Make AuthorizationServerContextFilter private

Closes gh-866

docs/src/docs/asciidoc/configuration-model.adoc

@@ -182,9 +182,6 @@ If the issuer identifier is not configured in `AuthorizationServerSettings.build
 [NOTE]
 The `AuthorizationServerContext` is accessible through the `AuthorizationServerContextHolder`, which associates it with the current request thread by using a `ThreadLocal`.
 
-[NOTE]
-The `AuthorizationServerContextFilter` associates the `AuthorizationServerContext` with the `AuthorizationServerContextHolder`.
-
 [[configuring-client-authentication]]
 == Configuring Client Authentication
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/AuthorizationServerContextFilter.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.oauth2.server.authorization.web;
+package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers;
 
 import java.io.IOException;
 
@@ -39,15 +39,10 @@ import org.springframework.web.util.UriComponentsBuilder;
  * @see AuthorizationServerContextHolder
  * @see AuthorizationServerSettings
  */
-public final class AuthorizationServerContextFilter extends OncePerRequestFilter {
+final class AuthorizationServerContextFilter extends OncePerRequestFilter {
 	private final AuthorizationServerSettings authorizationServerSettings;
 
-	/**
-	 * Constructs an {@code AuthorizationServerContextFilter} using the provided parameters.
-	 *
-	 * @param authorizationServerSettings the authorization server settings
-	 */
-	public AuthorizationServerContextFilter(AuthorizationServerSettings authorizationServerSettings) {
+	AuthorizationServerContextFilter(AuthorizationServerSettings authorizationServerSettings) {
 		Assert.notNull(authorizationServerSettings, "authorizationServerSettings cannot be null");
 		this.authorizationServerSettings = authorizationServerSettings;
 	}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java

@@ -33,7 +33,6 @@ import org.springframework.security.oauth2.server.authorization.OAuth2Authorizat
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
-import org.springframework.security.oauth2.server.authorization.web.AuthorizationServerContextFilter;
 import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/context/AuthorizationServerContextHolder.java

@@ -15,15 +15,12 @@
  */
 package org.springframework.security.oauth2.server.authorization.context;
 
-import org.springframework.security.oauth2.server.authorization.web.AuthorizationServerContextFilter;
-
 /**
  * A holder of the {@link AuthorizationServerContext} that associates it with the current thread using a {@code ThreadLocal}.
  *
  * @author Joe Grandja
  * @since 0.2.2
  * @see AuthorizationServerContext
- * @see AuthorizationServerContextFilter
  */
 public final class AuthorizationServerContextHolder {
 	private static final ThreadLocal<AuthorizationServerContext> holder = new ThreadLocal<>();

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerMetadataTests.java

@@ -92,7 +92,7 @@ public class OAuth2AuthorizationServerMetadataTests {
 	}
 
 	@Test
-	public void requestWhenAuthorizationServerMetadataRequestAndIssuerSetThenReturnMetadataResponse() throws Exception {
+	public void requestWhenAuthorizationServerMetadataRequestAndIssuerSetThenUsed() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();
 
 		this.mvc.perform(get(DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI))
@@ -101,6 +101,16 @@ public class OAuth2AuthorizationServerMetadataTests {
 				.andReturn();
 	}
 
+	@Test
+	public void requestWhenAuthorizationServerMetadataRequestAndIssuerNotSetThenResolveFromRequest() throws Exception {
+		this.spring.register(AuthorizationServerConfigurationWithIssuerNotSet.class).autowire();
+
+		this.mvc.perform(get(DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI))
+				.andExpect(status().is2xxSuccessful())
+				.andExpect(jsonPath("issuer").value("http://localhost"))
+				.andReturn();
+	}
+
 	@EnableWebSecurity
 	@Import(OAuth2AuthorizationServerConfiguration.class)
 	static class AuthorizationServerConfiguration {
@@ -129,4 +139,14 @@ public class OAuth2AuthorizationServerMetadataTests {
 		}
 	}
 
+	@EnableWebSecurity
+	@Import(OAuth2AuthorizationServerConfiguration.class)
+	static class AuthorizationServerConfigurationWithIssuerNotSet extends AuthorizationServerConfiguration {
+
+		@Bean
+		AuthorizationServerSettings authorizationServerSettings() {
+			return AuthorizationServerSettings.builder().build();
+		}
+	}
+
 }

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/AuthorizationServerContextFilterTests.java

@@ -1,101 +0,0 @@
-/*
- * Copyright 2020-2022 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.server.authorization.web;
-
-import javax.servlet.FilterChain;
-
-import org.junit.After;
-import org.junit.Test;
-
-import org.springframework.mock.web.MockHttpServletRequest;
-import org.springframework.mock.web.MockHttpServletResponse;
-import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContext;
-import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
-import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.doAnswer;
-import static org.mockito.Mockito.mock;
-
-/**
- * Tests for {@link AuthorizationServerContextFilter}.
- *
- * @author Joe Grandja
- */
-public class AuthorizationServerContextFilterTests {
-
-	@After
-	public void cleanup() {
-		AuthorizationServerContextHolder.resetContext();
-	}
-
-	@Test
-	public void constructorWhenAuthorizationServerSettingsNullThenThrowIllegalArgumentException() {
-		assertThatThrownBy(() -> new AuthorizationServerContextFilter(null))
-				.isInstanceOf(IllegalArgumentException.class)
-				.hasMessage("authorizationServerSettings cannot be null");
-	}
-
-	@Test
-	public void doFilterWhenIssuerConfiguredThenUsed() throws Exception {
-		String issuer = "https://provider.com";
-		AuthorizationServerSettings authorizationServerSettings = AuthorizationServerSettings.builder().issuer(issuer).build();
-		AuthorizationServerContextFilter filter = new AuthorizationServerContextFilter(authorizationServerSettings);
-
-		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
-		request.setServletPath("/");
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		FilterChain filterChain = mock(FilterChain.class);
-
-		doAnswer(invocation -> {
-			AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext();
-			assertThat(authorizationServerContext).isNotNull();
-			assertThat(authorizationServerContext.getAuthorizationServerSettings()).isSameAs(authorizationServerSettings);
-			assertThat(authorizationServerContext.getIssuer()).isEqualTo(issuer);
-			return null;
-		}).when(filterChain).doFilter(any(), any());
-
-		filter.doFilter(request, response, filterChain);
-
-		assertThat(AuthorizationServerContextHolder.getContext()).isNull();
-	}
-
-	@Test
-	public void doFilterWhenIssuerNotConfiguredThenResolveFromRequest() throws Exception {
-		AuthorizationServerSettings authorizationServerSettings = AuthorizationServerSettings.builder().build();
-		AuthorizationServerContextFilter filter = new AuthorizationServerContextFilter(authorizationServerSettings);
-
-		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
-		request.setServletPath("/");
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		FilterChain filterChain = mock(FilterChain.class);
-
-		doAnswer(invocation -> {
-			AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext();
-			assertThat(authorizationServerContext).isNotNull();
-			assertThat(authorizationServerContext.getAuthorizationServerSettings()).isSameAs(authorizationServerSettings);
-			assertThat(authorizationServerContext.getIssuer()).isEqualTo("http://localhost");
-			return null;
-		}).when(filterChain).doFilter(any(), any());
-
-		filter.doFilter(request, response, filterChain);
-
-		assertThat(AuthorizationServerContextHolder.getContext()).isNull();
-	}
-
-}