From b471dd1c547701a8e63e7d85db13482adbdc9e8e Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Sat, 28 Oct 2017 21:40:33 -0400
Subject: [PATCH] Remove OAuth2TokenRepository

Fixes gh-4727
---
 .../oauth2/client/OAuth2LoginConfigurer.java | 13 ----
 .../token/InMemoryAccessTokenRepository.java | 66 -------------------
 .../client/token/OAuth2TokenRepository.java | 42 ------------
 .../web/OAuth2LoginAuthenticationFilter.java | 16 +----
 4 files changed, 1 insertion(+), 136 deletions(-)
 delete mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/InMemoryAccessTokenRepository.java
 delete mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/OAuth2TokenRepository.java
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
index 813042fc7f..89bb0d9e26 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@@ -34,7 +34,6 @@ import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.token.OAuth2TokenRepository;
 import org.springframework.security.oauth2.client.userinfo.CustomUserTypesOAuth2UserService;
 import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
 import org.springframework.security.oauth2.client.userinfo.DelegatingOAuth2UserService;
@@ -43,7 +42,6 @@ import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.user.OAuth2User;
@@ -136,7 +134,6 @@ public final class OAuth2LoginConfigurer> exten
 public class TokenEndpointConfig {
 private AuthorizationGrantTokenExchanger authorizationCodeTokenExchanger;
- private OAuth2TokenRepository accessTokenRepository;
 private JwtDecoderRegistry jwtDecoderRegistry;
 private TokenEndpointConfig() {
@@ -150,12 +147,6 @@ public final class OAuth2LoginConfigurer> exten
 return this;
 }
- public TokenEndpointConfig accessTokenRepository(OAuth2TokenRepository accessTokenRepository) {
- Assert.notNull(accessTokenRepository, "accessTokenRepository cannot be null");
- this.accessTokenRepository = accessTokenRepository;
- return this;
- }
-
 public TokenEndpointConfig jwtDecoderRegistry(JwtDecoderRegistry jwtDecoderRegistry) {
 Assert.notNull(jwtDecoderRegistry, "jwtDecoderRegistry cannot be null");
 this.jwtDecoderRegistry = jwtDecoderRegistry;
@@ -301,10 +292,6 @@ public final class OAuth2LoginConfigurer> exten
 this.authorizationEndpointConfig.authorizationRequestRepository);
 }
 authorizationResponseFilter.setAuthorizedClientService(this.getAuthorizedClientService());
- if (this.tokenEndpointConfig.accessTokenRepository != null) {
- authorizationResponseFilter.setAccessTokenRepository(
- this.tokenEndpointConfig.accessTokenRepository);
- }
 super.configure(http);
 }
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/InMemoryAccessTokenRepository.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/InMemoryAccessTokenRepository.java
deleted file mode 100644
index 11def3a097..0000000000
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/InMemoryAccessTokenRepository.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright 2002-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.client.token;
-
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
-import org.springframework.util.Assert;
-
-import java.util.Base64;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-
-/**
- * An in-memory {@link OAuth2TokenRepository} for {@link OAuth2AccessToken}'s.
- *
- * @author Joe Grandja
- * @since 5.0
- * @see OAuth2TokenRepository
- * @see OAuth2AccessToken
- * @see ClientRegistration
- * @see Authentication
- */
-public final class InMemoryAccessTokenRepository implements OAuth2TokenRepository {
- private final Map accessTokens = new ConcurrentHashMap<>();
-
- @Override
- public OAuth2AccessToken loadToken(ClientRegistration registration, Authentication principal) {
- Assert.notNull(registration, "registration cannot be null");
- Assert.notNull(principal, "principal cannot be null");
- return this.accessTokens.get(this.getIdentifier(registration, principal));
- }
-
- @Override
- public void saveToken(OAuth2AccessToken accessToken, ClientRegistration registration, Authentication principal) {
- Assert.notNull(accessToken, "accessToken cannot be null");
- Assert.notNull(registration, "registration cannot be null");
- Assert.notNull(principal, "principal cannot be null");
- this.accessTokens.put(this.getIdentifier(registration, principal), accessToken);
- }
-
- @Override
- public OAuth2AccessToken removeToken(ClientRegistration registration, Authentication principal) {
- Assert.notNull(registration, "registration cannot be null");
- Assert.notNull(principal, "principal cannot be null");
- return this.accessTokens.remove(this.getIdentifier(registration, principal));
- }
-
- private String getIdentifier(ClientRegistration registration, Authentication principal) {
- String identifier = "[" + registration.getRegistrationId() + "][" + principal.getName() + "]";
- return Base64.getEncoder().encodeToString(identifier.getBytes());
- }
-}
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/OAuth2TokenRepository.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/OAuth2TokenRepository.java
deleted file mode 100644
index f1e47d1346..0000000000
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/token/OAuth2TokenRepository.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright 2002-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.client.token;
-
-import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.core.AbstractOAuth2Token;
-
-/**
- * Implementations of this interface are responsible for the persistence
- * and association of an {@link AbstractOAuth2Token OAuth 2.0 Token}
- * to a {@link ClientRegistration Client} and Resource Owner,
- * which is the {@link Authentication Principal} who originally granted the authorization.
- *
- * @author Joe Grandja
- * @since 5.0
- * @see AbstractOAuth2Token
- * @see ClientRegistration
- * @see Authentication
- */
-public interface OAuth2TokenRepository {
-
- T loadToken(ClientRegistration registration, Authentication principal);
-
- void saveToken(T token, ClientRegistration registration, Authentication principal);
-
- T removeToken(ClientRegistration registration, Authentication principal);
-
-}
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java
index 8053d30f22..5b6f15b8b8 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java
@@ -25,9 +25,6 @@ import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuth
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.token.InMemoryAccessTokenRepository;
-import org.springframework.security.oauth2.client.token.OAuth2TokenRepository;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
@@ -76,7 +73,7 @@ import java.io.IOException;
 * @see AuthorizationRequestRepository
 * @see OAuth2AuthorizationRequestRedirectFilter
 * @see ClientRegistrationRepository
- * @see OAuth2TokenRepository
+ * @see OAuth2AuthorizedClientService
 * @see Section 4.1 Authorization Code Grant
 * @see Section 4.1.2 Authorization Response
 */
@@ -87,7 +84,6 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce private OAuth2AuthorizedClientService authorizedClientService; private AuthorizationRequestRepository authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository(); - private OAuth2TokenRepository accessTokenRepository = new InMemoryAccessTokenRepository(); public OAuth2LoginAuthenticationFilter() { this(DEFAULT_FILTER_PROCESSES_URI); @@ -144,11 +140,6 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce this.authorizedClientService.saveAuthorizedClient( authorizedClient, oauth2Authentication); - this.accessTokenRepository.saveToken( - authorizedClient.getAccessToken(), - authorizedClient.getClientRegistration(), - oauth2Authentication); - return oauth2Authentication; } @@ -167,11 +158,6 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce this.authorizationRequestRepository = authorizationRequestRepository; } - public final void setAccessTokenRepository(OAuth2TokenRepository accessTokenRepository) { - Assert.notNull(accessTokenRepository, "accessTokenRepository cannot be null"); - this.accessTokenRepository = accessTokenRepository; - } - private OAuth2AuthorizationResponse convert(HttpServletRequest request) { String code = request.getParameter(OAuth2ParameterNames.CODE); String errorCode = request.getParameter(OAuth2ParameterNames.ERROR);