GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Allow authentication details to be set by converter 

Prevent JwtAuthenticationProvider from setting authentication details
when jwtAuthenticationConverter returned an authentication instance
with non null details.

Closes gh-11822
pull/12438/head
ch4mpy 3 years ago committed by Steve Riesenberg
parent
c2d0ea3694
commit
7ad4ebd07a
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 39 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java
  2. 35
      oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProviderTests.java

5
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java
Unescape View File

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -56,6 +56,7 @@ import org.springframework.util.Assert; @@ -56,6 +56,7 @@ import org.springframework.util.Assert;
*
* @author Josh Cummings
* @author Joe Grandja
* @author Jerome Wacongne ch4mp@c4-soft.com
* @since 5.1
* @see AuthenticationProvider
* @see JwtDecoder
@ -86,7 +87,9 @@ public final class JwtAuthenticationProvider implements AuthenticationProvider { @@ -86,7 +87,9 @@ public final class JwtAuthenticationProvider implements AuthenticationProvider {
BearerTokenAuthenticationToken bearer = (BearerTokenAuthenticationToken) authentication;
Jwt jwt = getJwt(bearer);
AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
if (token.getDetails() == null) {
token.setDetails(bearer.getDetails());
}
this.logger.debug("Authenticated token");
return token;
}

35
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProviderTests.java
Unescape View File

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -25,6 +25,7 @@ import org.mockito.Mock; @@ -25,6 +25,7 @@ import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.jwt.BadJwtException;
@ -43,12 +44,13 @@ import static org.mockito.Mockito.mock; @@ -43,12 +44,13 @@ import static org.mockito.Mockito.mock;
* Tests for {@link JwtAuthenticationProvider}
*
* @author Josh Cummings
* @author Jerome Wacongne ch4mp@c4-soft.com
*/
@ExtendWith(MockitoExtension.class)
public class JwtAuthenticationProviderTests {
@Mock
Converter<Jwt, JwtAuthenticationToken> jwtAuthenticationConverter;
Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter;
@Mock
JwtDecoder jwtDecoder;
@ -107,6 +109,17 @@ public class JwtAuthenticationProviderTests { @@ -107,6 +109,17 @@ public class JwtAuthenticationProviderTests {
@Test
public void authenticateWhenConverterReturnsAuthenticationThenProviderPropagatesIt() {
BearerTokenAuthenticationToken token = this.authentication();
Jwt jwt = TestJwts.jwt().build();
JwtAuthenticationToken authentication = new JwtAuthenticationToken(jwt);
given(this.jwtDecoder.decode(token.getToken())).willReturn(jwt);
given(this.jwtAuthenticationConverter.convert(jwt)).willReturn(authentication);
assertThat(this.provider.authenticate(token)).isEqualTo(authentication);
}
@Test
public void authenticateWhenConverterDoesNotSetAuthenticationDetailsThenProviderSetsItWithTokenDetails() {
BearerTokenAuthenticationToken token = this.authentication();
Object details = mock(Object.class);
token.setDetails(details);
@ -121,6 +134,24 @@ public class JwtAuthenticationProviderTests { @@ -121,6 +134,24 @@ public class JwtAuthenticationProviderTests {
// @formatter:on
}
@Test
public void authenticateWhenConverterSetsAuthenticationDetailsThenProviderDoesNotOverwriteIt() {
BearerTokenAuthenticationToken token = this.authentication();
Object details = mock(Object.class);
token.setDetails(details);
Jwt jwt = TestJwts.jwt().build();
JwtAuthenticationToken authentication = new JwtAuthenticationToken(jwt);
Object expectedDetails = "To be kept as is";
authentication.setDetails(expectedDetails);
given(this.jwtDecoder.decode(token.getToken())).willReturn(jwt);
given(this.jwtAuthenticationConverter.convert(jwt)).willReturn(authentication);
// @formatter:off
assertThat(this.provider.authenticate(token))
.isEqualTo(authentication).hasFieldOrPropertyWithValue("details",
expectedDetails);
// @formatter:on
}
@Test
public void supportsWhenBearerTokenAuthenticationTokenThenReturnsTrue() {
assertThat(this.provider.supports(BearerTokenAuthenticationToken.class)).isTrue();

Write Preview
Loading…
Cancel
Save