mirror of https://github.com/spring-projects/spring-boot.git (synced 2026-05-02 19:30:23 +01:00)
c3e51d32b8
A change in Spring Security [1] means that type validation is now performed by default by Spring Security. A breaking side-effect of this is that setting validateTypes to false no longer has an effect and the default JwtTypeValidator is still present. Its presence, wrapped in a DelegatingOAuth2TokenValidator, prevents a user's JwtTypeValidator bean from being used for type validation.

This commit updates Boot's auto-configuration to change how the type validators are created. We avoid wrapping in a DelegatingOAuth2TokenValidator so that the user's custom JwtTypeValidator can be detected and used in place of the default. This requires us to create the JwtIssuerValidator rather than using the createDefaultWithIssuer method as it does not allow additional validators to be provided.

Fixes gh-48301

[1] https://github.com/spring-projects/spring-security/commit/6d3b54df21ec0cffc30c8b3e0784220bd117a87d
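The following is an added example, not code from this commit or from Spring Boot. It compares a chain in which the default type validator stays next to a custom one with the custom validator used alone. It assumes Spring Security's `spring-security-oauth2-jose` module (6.5 or later) on the classpath; the class name, the `at+jwt` policy and the sample tokens are constructed for illustration.

```java
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtTypeValidator;

// Hypothetical demo class; not part of Spring Boot or Spring Security.
public class TypeValidatorComposition {

    // Constructed sample token: only the "typ" header matters for this check.
    static Jwt tokenWithType(String typ) {
        return Jwt.withTokenValue("constructed-sample-token")
                .header("alg", "RS256")
                .header("typ", typ)
                .subject("sample-user")
                .build();
    }

    // A token is accepted only when the validator reports no errors.
    static boolean accepts(OAuth2TokenValidator<Jwt> validator, String typ) {
        return !validator.validate(tokenWithType(typ)).hasErrors();
    }

    public static void main(String[] args) {
        // Application policy (assumed for this example): the "typ" header
        // must be present and must be "at+jwt".
        JwtTypeValidator custom = new JwtTypeValidator(List.of("at+jwt"));
        custom.setAllowEmpty(false);

        // The default type validator left in the chain beside the custom one.
        // A delegating validator reports the errors of every member, so a
        // token has to satisfy both type policies at once.
        OAuth2TokenValidator<Jwt> withLeftoverDefault =
                new DelegatingOAuth2TokenValidator<>(JwtTypeValidator.jwt(), custom);

        // Print the verdict of each arrangement for both header values.
        for (String typ : List.of("JWT", "at+jwt")) {
            System.out.printf("typ=%s withLeftoverDefault=%b customOnly=%b%n",
                    typ, accepts(withLeftoverDefault, typ), accepts(custom, typ));
        }
    }
}
```

A resource server that relies on a custom `typ` policy can keep a check like this in its test suite so that an upgrade which changes the effective validator chain is caught before deployment.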