Polish JwtGrantedAuthoritiesConverter

Rework the implementation so that it is clearer that authorities are derived from a single claim. Issue: gh-6273
6 years ago · d843818e48
1 changed files with 34 additions and 25 deletions
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverter.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverter.java
@ -16,10 +16,10 @@
 package org.springframework.security.oauth2.server.resource.authentication;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.stream.Collectors;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.GrantedAuthority;
@ -35,42 +35,51 @@ import org.springframework.util.StringUtils;
 * @since 5.2
 */
 public final class JwtGrantedAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
-	private static final String SCOPE_AUTHORITY_PREFIX = "SCOPE_";
+	private static final String DEFAULT_AUTHORITY_PREFIX = "SCOPE_";
-	private static final Collection<String> WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES =
+	private static final Collection<String> WELL_KNOWN_AUTHORITIES_CLAIM_NAMES =
 			Arrays.asList("scope", "scp");
 	/**
-	 * Extracts the authorities
+	 * Extract {@link GrantedAuthority}s from the given {@link Jwt}.
 	 *
 	 * @param jwt The {@link Jwt} token
 	 * @return The {@link GrantedAuthority authorities} read from the token scopes
 	 */
 	@Override
 	public Collection<GrantedAuthority> convert(Jwt jwt) {
-		return getScopes(jwt)
+		Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();
-				.stream()
+		for (String authority : getAuthorities(jwt)) {
-				.map(authority -> SCOPE_AUTHORITY_PREFIX + authority)
+			grantedAuthorities.add(new SimpleGrantedAuthority(DEFAULT_AUTHORITY_PREFIX + authority));
-				.map(SimpleGrantedAuthority::new)
+		}
-				.collect(Collectors.toList());
+		return grantedAuthorities;
 	}
-	/**
+	private String getAuthoritiesClaimName(Jwt jwt) {
-	 * Gets the scopes from a {@link Jwt} token
+		for (String claimName : WELL_KNOWN_AUTHORITIES_CLAIM_NAMES) {
-	 * @param jwt The {@link Jwt} token
+			if (jwt.containsClaim(claimName)) {
-	 * @return The scopes from the token
+				return claimName;
-	 */
+			}
-	private Collection<String> getScopes(Jwt jwt) {
+		}
-		for ( String attributeName : WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES ) {
+		return null;
-			Object scopes = jwt.getClaims().get(attributeName);
+	}
-			if (scopes instanceof String) {
+
-				if (StringUtils.hasText((String) scopes)) {
+	private Collection<String> getAuthorities(Jwt jwt) {
-					return Arrays.asList(((String) scopes).split(" "));
+		String claimName = getAuthoritiesClaimName(jwt);
-				} else {
+
-					return Collections.emptyList();
+		if (claimName == null) {
-				}
+			return Collections.emptyList();
-			} else if (scopes instanceof Collection) {
+		}
-				return (Collection<String>) scopes;
+
 		Object authorities = jwt.getClaim(claimName);
 		if (authorities instanceof String) {
 			if (StringUtils.hasText((String) authorities)) {
 				return Arrays.asList(((String) authorities).split(" "));
 			} else {
 				return Collections.emptyList();
 			}
 		} else if (authorities instanceof Collection) {
 			return (Collection<String>) authorities;
 		}
 		return Collections.emptyList();