use same request macther in configurer and filter

Author: frederikz

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java

@@ -21,12 +21,9 @@
 import java.util.List;
 import java.util.Map;
 
-import com.nimbusds.jose.jwk.source.JWKSource;
-
 import org.springframework.context.ApplicationListener;
 import org.springframework.context.event.GenericApplicationListenerAdapter;
 import org.springframework.context.event.SmartApplicationListener;
-import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -53,11 +50,12 @@
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.context.SecurityContextHolderFilter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
+import com.nimbusds.jose.jwk.source.JWKSource;
+
 /**
  * An {@link AbstractHttpConfigurer} for OAuth 2.0 Authorization Server support.
  *
@@ -88,6 +86,7 @@ public final class OAuth2AuthorizationServerConfigurer
 	private final Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> configurers = createConfigurers();
 	private RequestMatcher endpointsMatcher;
 	private AuthorizationServerContextResolver authorizationServerContextResolver;
+	private RequestMatcher jwkSetRequestMatcher;
 
 
 	/**
@@ -328,8 +327,8 @@ public void init(HttpSecurity httpSecurity) {
 			configurer.init(httpSecurity);
 			requestMatchers.add(configurer.getRequestMatcher());
 		});
-		requestMatchers.add(new AntPathRequestMatcher(
-				authorizationServerSettings.getJwkSetEndpoint(), HttpMethod.GET.name()));
+		this.jwkSetRequestMatcher = NimbusJwkSetEndpointFilter.createDefaultRequestMatcher(authorizationServerSettings.getJwkSetEndpoint());
+		requestMatchers.add(this.jwkSetRequestMatcher);
 		this.endpointsMatcher = new OrRequestMatcher(requestMatchers);
 
 		ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = httpSecurity.getConfigurer(ExceptionHandlingConfigurer.class);
@@ -360,8 +359,8 @@ public void configure(HttpSecurity httpSecurity) {
 
 		JWKSource<com.nimbusds.jose.proc.SecurityContext> jwkSource = OAuth2ConfigurerUtils.getJwkSource(httpSecurity);
 		if (jwkSource != null) {
-			NimbusJwkSetEndpointFilter jwkSetEndpointFilter = new NimbusJwkSetEndpointFilter(
-					jwkSource, authorizationServerSettings.getJwkSetEndpoint());
+			NimbusJwkSetEndpointFilter jwkSetEndpointFilter = new NimbusJwkSetEndpointFilter(jwkSource,
+					this.jwkSetRequestMatcher);
 			httpSecurity.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
 		}
 	}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/NimbusJwkSetEndpointFilter.java

@@ -18,23 +18,23 @@
 import java.io.IOException;
 import java.io.Writer;
 
-import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.OncePerRequestFilter;
 
 import com.nimbusds.jose.jwk.JWKMatcher;
 import com.nimbusds.jose.jwk.JWKSelector;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
 
-import org.springframework.http.HttpMethod;
-import org.springframework.http.MediaType;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.RequestMatcher;
-import org.springframework.util.Assert;
-import org.springframework.web.filter.OncePerRequestFilter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 /**
  * A {@code Filter} that processes JWK Set requests.
@@ -70,11 +70,27 @@ public NimbusJwkSetEndpointFilter(JWKSource<SecurityContext> jwkSource) {
 	 * @param jwkSetEndpointUri the endpoint {@code URI} for JWK Set requests
 	 */
 	public NimbusJwkSetEndpointFilter(JWKSource<SecurityContext> jwkSource, String jwkSetEndpointUri) {
+		this(jwkSource, createDefaultRequestMatcher(jwkSetEndpointUri));
+	}
+
+	/**
+	 * Constructs a {@code NimbusJwkSetEndpointFilter} using the provided parameters.
+	 *
+	 * @param jwkSource the {@code com.nimbusds.jose.jwk.source.JWKSource}
+	 * @param requestMatcher the endpoint matcher for JWK Set requests
+	 */
+	public NimbusJwkSetEndpointFilter(JWKSource<SecurityContext> jwkSource, RequestMatcher requestMatcher) {
 		Assert.notNull(jwkSource, "jwkSource cannot be null");
-		Assert.hasText(jwkSetEndpointUri, "jwkSetEndpointUri cannot be empty");
+		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
 		this.jwkSource = jwkSource;
 		this.jwkSelector = new JWKSelector(new JWKMatcher.Builder().build());
-		this.requestMatcher = new AntPathRequestMatcher(jwkSetEndpointUri, HttpMethod.GET.name());
+		this.requestMatcher = requestMatcher;
+	}
+
+	public static RequestMatcher createDefaultRequestMatcher(String jwkSetEndpointUri) {
+		Assert.hasText(jwkSetEndpointUri, "jwkSetEndpointUri cannot be empty");
+
+		return new AntPathRequestMatcher(jwkSetEndpointUri, HttpMethod.GET.name());
 	}
 
 	@Override

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/NimbusJwkSetEndpointFilterTests.java

@@ -37,6 +37,7 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.oauth2.jose.TestJwks;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -72,11 +73,18 @@ public void constructorWhenJwkSourceNullThenThrowIllegalArgumentException() {
 
 	@Test
 	public void constructorWhenJwkSetEndpointUriNullThenThrowIllegalArgumentException() {
-		assertThatThrownBy(() -> new NimbusJwkSetEndpointFilter(this.jwkSource, null))
+		assertThatThrownBy(() -> new NimbusJwkSetEndpointFilter(this.jwkSource, (String) null))
 				.isInstanceOf(IllegalArgumentException.class)
 				.hasMessage("jwkSetEndpointUri cannot be empty");
 	}
 
+	@Test
+	public void constructorWhenJwkSetEndpointMatcherNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> new NimbusJwkSetEndpointFilter(this.jwkSource, (RequestMatcher) null))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage("requestMatcher cannot be null");
+	}
+
 	@Test
 	public void doFilterWhenNotJwkSetRequestThenNotProcessed() throws Exception {
 		String requestUri = "/path";