Merge 9c45ace88e into 0d5f42f852

6 days ago · b888860406
2 changed files with 49 additions and 11 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@ -282,8 +282,11 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
				@@ -282,8 +282,11 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<

 	@Override
 	public void configure(H http) {
+		// Use the authenticationManagerResolver if configured, as it takes precedence
+		// over any jwt() or opaqueToken() configuration
 		AuthenticationManagerResolver resolver = this.authenticationManagerResolver;
 		if (resolver == null) {
+			// Fall back to jwt() or opaqueToken() configuration
 			AuthenticationManager authenticationManager = getAuthenticationManager(http);
 			resolver = (request) -> authenticationManager;
 		}
@ -320,11 +323,9 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
				@@ -320,11 +323,9 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			Assert.state(this.jwtConfigurer == null || this.opaqueTokenConfigurer == null,
 					"Spring Security only supports JWTs or Opaque Tokens, not both at the " + "same time.");
 		}
-		else {
-			Assert.state(this.jwtConfigurer == null && this.opaqueTokenConfigurer == null,
-					"If an authenticationManagerResolver() is configured, then it takes "
-							+ "precedence over any jwt() or opaqueToken() configuration.");
-		}
+		// When authenticationManagerResolver is configured, it takes precedence over
+		// jwt() or opaqueToken()
+		// configuration, so no validation is needed for that case
 	}

 	private void registerDefaultAccessDeniedHandler(H http) {
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@ -1339,10 +1339,18 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -1339,10 +1339,18 @@ public class OAuth2ResourceServerConfigurerTests {
 	}

 	@Test
-	public void configureWhenUsingBothAuthenticationManagerResolverAndOpaqueThenWiringException() {
-		assertThatExceptionOfType(BeanCreationException.class)
-			.isThrownBy(() -> this.spring.register(AuthenticationManagerResolverPlusOtherConfig.class).autowire())
-			.withMessageContaining("authenticationManagerResolver");
+	public void configureWhenUsingBothAuthenticationManagerResolverAndOpaqueThenAuthenticationManagerResolverTakesPrecedence() {
+		// authenticationManagerResolver should take precedence over opaqueToken
+		// configuration
+		this.spring.register(AuthenticationManagerResolverPlusOtherConfig.class).autowire();
+		// No exception should be thrown
+	}
+
+	@Test
+	public void configureWhenUsingBothAuthenticationManagerResolverAndJwtThenAuthenticationManagerResolverTakesPrecedence() {
+		// authenticationManagerResolver should take precedence over jwt configuration
+		this.spring.register(AuthenticationManagerResolverPlusJwtConfig.class).autowire();
+		// No exception should be thrown
 	}

 	@Test
@ -2605,6 +2613,11 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -2605,6 +2613,11 @@ public class OAuth2ResourceServerConfigurerTests {
 	@EnableWebSecurity
 	static class AuthenticationManagerResolverPlusOtherConfig {

+		@Bean
+		OpaqueTokenIntrospector opaqueTokenIntrospector() {
+			return mock(OpaqueTokenIntrospector.class);
+		}
+
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
@ -2612,8 +2625,8 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -2612,8 +2625,8 @@ public class OAuth2ResourceServerConfigurerTests {
 				.authorizeHttpRequests((requests) -> requests
 					.anyRequest().authenticated())
 				.oauth2ResourceServer((server) -> server
-					.authenticationManagerResolver(mock(AuthenticationManagerResolver.class))
-					.opaqueToken(Customizer.withDefaults()));
+					.opaqueToken(Customizer.withDefaults())
+					.authenticationManagerResolver(mock(AuthenticationManagerResolver.class)));
 			return http.build();
 			// @formatter:on
 		}
@ -2793,4 +2806,28 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -2793,4 +2806,28 @@ public class OAuth2ResourceServerConfigurerTests {

 	}

+	@Configuration
+	@EnableWebSecurity
+	static class AuthenticationManagerResolverPlusJwtConfig {
+
+		@Bean
+		JwtDecoder jwtDecoder() {
+			return mock(JwtDecoder.class);
+		}
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeHttpRequests((requests) -> requests
+					.anyRequest().authenticated())
+				.oauth2ResourceServer((server) -> server
+					.jwt(Customizer.withDefaults())
+					.authenticationManagerResolver(mock(AuthenticationManagerResolver.class)));
+			return http.build();
+			// @formatter:on
+		}
+
+	}
+
 }