A change in Spring Security [1] means that type validation is now
performed by default by Spring Security. A breaking side-effect of
this is that setting validateTypes to false no longer has an effect
and the default JwtTypeValidator is still present. Its presence,
wrapped in a DelegatingOAuth2TokenValidator, prevents a user's
JwtTypeValidator bean from being used for type validation.
This commit updates Boot's auto-configuration to change how the
type validators are created. We avoid wrapping in a
DelegatingOAuth2TokenValidator so that the user's custom
JwtTypeValidator can be detected and used in place of the default.
This requires us to create the JwtIssuerValidator rather than using
the createDefaultWithIssuer method as it does not allow additional
validators to be provided.
Fixes gh-48301
[1] 6d3b54df21
Andy Wilkinson
c3e51d32b8