Merge branch 'master' of https://github.com/spring-projects/spring-security into spring-projectsgh-7791

Author: sdratler1

.github/workflows/pr-build-workflow.yml

@@ -1,9 +1,6 @@
 name: PR Build
 
-on:
-  pull_request:
-    branches:
-      - master
+on: pull_request
 
 jobs:
   build:

.travis.yml

@@ -89,7 +89,7 @@ try {
 							 "GRADLE_ENTERPRISE_CACHE_USERNAME=${GRADLE_ENTERPRISE_CACHE_USERNAME}",
 							 "GRADLE_ENTERPRISE_CACHE_PASSWORD=${GRADLE_ENTERPRISE_CACHE_PASSWORD}",
 							 "GRADLE_ENTERPRISE_ACCESS_KEY=${GRADLE_ENTERPRISE_ACCESS_KEY}"]) {
-							sh "./gradlew test -PforceMavenRepositories=snapshot -PspringVersion='5.+' -PreactorVersion=Dysprosium-BUILD-SNAPSHOT -PspringDataVersion=Lovelace-BUILD-SNAPSHOT -PlocksDisabled --stacktrace"
+							sh "./gradlew test -PforceMavenRepositories=snapshot -PspringVersion='5.+' -PreactorVersion=20+ -PspringDataVersion=Lovelace-BUILD-SNAPSHOT -PrsocketVersion=1.1.0-SNAPSHOT -PlocksDisabled --stacktrace"
 						}
 					}
 				} catch(Exception e) {

Jenkinsfile

@@ -1,7 +1,5 @@
 image::https://badges.gitter.im/Join%20Chat.svg[Gitter,link=https://gitter.im/spring-projects/spring-security?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge]
 
-image:https://travis-ci.org/spring-projects/spring-security.svg?branch=master["Build Status", link="https://travis-ci.org/spring-projects/spring-security"]
-
 = Spring Security
 
 Spring Security provides security services for the https://docs.spring.io[Spring IO Platform]. Spring Security 5.0 requires Spring 5.0 as

README.adoc

@@ -16,7 +16,7 @@
 package org.springframework.security.acls.jdbc;
 
 import java.io.Serializable;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
@@ -99,7 +99,7 @@ public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
 					return new ObjectIdentityImpl(javaType, identifier);
 				});
 
-		if (objects.size() == 0) {
+		if (objects.isEmpty()) {
 			return null;
 		}
 
@@ -108,7 +108,7 @@ public List<ObjectIdentity> findChildren(ObjectIdentity parentIdentity) {
 
 	public Acl readAclById(ObjectIdentity object, List<Sid> sids)
 			throws NotFoundException {
-		Map<ObjectIdentity, Acl> map = readAclsById(Arrays.asList(object), sids);
+		Map<ObjectIdentity, Acl> map = readAclsById(Collections.singletonList(object), sids);
 		Assert.isTrue(map.containsKey(object),
 				() -> "There should have been an Acl entry for ObjectIdentity " + object);
 

acl/src/main/java/org/springframework/security/acls/jdbc/JdbcAclService.java

@@ -1,6 +1,6 @@
 buildscript {
 	dependencies {
-		classpath 'io.spring.gradle:spring-build-conventions:0.0.32.RELEASE'
+		classpath 'io.spring.gradle:spring-build-conventions:0.0.33.RELEASE'
 		classpath "org.springframework.boot:spring-boot-gradle-plugin:$springBootVersion"
 		classpath 'io.spring.nohttp:nohttp-gradle:0.0.5.RELEASE'
 		classpath "io.freefair.gradle:aspectj-plugin:5.0.1"

build.gradle

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.ImportSelector;
 import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
@@ -33,7 +34,6 @@
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 import java.util.List;
-import java.util.Optional;
 
 /**
  * {@link Configuration} for OAuth 2.0 Client support.
@@ -67,47 +67,69 @@ static class OAuth2ClientWebMvcSecurityConfiguration implements WebMvcConfigurer
 		private ClientRegistrationRepository clientRegistrationRepository;
 		private OAuth2AuthorizedClientRepository authorizedClientRepository;
 		private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient;
+		private OAuth2AuthorizedClientManager authorizedClientManager;
 
 		@Override
 		public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
-			if (this.clientRegistrationRepository != null && this.authorizedClientRepository != null) {
-				OAuth2AuthorizedClientProviderBuilder authorizedClientProviderBuilder =
-						OAuth2AuthorizedClientProviderBuilder.builder()
-								.authorizationCode()
-								.refreshToken()
-								.password();
-				if (this.accessTokenResponseClient != null) {
-					authorizedClientProviderBuilder.clientCredentials(configurer ->
-									configurer.accessTokenResponseClient(this.accessTokenResponseClient));
-				} else {
-					authorizedClientProviderBuilder.clientCredentials();
-				}
-				OAuth2AuthorizedClientProvider authorizedClientProvider = authorizedClientProviderBuilder.build();
-				DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(
-						this.clientRegistrationRepository, this.authorizedClientRepository);
-				authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+			OAuth2AuthorizedClientManager authorizedClientManager = getAuthorizedClientManager();
+			if (authorizedClientManager != null) {
 				argumentResolvers.add(new OAuth2AuthorizedClientArgumentResolver(authorizedClientManager));
 			}
 		}
 
 		@Autowired(required = false)
-		public void setClientRegistrationRepository(List<ClientRegistrationRepository> clientRegistrationRepositories) {
+		void setClientRegistrationRepository(List<ClientRegistrationRepository> clientRegistrationRepositories) {
 			if (clientRegistrationRepositories.size() == 1) {
 				this.clientRegistrationRepository = clientRegistrationRepositories.get(0);
 			}
 		}
 
 		@Autowired(required = false)
-		public void setAuthorizedClientRepository(List<OAuth2AuthorizedClientRepository> authorizedClientRepositories) {
+		void setAuthorizedClientRepository(List<OAuth2AuthorizedClientRepository> authorizedClientRepositories) {
 			if (authorizedClientRepositories.size() == 1) {
 				this.authorizedClientRepository = authorizedClientRepositories.get(0);
 			}
 		}
 
-		@Autowired
-		public void setAccessTokenResponseClient(
-				Optional<OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>> accessTokenResponseClient) {
-			accessTokenResponseClient.ifPresent(client -> this.accessTokenResponseClient = client);
+		@Autowired(required = false)
+		void setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient) {
+			this.accessTokenResponseClient = accessTokenResponseClient;
+		}
+
+		@Autowired(required = false)
+		void setAuthorizedClientManager(List<OAuth2AuthorizedClientManager> authorizedClientManagers) {
+			if (authorizedClientManagers.size() == 1) {
+				this.authorizedClientManager = authorizedClientManagers.get(0);
+			}
+		}
+
+		private OAuth2AuthorizedClientManager getAuthorizedClientManager() {
+			if (this.authorizedClientManager != null) {
+				return this.authorizedClientManager;
+			}
+
+			OAuth2AuthorizedClientManager authorizedClientManager = null;
+			if (this.clientRegistrationRepository != null && this.authorizedClientRepository != null) {
+				if (this.accessTokenResponseClient != null) {
+					OAuth2AuthorizedClientProvider authorizedClientProvider =
+							OAuth2AuthorizedClientProviderBuilder.builder()
+									.authorizationCode()
+									.refreshToken()
+									.clientCredentials(configurer ->
+											configurer.accessTokenResponseClient(this.accessTokenResponseClient))
+									.password()
+									.build();
+					DefaultOAuth2AuthorizedClientManager defaultAuthorizedClientManager =
+							new DefaultOAuth2AuthorizedClientManager(
+									this.clientRegistrationRepository, this.authorizedClientRepository);
+					defaultAuthorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+					authorizedClientManager = defaultAuthorizedClientManager;
+				} else {
+					authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(
+							this.clientRegistrationRepository, this.authorizedClientRepository);
+				}
+			}
+			return authorizedClientManager;
 		}
 	}
 }

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

@@ -15,18 +15,8 @@
  */
 package org.springframework.security.config.http;
 
-import java.security.SecureRandom;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
-import java.util.function.Function;
-import javax.servlet.http.HttpServletRequest;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.w3c.dom.Element;
-
 import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.BeanReference;
@@ -63,8 +53,18 @@
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.util.Assert;
+import org.springframework.util.ClassUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
+import org.w3c.dom.Element;
+
+import javax.servlet.http.HttpServletRequest;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.function.Function;
 
 import static org.springframework.security.config.http.SecurityFilters.ANONYMOUS_FILTER;
 import static org.springframework.security.config.http.SecurityFilters.BASIC_AUTH_FILTER;
@@ -160,12 +160,16 @@ final class AuthenticationConfigBuilder {
 
 	private String openIDLoginPage;
 
+	private boolean oauth2LoginEnabled;
+	private boolean defaultAuthorizedClientRepositoryRegistered;
 	private String oauth2LoginFilterId;
 	private BeanDefinition oauth2AuthorizationRequestRedirectFilter;
 	private BeanDefinition oauth2LoginEntryPoint;
 	private BeanReference oauth2LoginAuthenticationProviderRef;
 	private BeanReference oauth2LoginOidcAuthenticationProviderRef;
 	private BeanDefinition oauth2LoginLinks;
+
+	private boolean oauth2ClientEnabled;
 	private BeanDefinition authorizationRequestRedirectFilter;
 	private BeanDefinition authorizationCodeGrantFilter;
 	private BeanReference authorizationCodeAuthenticationProviderRef;
@@ -196,8 +200,7 @@ final class AuthenticationConfigBuilder {
 		createBasicFilter(authenticationManager);
 		createBearerTokenAuthenticationFilter(authenticationManager);
 		createFormLoginFilter(sessionStrategy, authenticationManager);
-		createOAuth2LoginFilter(sessionStrategy, authenticationManager);
-		createOAuth2ClientFilter(requestCache, authenticationManager);
+		createOAuth2ClientFilters(sessionStrategy, requestCache, authenticationManager);
 		createOpenIDLoginFilter(sessionStrategy, authenticationManager);
 		createX509Filter(authenticationManager);
 		createJeeFilter(authenticationManager);
@@ -274,15 +277,27 @@ void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authMana
 		}
 	}
 
+	void createOAuth2ClientFilters(BeanReference sessionStrategy, BeanReference requestCache,
+			BeanReference authenticationManager) {
+		createOAuth2LoginFilter(sessionStrategy, authenticationManager);
+		createOAuth2ClientFilter(requestCache, authenticationManager);
+		registerOAuth2ClientPostProcessors();
+	}
+
 	void createOAuth2LoginFilter(BeanReference sessionStrategy, BeanReference authManager) {
 		Element oauth2LoginElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.OAUTH2_LOGIN);
 		if (oauth2LoginElt == null) {
 			return;
 		}
+		this.oauth2LoginEnabled = true;
 
 		OAuth2LoginBeanDefinitionParser parser = new OAuth2LoginBeanDefinitionParser(requestCache, portMapper,
 				portResolver, sessionStrategy, allowSessionCreation);
 		BeanDefinition oauth2LoginFilterBean = parser.parse(oauth2LoginElt, this.pc);
+
+		BeanDefinition defaultAuthorizedClientRepository = parser.getDefaultAuthorizedClientRepository();
+		registerDefaultAuthorizedClientRepositoryIfNecessary(defaultAuthorizedClientRepository);
+
 		oauth2LoginFilterBean.getPropertyValues().addPropertyValue("authenticationManager", authManager);
 
 		// retrieve the other bean result
@@ -319,11 +334,15 @@ void createOAuth2ClientFilter(BeanReference requestCache, BeanReference authenti
 		if (oauth2ClientElt == null) {
 			return;
 		}
+		this.oauth2ClientEnabled = true;
 
 		OAuth2ClientBeanDefinitionParser parser = new OAuth2ClientBeanDefinitionParser(
 				requestCache, authenticationManager);
 		parser.parse(oauth2ClientElt, this.pc);
 
+		BeanDefinition defaultAuthorizedClientRepository = parser.getDefaultAuthorizedClientRepository();
+		registerDefaultAuthorizedClientRepositoryIfNecessary(defaultAuthorizedClientRepository);
+
 		this.authorizationRequestRedirectFilter = parser.getAuthorizationRequestRedirectFilter();
 		String authorizationRequestRedirectFilterId = pc.getReaderContext()
 				.generateBeanName(this.authorizationRequestRedirectFilter);
@@ -344,6 +363,28 @@ void createOAuth2ClientFilter(BeanReference requestCache, BeanReference authenti
 		this.authorizationCodeAuthenticationProviderRef = new RuntimeBeanReference(authorizationCodeAuthenticationProviderId);
 	}
 
+	void registerDefaultAuthorizedClientRepositoryIfNecessary(BeanDefinition defaultAuthorizedClientRepository) {
+		if (!this.defaultAuthorizedClientRepositoryRegistered && defaultAuthorizedClientRepository != null) {
+			String authorizedClientRepositoryId = pc.getReaderContext()
+					.generateBeanName(defaultAuthorizedClientRepository);
+			this.pc.registerBeanComponent(new BeanComponentDefinition(
+					defaultAuthorizedClientRepository, authorizedClientRepositoryId));
+			this.defaultAuthorizedClientRepositoryRegistered = true;
+		}
+	}
+
+	private void registerOAuth2ClientPostProcessors() {
+		if (!this.oauth2LoginEnabled && !this.oauth2ClientEnabled) {
+			return;
+		}
+
+		boolean webmvcPresent = ClassUtils.isPresent("org.springframework.web.servlet.DispatcherServlet", getClass().getClassLoader());
+		if (webmvcPresent) {
+			this.pc.getReaderContext().registerWithGeneratedName(
+					new RootBeanDefinition(OAuth2ClientWebMvcSecurityPostProcessor.class));
+		}
+	}
+
 	void createOpenIDLoginFilter(BeanReference sessionStrategy, BeanReference authManager) {
 		Element openIDLoginElt = DomUtils.getChildElementByTagName(httpElt,
 				Elements.OPENID_LOGIN);