Polish gh-11665

Author: Steve Riesenberg

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -21,12 +21,10 @@
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
-import java.util.Optional;
 import java.util.function.Supplier;
 
 import javax.servlet.http.HttpServletRequest;
 
-import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.http.MediaType;
@@ -460,7 +458,7 @@ public class OpaqueTokenConfigurer {
 
 		private Supplier<OpaqueTokenIntrospector> introspector;
 
-		private Supplier<OpaqueTokenAuthenticationConverter> authenticationConverter;
+		private OpaqueTokenAuthenticationConverter authenticationConverter;
 
 		OpaqueTokenConfigurer(ApplicationContext context) {
 			this.context = context;
@@ -499,7 +497,7 @@ public OpaqueTokenConfigurer introspector(OpaqueTokenIntrospector introspector)
 		public OpaqueTokenConfigurer authenticationConverter(
 				OpaqueTokenAuthenticationConverter authenticationConverter) {
 			Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
-			this.authenticationConverter = () -> authenticationConverter;
+			this.authenticationConverter = authenticationConverter;
 			return this;
 		}
 
@@ -510,26 +508,27 @@ OpaqueTokenIntrospector getIntrospector() {
 			return this.context.getBean(OpaqueTokenIntrospector.class);
 		}
 
-		Optional<OpaqueTokenAuthenticationConverter> getAuthenticationConverter() {
+		OpaqueTokenAuthenticationConverter getAuthenticationConverter() {
 			if (this.authenticationConverter != null) {
-				return Optional.of(this.authenticationConverter.get());
+				return this.authenticationConverter;
 			}
-			try {
-				return Optional.of(this.context.getBean(OpaqueTokenAuthenticationConverter.class));
-			}
-			catch (NoSuchBeanDefinitionException nsbde) {
-				return Optional.empty();
+			if (this.context.getBeanNamesForType(OpaqueTokenAuthenticationConverter.class).length > 0) {
+				return this.context.getBean(OpaqueTokenAuthenticationConverter.class);
 			}
+			return null;
 		}
 
 		AuthenticationProvider getAuthenticationProvider() {
 			if (this.authenticationManager != null) {
 				return null;
 			}
 			OpaqueTokenIntrospector introspector = getIntrospector();
-			final OpaqueTokenAuthenticationProvider opaqueTokenAuthenticationProvider = new OpaqueTokenAuthenticationProvider(
+			OpaqueTokenAuthenticationProvider opaqueTokenAuthenticationProvider = new OpaqueTokenAuthenticationProvider(
 					introspector);
-			getAuthenticationConverter().ifPresent(opaqueTokenAuthenticationProvider::setAuthenticationConverter);
+			OpaqueTokenAuthenticationConverter authenticationConverter = getAuthenticationConverter();
+			if (authenticationConverter != null) {
+				opaqueTokenAuthenticationProvider.setAuthenticationConverter(authenticationConverter);
+			}
 			return opaqueTokenAuthenticationProvider;
 		}
 

config/src/main/java/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParser.java

@@ -252,6 +252,7 @@ static final class OpaqueTokenBeanDefinitionParser implements BeanDefinitionPars
 		static final String CLIENT_SECRET = "client-secret";
 
 		static final String AUTHENTICATION_CONVERTER_REF = "authentication-converter-ref";
+
 		static final String AUTHENTICATION_CONVERTER = "authenticationConverter";
 
 		OpaqueTokenBeanDefinitionParser() {
@@ -266,8 +267,7 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 					.rootBeanDefinition(OpaqueTokenAuthenticationProvider.class);
 			opaqueTokenProviderBuilder.addConstructorArgValue(introspector);
 			if (StringUtils.hasText(authenticationConverterRef)) {
-				opaqueTokenProviderBuilder.addPropertyValue(AUTHENTICATION_CONVERTER,
-						new RuntimeBeanReference(authenticationConverterRef));
+				opaqueTokenProviderBuilder.addPropertyReference(AUTHENTICATION_CONVERTER, authenticationConverterRef);
 			}
 			return opaqueTokenProviderBuilder.getBeanDefinition();
 		}

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,7 +27,6 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Optional;
 import java.util.UUID;
 import java.util.function.Function;
 import java.util.function.Supplier;
@@ -36,7 +35,6 @@
 import reactor.util.context.Context;
 
 import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.Ordered;
 import org.springframework.core.ResolvableType;
@@ -4286,7 +4284,7 @@ public final class OpaqueTokenSpec {
 
 			private Supplier<ReactiveOpaqueTokenIntrospector> introspector;
 
-			private Supplier<ReactiveOpaqueTokenAuthenticationConverter> authenticationConverter;
+			private ReactiveOpaqueTokenAuthenticationConverter authenticationConverter;
 
 			private OpaqueTokenSpec() {
 			}
@@ -4329,7 +4327,7 @@ public OpaqueTokenSpec introspector(ReactiveOpaqueTokenIntrospector introspector
 			public OpaqueTokenSpec authenticationConverter(
 					ReactiveOpaqueTokenAuthenticationConverter authenticationConverter) {
 				Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
-				this.authenticationConverter = () -> authenticationConverter;
+				this.authenticationConverter = authenticationConverter;
 				return this;
 			}
 
@@ -4343,10 +4341,12 @@ public OAuth2ResourceServerSpec and() {
 			}
 
 			protected ReactiveAuthenticationManager getAuthenticationManager() {
-				final OpaqueTokenReactiveAuthenticationManager authenticationManager = new OpaqueTokenReactiveAuthenticationManager(
+				OpaqueTokenReactiveAuthenticationManager authenticationManager = new OpaqueTokenReactiveAuthenticationManager(
 						getIntrospector());
-				Optional.ofNullable(getAuthenticationConverter())
-						.ifPresent(authenticationManager::setAuthenticationConverter);
+				ReactiveOpaqueTokenAuthenticationConverter authenticationConverter = getAuthenticationConverter();
+				if (authenticationConverter != null) {
+					authenticationManager.setAuthenticationConverter(authenticationConverter);
+				}
 				return authenticationManager;
 			}
 
@@ -4359,14 +4359,9 @@ protected ReactiveOpaqueTokenIntrospector getIntrospector() {
 
 			protected ReactiveOpaqueTokenAuthenticationConverter getAuthenticationConverter() {
 				if (this.authenticationConverter != null) {
-					return this.authenticationConverter.get();
-				}
-				try {
-					return getBean(ReactiveOpaqueTokenAuthenticationConverter.class);
-				}
-				catch (NoSuchBeanDefinitionException nsbde) {
-					return null;
+					return this.authenticationConverter;
 				}
+				return getBeanOrNull(ReactiveOpaqueTokenAuthenticationConverter.class);
 			}
 
 			protected void configure(ServerHttpSecurity http) {

config/src/main/kotlin/org/springframework/security/config/web/server/ServerOpaqueTokenDsl.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,29 +31,22 @@ import org.springframework.security.oauth2.server.resource.introspection.Reactiv
 class ServerOpaqueTokenDsl {
     private var _introspectionUri: String? = null
     private var _introspector: ReactiveOpaqueTokenIntrospector? = null
-    private var _authenticationConverter: ReactiveOpaqueTokenAuthenticationConverter? = null
     private var clientCredentials: Pair<String, String>? = null
 
     var introspectionUri: String?
         get() = _introspectionUri
         set(value) {
             _introspectionUri = value
             _introspector = null
-            _authenticationConverter = null
         }
     var introspector: ReactiveOpaqueTokenIntrospector?
         get() = _introspector
         set(value) {
             _introspector = value
-            _authenticationConverter = null
             _introspectionUri = null
             clientCredentials = null
         }
-    var authenticationConverter: ReactiveOpaqueTokenAuthenticationConverter?
-        get() = _authenticationConverter
-        set(value) {
-            _authenticationConverter = value
-        }
+    var authenticationConverter: ReactiveOpaqueTokenAuthenticationConverter? = null
 
     /**
      * Configures the credentials for Introspection endpoint.
@@ -64,7 +57,6 @@ class ServerOpaqueTokenDsl {
     fun introspectionClientCredentials(clientId: String, clientSecret: String) {
         clientCredentials = Pair(clientId, clientSecret)
         _introspector = null
-        _authenticationConverter = null
     }
 
     internal fun get(): (ServerHttpSecurity.OAuth2ResourceServerSpec.OpaqueTokenSpec) -> Unit {

config/src/main/kotlin/org/springframework/security/config/web/servlet/oauth2/resourceserver/OpaqueTokenDsl.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,7 +38,6 @@ class OpaqueTokenDsl {
     private var _introspectionUri: String? = null
     private var _introspector: OpaqueTokenIntrospector? = null
     private var clientCredentials: Pair<String, String>? = null
-    private var _authenticationConverter: OpaqueTokenAuthenticationConverter? = null
 
     var authenticationManager: AuthenticationManager? = null
 
@@ -56,11 +55,7 @@ class OpaqueTokenDsl {
             clientCredentials = null
         }
 
-    var authenticationConverter: OpaqueTokenAuthenticationConverter?
-        get() = _authenticationConverter
-        set(value) {
-            _authenticationConverter = value
-        }
+    var authenticationConverter: OpaqueTokenAuthenticationConverter? = null
 
     /**
      * Configures the credentials for Introspection endpoint.

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -82,6 +82,7 @@
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
@@ -103,6 +104,7 @@
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@@ -121,6 +123,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
 import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
@@ -1387,6 +1390,22 @@ public void getJwtAuthenticationConverterWhenDuplicateConverterBeansThenThrowsEx
 				.isThrownBy(jwtConfigurer::getJwtAuthenticationConverter);
 	}
 
+	@Test
+	public void getWhenCustomAuthenticationConverterThenConverts() throws Exception {
+		this.spring.register(RestOperationsConfig.class, OpaqueTokenAuthenticationConverterConfig.class,
+				BasicController.class).autowire();
+		OpaqueTokenAuthenticationConverter authenticationConverter = this.spring.getContext()
+				.getBean(OpaqueTokenAuthenticationConverter.class);
+		given(authenticationConverter.convert(anyString(), any(OAuth2AuthenticatedPrincipal.class)))
+				.willReturn(new TestingAuthenticationToken("jdoe", null, Collections.emptyList()));
+		mockRestOperations(json("Active"));
+		// @formatter:off
+		this.mvc.perform(get("/authenticated").with(bearerToken("token")))
+				.andExpect(status().isOk())
+				.andExpect(content().string("jdoe"));
+		// @formatter:on
+	}
+
 	private static <T> void registerMockBean(GenericApplicationContext context, String name, Class<T> clazz) {
 		context.registerBean(name, clazz, () -> mock(clazz));
 	}
@@ -2441,6 +2460,30 @@ protected void configure(HttpSecurity http) throws Exception {
 
 	}
 
+	@EnableWebSecurity
+	static class OpaqueTokenAuthenticationConverterConfig extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.authorizeRequests()
+					.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
+					.anyRequest().authenticated()
+					.and()
+					.oauth2ResourceServer()
+					.opaqueToken()
+					.authenticationConverter(authenticationConverter());
+			// @formatter:on
+		}
+
+		@Bean
+		OpaqueTokenAuthenticationConverter authenticationConverter() {
+			return mock(OpaqueTokenAuthenticationConverter.class);
+		}
+
+	}
+
 	@Configuration
 	static class JwtDecoderConfig {