Replace stream usage with for loops

Closes gh-401

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java

@@ -97,10 +97,12 @@ public final class InMemoryOAuth2AuthorizationService implements OAuth2Authoriza
 	@Override
 	public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType tokenType) {
 		Assert.hasText(token, "token cannot be empty");
-		return this.authorizations.values().stream()
+		for (OAuth2Authorization authorization : this.authorizations.values()) {
-				.filter(authorization -> hasToken(authorization, token, tokenType))
+			if (hasToken(authorization, token, tokenType)) {
-				.findFirst()
+				return authorization;
-				.orElse(null);
+			}
+		}
+		return null;
 	}
 
 	private static boolean hasToken(OAuth2Authorization authorization, String token, @Nullable OAuth2TokenType tokenType) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java

@@ -150,11 +150,12 @@ public class OAuth2Authorization implements Serializable {
 	@SuppressWarnings("unchecked")
 	public <T extends OAuth2Token> Token<T> getToken(String tokenValue) {
 		Assert.hasText(tokenValue, "tokenValue cannot be empty");
-		Token<?> token = this.tokens.values().stream()
+		for (Token<?> token : this.tokens.values()) {
-				.filter(t -> t.getToken().getTokenValue().equals(tokenValue))
+			if (token.getToken().getTokenValue().equals(tokenValue)) {
-				.findFirst()
+				return (Token<T>) token;
-				.orElse(null);
+			}
-		return token != null ? (Token<T>) token : null;
+		}
+		return null;
 	}
 
 	/**

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationConsent.java

@@ -21,7 +21,6 @@ import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
 import java.util.function.Consumer;
-import java.util.stream.Collectors;
 
 import org.springframework.lang.NonNull;
 import org.springframework.security.core.GrantedAuthority;
@@ -91,11 +90,13 @@ public final class OAuth2AuthorizationConsent implements Serializable {
 	 * @return the {@code scope}s granted to the client by the principal.
 	 */
 	public Set<String> getScopes() {
-		return getAuthorities().stream()
+		Set<String> authorities = new HashSet<>();
-				.map(GrantedAuthority::getAuthority)
+		for (GrantedAuthority authority : getAuthorities()) {
-				.filter(authority -> authority.startsWith(AUTHORITIES_SCOPE_PREFIX))
+			if (authority.getAuthority().startsWith(AUTHORITIES_SCOPE_PREFIX)) {
-				.map(scope -> scope.replaceFirst(AUTHORITIES_SCOPE_PREFIX, ""))
+				authorities.add(authority.getAuthority().replaceFirst(AUTHORITIES_SCOPE_PREFIX, ""));
-				.collect(Collectors.toSet());
+			}
+		}
+		return authorities;
 	}
 
 	@Override

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java

@@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 import java.security.Principal;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
@@ -448,7 +447,10 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen
 			return false;
 		}
 		try {
-			int[] address = Arrays.stream(ipv4Octets).mapToInt(Integer::parseInt).toArray();
+			int[] address = new int[ipv4Octets.length];
+			for (int i=0; i < ipv4Octets.length; i++) {
+				address[i] = Integer.parseInt(ipv4Octets[i]);
+			}
 			return address[0] == 127 && address[1] >= 0 && address[1] <= 255 && address[2] >= 0 &&
 					address[2] <= 255 && address[3] >= 1 && address[3] <= 255;
 		} catch (NumberFormatException ex) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java

@@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 import java.util.LinkedHashSet;
 import java.util.Set;
 import java.util.function.Consumer;
-import java.util.stream.Collectors;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -34,12 +33,12 @@ import org.springframework.security.oauth2.jwt.JoseHeader;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
 import org.springframework.security.oauth2.jwt.JwtEncoder;
+import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
-import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
-import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
@@ -112,12 +111,11 @@ public final class OAuth2ClientCredentialsAuthenticationProvider implements Auth
 
 		Set<String> authorizedScopes = registeredClient.getScopes();		// Default to configured scopes
 		if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
-			Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()
+			for (String requestedScope : clientCredentialsAuthentication.getScopes()) {
-					.filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope))
+				if (!registeredClient.getScopes().contains(requestedScope)) {
-					.collect(Collectors.toSet());
-			if (!CollectionUtils.isEmpty(unauthorizedScopes)) {
 					throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
 				}
+			}
 			authorizedScopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
 		}
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java

@@ -16,8 +16,8 @@
 package org.springframework.security.oauth2.server.authorization.web;
 
 import java.io.IOException;
+import java.util.HashMap;
 import java.util.Map;
-import java.util.stream.Collectors;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -161,14 +161,13 @@ public final class OAuth2TokenIntrospectionEndpointFilter extends OncePerRequest
 				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.TOKEN_TYPE_HINT);
 			}
 
-			// @formatter:off
+			Map<String, Object> additionalParameters = new HashMap<>();
-			Map<String, Object> additionalParameters = parameters
+			parameters.forEach((key, value) -> {
-					.entrySet()
+				if (!key.equals(OAuth2ParameterNames.TOKEN) &&
-					.stream()
+						!key.equals(OAuth2ParameterNames.TOKEN_TYPE_HINT)) {
-					.filter(e -> !e.getKey().equals(OAuth2ParameterNames.TOKEN) &&
+					additionalParameters.put(key, value.get(0));
-							!e.getKey().equals(OAuth2ParameterNames.TOKEN_TYPE_HINT))
+				}
-					.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
+			});
-			// @formatter:on
 
 			return new OAuth2TokenIntrospectionAuthenticationToken(
 					token, clientPrincipal, tokenTypeHint, additionalParameters);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/DelegatingAuthenticationConverter.java

@@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.web.authenticat
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
-import java.util.Objects;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -56,12 +55,12 @@ public final class DelegatingAuthenticationConverter implements AuthenticationCo
 	@Override
 	public Authentication convert(HttpServletRequest request) {
 		Assert.notNull(request, "request cannot be null");
-		// @formatter:off
+		for (AuthenticationConverter converter : this.converters) {
-		return this.converters.stream()
+			Authentication authentication = converter.convert(request);
-				.map(converter -> converter.convert(request))
+			if (authentication != null) {
-				.filter(Objects::nonNull)
+				return authentication;
-				.findFirst()
+			}
-				.orElse(null);
+		}
-		// @formatter:on
+		return null;
 	}
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java

@@ -15,8 +15,8 @@
  */
 package org.springframework.security.oauth2.server.authorization.web.authentication;
 
+import java.util.HashMap;
 import java.util.Map;
-import java.util.stream.Collectors;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -78,16 +78,15 @@ public final class OAuth2AuthorizationCodeAuthenticationConverter implements Aut
 					OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 		}
 
-		// @formatter:off
+		Map<String, Object> additionalParameters = new HashMap<>();
-		Map<String, Object> additionalParameters = parameters
+		parameters.forEach((key, value) -> {
-				.entrySet()
+			if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
-				.stream()
+					!key.equals(OAuth2ParameterNames.CLIENT_ID) &&
-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.GRANT_TYPE) &&
+					!key.equals(OAuth2ParameterNames.CODE) &&
-						!e.getKey().equals(OAuth2ParameterNames.CLIENT_ID) &&
+					!key.equals(OAuth2ParameterNames.REDIRECT_URI)) {
-						!e.getKey().equals(OAuth2ParameterNames.CODE) &&
+				additionalParameters.put(key, value.get(0));
-						!e.getKey().equals(OAuth2ParameterNames.REDIRECT_URI))
+			}
-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
+		});
-        // @formatter:on
 
 		return new OAuth2AuthorizationCodeAuthenticationToken(
 				code, clientPrincipal, redirectUri, additionalParameters);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java

@@ -16,10 +16,10 @@
 package org.springframework.security.oauth2.server.authorization.web.authentication;
 
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -139,17 +139,16 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationConverter impleme
 			throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI);
 		}
 
-		// @formatter:off
+		Map<String, Object> additionalParameters = new HashMap<>();
-		Map<String, Object> additionalParameters = parameters
+		parameters.forEach((key, value) -> {
-				.entrySet()
+			if (!key.equals(OAuth2ParameterNames.RESPONSE_TYPE) &&
-				.stream()
+					!key.equals(OAuth2ParameterNames.CLIENT_ID) &&
-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.RESPONSE_TYPE) &&
+					!key.equals(OAuth2ParameterNames.REDIRECT_URI) &&
-						!e.getKey().equals(OAuth2ParameterNames.CLIENT_ID) &&
+					!key.equals(OAuth2ParameterNames.SCOPE) &&
-						!e.getKey().equals(OAuth2ParameterNames.REDIRECT_URI) &&
+					!key.equals(OAuth2ParameterNames.STATE)) {
-						!e.getKey().equals(OAuth2ParameterNames.SCOPE) &&
+				additionalParameters.put(key, value.get(0));
-						!e.getKey().equals(OAuth2ParameterNames.STATE))
+			}
-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
+		});
-        // @formatter:on
 
 		return OAuth2AuthorizationCodeRequestAuthenticationToken.with(clientId, principal)
 				.authorizationUri(authorizationUri)

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java

@@ -16,10 +16,10 @@
 package org.springframework.security.oauth2.server.authorization.web.authentication;
 
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -75,14 +75,13 @@ public final class OAuth2ClientCredentialsAuthenticationConverter implements Aut
 					Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
 		}
 
-		// @formatter:off
+		Map<String, Object> additionalParameters = new HashMap<>();
-		Map<String, Object> additionalParameters = parameters
+		parameters.forEach((key, value) -> {
-				.entrySet()
+			if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
-				.stream()
+					!key.equals(OAuth2ParameterNames.SCOPE)) {
-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.GRANT_TYPE) &&
+				additionalParameters.put(key, value.get(0));
-						!e.getKey().equals(OAuth2ParameterNames.SCOPE))
+			}
-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
+		});
-        // @formatter:on
 
 		return new OAuth2ClientCredentialsAuthenticationToken(
 				clientPrincipal, requestedScopes, additionalParameters);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java

@@ -16,10 +16,10 @@
 package org.springframework.security.oauth2.server.authorization.web.authentication;
 
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -85,15 +85,14 @@ public final class OAuth2RefreshTokenAuthenticationConverter implements Authenti
 					Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
 		}
 
-		// @formatter:off
+		Map<String, Object> additionalParameters = new HashMap<>();
-		Map<String, Object> additionalParameters = parameters
+		parameters.forEach((key, value) -> {
-				.entrySet()
+			if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
-				.stream()
+					!key.equals(OAuth2ParameterNames.REFRESH_TOKEN) &&
-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.GRANT_TYPE) &&
+					!key.equals(OAuth2ParameterNames.SCOPE)) {
-						!e.getKey().equals(OAuth2ParameterNames.REFRESH_TOKEN) &&
+				additionalParameters.put(key, value.get(0));
-						!e.getKey().equals(OAuth2ParameterNames.SCOPE))
+			}
-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
+		});
-        // @formatter:on
 
 		return new OAuth2RefreshTokenAuthenticationToken(
 				refreshToken, clientPrincipal, requestedScopes, additionalParameters);

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java

@@ -24,9 +24,9 @@ import java.text.MessageFormat;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Base64;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
@@ -273,9 +273,11 @@ public class OAuth2AuthorizationCodeGrantTests {
 		Jwt jwt = this.jwtDecoder.decode(accessTokenResponse.getAccessToken().getTokenValue());
 		List<String> authoritiesClaim = jwt.getClaim(AUTHORITIES_CLAIM);
 		Authentication principal = authorization.getAttribute(Principal.class.getName());
-		Set<String> userAuthorities = principal.getAuthorities().stream()
+		Set<String> userAuthorities = new HashSet<>();
-				.map(GrantedAuthority::getAuthority)
+		for (GrantedAuthority authority : principal.getAuthorities()) {
-				.collect(Collectors.toSet());
+			userAuthorities.add(authority.getAuthority());
+		}
+
 		assertThat(authoritiesClaim).containsExactlyInAnyOrderElementsOf(userAuthorities);
 	}
 
@@ -612,9 +614,10 @@ public class OAuth2AuthorizationCodeGrantTests {
 				if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(context.getAuthorizationGrantType()) &&
 						OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
 					Authentication principal = context.getPrincipal();
-					Set<String> authorities = principal.getAuthorities().stream()
+					Set<String> authorities = new HashSet<>();
-							.map(GrantedAuthority::getAuthority)
+					for (GrantedAuthority authority : principal.getAuthorities()) {
-							.collect(Collectors.toSet());
+						authorities.add(authority.getAuthority());
+					}
 					context.getClaims().claim(AUTHORITIES_CLAIM, authorities);
 				}
 			};

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java

@@ -19,9 +19,9 @@ import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.util.Base64;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
@@ -174,9 +174,10 @@ public class OAuth2RefreshTokenGrantTests {
 		Jwt jwt = jwtDecoder.decode(accessTokenResponse.getAccessToken().getTokenValue());
 		List<String> authoritiesClaim = jwt.getClaim(AUTHORITIES_CLAIM);
 		Authentication principal = authorization.getAttribute(Principal.class.getName());
-		Set<String> userAuthorities = principal.getAuthorities().stream()
+		Set<String> userAuthorities = new HashSet<>();
-				.map(GrantedAuthority::getAuthority)
+		for (GrantedAuthority authority : principal.getAuthorities()) {
-				.collect(Collectors.toSet());
+			userAuthorities.add(authority.getAuthority());
+		}
 		assertThat(authoritiesClaim).containsExactlyInAnyOrderElementsOf(userAuthorities);
 	}
 
@@ -231,9 +232,10 @@ public class OAuth2RefreshTokenGrantTests {
 			return context -> {
 				if (AuthorizationGrantType.REFRESH_TOKEN.equals(context.getAuthorizationGrantType())) {
 					Authentication principal = context.getPrincipal();
-					Set<String> authorities = principal.getAuthorities().stream()
+					Set<String> authorities = new HashSet<>();
-							.map(GrantedAuthority::getAuthority)
+					for (GrantedAuthority authority : principal.getAuthorities()) {
-							.collect(Collectors.toSet());
+						authorities.add(authority.getAuthority());
+					}
 					context.getClaims().claim(AUTHORITIES_CLAIM, authorities);
 				}
 			};

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java

@@ -21,9 +21,9 @@ import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.util.Base64;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
@@ -223,9 +223,10 @@ public class OidcTests {
 		Jwt idToken = this.jwtDecoder.decode((String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN));
 		List<String> authoritiesClaim = idToken.getClaim(AUTHORITIES_CLAIM);
 		Authentication principal = authorization.getAttribute(Principal.class.getName());
-		Set<String> userAuthorities = principal.getAuthorities().stream()
+		Set<String> userAuthorities = new HashSet<>();
-				.map(GrantedAuthority::getAuthority)
+		for (GrantedAuthority authority : principal.getAuthorities()) {
-				.collect(Collectors.toSet());
+			userAuthorities.add(authority.getAuthority());
+		}
 		assertThat(authoritiesClaim).containsExactlyInAnyOrderElementsOf(userAuthorities);
 	}
 
@@ -304,9 +305,10 @@ public class OidcTests {
 			return context -> {
 				if (context.getTokenType().getValue().equals(OidcParameterNames.ID_TOKEN)) {
 					Authentication principal = context.getPrincipal();
-					Set<String> authorities = principal.getAuthorities().stream()
+					Set<String> authorities = new HashSet<>();
-							.map(GrantedAuthority::getAuthority)
+					for (GrantedAuthority authority : principal.getAuthorities()) {
-							.collect(Collectors.toSet());
+						authorities.add(authority.getAuthority());
+					}
 					context.getClaims().claim(AUTHORITIES_CLAIM, authorities);
 				}
 			};

samples/boot/oauth2-integration/authorizationserver-custom-consent-page/src/main/java/sample/web/AuthorizationConsentController.java

@@ -21,7 +21,6 @@ import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import java.util.stream.Collectors;
 
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
@@ -84,10 +83,12 @@ public class AuthorizationConsentController {
 	}
 
 	private static Set<ScopeWithDescription> withDescription(Set<String> scopes) {
-		return scopes
+		Set<ScopeWithDescription> scopeWithDescriptions = new HashSet<>();
-				.stream()
+		for (String scope : scopes) {
-				.map(ScopeWithDescription::new)
+			scopeWithDescriptions.add(new ScopeWithDescription(scope));
-				.collect(Collectors.toSet());
+
+		}
+		return scopeWithDescriptions;
 	}
 
 	public static class ScopeWithDescription {