Add Request-based AuthenticationManagerResolvers

Closes gh-6762

Author: jzheaux

docs/modules/ROOT/pages/reactive/oauth2/resource-server/multitenancy.adoc

@@ -1,5 +1,76 @@
 = OAuth 2.0 Resource Server Multitenancy
 
+[[webflux-oauth2reourceserver-opaqueandjwt]]
+== Supporting both JWT and Opaque Token
+
+In some cases, you may have a need to access both kinds of tokens.
+For example, you may support more than one tenant where one tenant issues JWTs and the other issues opaque tokens.
+
+If this decision must be made at request-time, then you can use an `AuthenticationManagerResolver` to achieve it, like so:
+
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+ReactiveAuthenticationManagerResolver<ServerWebExchange> tokenAuthenticationManagerResolver
+        (ReactiveJwtDecoder jwtDecoder, ReactiveOpaqueTokenIntrospector opaqueTokenIntrospector) {
+    ReactiveAuthenticationManager jwt = new JwtReactiveAuthenticationManager(jwtDecoder);
+    ReactiveAuthenticationManager opaque = new OpaqueTokenReactiveAuthenticationManager(opaqueTokenIntrospector);
+    return ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.builder()
+            .add(new ServerWebExchangeMatcherEntry<>(ServerWebExchangeMatchers.pathPatterns("/opaque/**"), opaque))
+            .add(new ServerWebExchangeMatcherEntry<>(ServerWebExchangeMatchers.anyExchange(), jwt))
+            .build();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun tokenAuthenticationManagerResolver
+        (jwtDecoder: JwtDecoder, opaqueTokenIntrospector: OpaqueTokenIntrospector):
+        AuthenticationManagerResolver<HttpServletRequest> {
+    val jwt = JwtReactiveAuthenticationManager(jwtDecoder)
+    val opaque = OpaqueTokenReactiveAuthenticationManager(opaqueTokenIntrospector)
+    return ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.builder()
+            .add(ServerWebExchangeMatcherEntry(ServerWebExchangeMatchers.pathPatterns("/opaque/**"), opaque))
+            .add(ServerWebExchangeMatcherEntry(ServerWebExchangeMatchers.anyExchange(), jwt))
+            .build()
+}
+----
+====
+
+And then specify this `ReactiveAuthenticationManagerResolver` in the DSL:
+
+.Authentication Manager Resolver
+====
+.Java
+[source,java,role="primary"]
+----
+http
+    .authorizeExchange((authorize) -> authorize
+        .anyExchange().authenticated()
+    )
+    .oauth2ResourceServer((oauth2) -> oauth2
+        .authenticationManagerResolver(this.tokenAuthenticationManagerResolver)
+    );
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+http {
+    authorizeExchange {
+        authorize(anyExchange, authenticated)
+    }
+    oauth2ResourceServer {
+        authenticationManagerResolver = tokenAuthenticationManagerResolver()
+    }
+}
+----
+====
+
 [[webflux-oauth2resourceserver-multitenancy]]
 == Multi-tenancy
 

docs/modules/ROOT/pages/servlet/oauth2/resource-server/multitenancy.adoc

@@ -15,10 +15,12 @@ If this decision must be made at request-time, then you can use an `Authenticati
 @Bean
 AuthenticationManagerResolver<HttpServletRequest> tokenAuthenticationManagerResolver
         (JwtDecoder jwtDecoder, OpaqueTokenIntrospector opaqueTokenIntrospector) {
-    AuthenticationManager jwt = new ProviderManager(new JwtAuthenticationProvider(jwtDecoder));
-    AuthenticationManager opaqueToken = new ProviderManager(
-            new OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector));
-    return (request) -> useJwt(request) ? jwt : opaqueToken;
+    AuthenticationManager jwt = new JwtAuthenticationProvider(jwtDecoder)::authenticate;
+    AuthenticationManager opaque = new OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector)::authenticate;
+    return RequestMatcherDelegatingAuthenticationManagerResolver.builder()
+            .add(new RequestMatcherEntry<>(new AntPathRequestMatcher("/opaque/**"), opaque))
+            .add(new RequestMatcherEntry<>(AnyRequestMatcher.INSTANCE, jwt))
+            .build();
 }
 ----
 
@@ -31,20 +33,14 @@ fun tokenAuthenticationManagerResolver
         AuthenticationManagerResolver<HttpServletRequest> {
     val jwt = ProviderManager(JwtAuthenticationProvider(jwtDecoder))
     val opaqueToken = ProviderManager(OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector));
-
-    return AuthenticationManagerResolver { request ->
-        if (useJwt(request)) {
-            jwt
-        } else {
-            opaqueToken
-        }
-    }
+    return RequestMatcherDelegatingAuthenticationManagerResolver.builder()
+            .add(RequestMatcherEntry(AntPathRequestMatcher("/opaque/**"), opaque))
+            .add(RequestMatcherEntry(AnyRequestMatcher.INSTANCE, jwt))
+            .build()
 }
 ----
 ====
 
-NOTE: The implementation of `useJwt(HttpServletRequest)` will likely depend on custom request material like the path.
-
 And then specify this `AuthenticationManagerResolver` in the DSL:
 
 .Authentication Manager Resolver

web/src/main/java/org/springframework/security/web/authentication/RequestMatcherDelegatingAuthenticationManagerResolver.java

@@ -0,0 +1,125 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.authentication;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationManagerResolver;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcherEntry;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthenticationManagerResolver} that returns a {@link AuthenticationManager}
+ * instances based upon the type of {@link HttpServletRequest} passed into
+ * {@link #resolve(HttpServletRequest)}.
+ *
+ * @author Josh Cummings
+ * @since 5.7
+ */
+public final class RequestMatcherDelegatingAuthenticationManagerResolver
+		implements AuthenticationManagerResolver<HttpServletRequest> {
+
+	private final List<RequestMatcherEntry<AuthenticationManager>> authenticationManagers;
+
+	private AuthenticationManager defaultAuthenticationManager = (authentication) -> {
+		throw new AuthenticationServiceException("Cannot authenticate " + authentication);
+	};
+
+	/**
+	 * Construct an {@link RequestMatcherDelegatingAuthenticationManagerResolver} based on
+	 * the provided parameters
+	 * @param authenticationManagers a {@link List} of
+	 * {@link RequestMatcher}/{@link AuthenticationManager} pairs
+	 */
+	private RequestMatcherDelegatingAuthenticationManagerResolver(
+			List<RequestMatcherEntry<AuthenticationManager>> authenticationManagers) {
+		Assert.notEmpty(authenticationManagers, "authenticationManagers cannot be empty");
+		this.authenticationManagers = authenticationManagers;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public AuthenticationManager resolve(HttpServletRequest context) {
+		for (RequestMatcherEntry<AuthenticationManager> entry : this.authenticationManagers) {
+			if (entry.getRequestMatcher().matches(context)) {
+				return entry.getEntry();
+			}
+		}
+
+		return this.defaultAuthenticationManager;
+	}
+
+	/**
+	 * Set the default {@link AuthenticationManager} to use when a request does not match
+	 * @param defaultAuthenticationManager the default {@link AuthenticationManager} to
+	 * use
+	 */
+	public void setDefaultAuthenticationManager(AuthenticationManager defaultAuthenticationManager) {
+		Assert.notNull(defaultAuthenticationManager, "defaultAuthenticationManager cannot be null");
+		this.defaultAuthenticationManager = defaultAuthenticationManager;
+	}
+
+	/**
+	 * Creates a builder for {@link RequestMatcherDelegatingAuthorizationManager}.
+	 * @return the new {@link RequestMatcherDelegatingAuthorizationManager.Builder}
+	 * instance
+	 */
+	public static Builder builder() {
+		return new Builder();
+	}
+
+	/**
+	 * A builder for {@link RequestMatcherDelegatingAuthenticationManagerResolver}.
+	 */
+	public static final class Builder {
+
+		private final List<RequestMatcherEntry<AuthenticationManager>> mappings = new ArrayList<>();
+
+		/**
+		 * Maps a {@link RequestMatcher} to a {@link AuthenticationManager}.
+		 * @param mapping a {@link RequestMatcher} to {@link AuthenticationManager}
+		 * mapping
+		 * @return the {@link Builder} for further customizations
+		 */
+		public Builder add(RequestMatcherEntry<AuthenticationManager> mapping) {
+			Assert.notNull(mapping, "mapping cannot be null");
+			this.mappings.add(mapping);
+			return this;
+		}
+
+		/**
+		 * Creates a {@link RequestMatcherDelegatingAuthenticationManagerResolver}
+		 * instance.
+		 * @return the {@link RequestMatcherDelegatingAuthenticationManagerResolver}
+		 * instance
+		 */
+		public RequestMatcherDelegatingAuthenticationManagerResolver build() {
+			return new RequestMatcherDelegatingAuthenticationManagerResolver(this.mappings);
+		}
+
+	}
+
+}

web/src/main/java/org/springframework/security/web/server/authentication/ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.java

@@ -0,0 +1,116 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcherEntry;
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * A {@link ReactiveAuthenticationManagerResolver} that returns a
+ * {@link ReactiveAuthenticationManager} instances based upon the type of
+ * {@link ServerWebExchange} passed into {@link #resolve(ServerWebExchange)}.
+ *
+ * @author Josh Cummings
+ * @since 5.7
+ *
+ */
+public final class ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver
+		implements ReactiveAuthenticationManagerResolver<ServerWebExchange> {
+
+	private final List<ServerWebExchangeMatcherEntry<ReactiveAuthenticationManager>> authenticationManagers;
+
+	private ReactiveAuthenticationManager defaultAuthenticationManager = (authentication) -> Mono
+			.error(new AuthenticationServiceException("Cannot authenticate " + authentication));
+
+	/**
+	 * Construct an
+	 * {@link ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver} based on
+	 * the provided parameters
+	 * @param managers a {@link List} of {@link ServerWebExchangeMatcherEntry}s
+	 */
+	private ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver(
+			List<ServerWebExchangeMatcherEntry<ReactiveAuthenticationManager>> managers) {
+		Assert.notNull(managers, "entries cannot be null");
+		this.authenticationManagers = managers;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public Mono<ReactiveAuthenticationManager> resolve(ServerWebExchange exchange) {
+		return Flux.fromIterable(this.authenticationManagers).filterWhen((entry) -> isMatch(exchange, entry)).next()
+				.map(ServerWebExchangeMatcherEntry::getEntry).defaultIfEmpty(this.defaultAuthenticationManager);
+	}
+
+	/**
+	 * Set the default {@link ReactiveAuthenticationManager} to use when a request does
+	 * not match
+	 * @param defaultAuthenticationManager the default
+	 * {@link ReactiveAuthenticationManager} to use
+	 */
+	public void setDefaultAuthenticationManager(ReactiveAuthenticationManager defaultAuthenticationManager) {
+		Assert.notNull(defaultAuthenticationManager, "defaultAuthenticationManager cannot be null");
+		this.defaultAuthenticationManager = defaultAuthenticationManager;
+	}
+
+	private Mono<Boolean> isMatch(ServerWebExchange exchange, ServerWebExchangeMatcherEntry entry) {
+		ServerWebExchangeMatcher matcher = entry.getMatcher();
+		return matcher.matches(exchange).map(ServerWebExchangeMatcher.MatchResult::isMatch);
+	}
+
+	/**
+	 * Creates a builder for
+	 * {@link ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver}.
+	 * @return the new
+	 * {@link ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.Builder}
+	 * instance
+	 */
+	public static Builder builder() {
+		return new Builder();
+	}
+
+	public static final class Builder {
+
+		private final List<ServerWebExchangeMatcherEntry<ReactiveAuthenticationManager>> mappings = new ArrayList<>();
+
+		private Builder() {
+		}
+
+		public Builder add(ServerWebExchangeMatcherEntry<ReactiveAuthenticationManager> entry) {
+			this.mappings.add(entry);
+			return this;
+		}
+
+		public ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver build() {
+			return new ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver(this.mappings);
+		}
+
+	}
+
+}