spring-projects · jzheaux · Sep 11, 2019 · Sep 10, 2019
diff --git a/config/spring-security-config.gradle b/config/spring-security-config.gradle
@@ -35,6 +35,7 @@ dependencies {
 	testCompile project(':spring-security-test')
 	testCompile project(path : ':spring-security-core', configuration : 'tests')
 	testCompile project(path : ':spring-security-oauth2-client', configuration : 'tests')
+	testCompile project(path : ':spring-security-oauth2-resource-server', configuration : 'tests')
 	testCompile project(path : ':spring-security-web', configuration : 'tests')
 	testCompile apachedsDependencies
 	testCompile powerMock2Dependencies

diff --git a/...rg/springframework/security/config/annotation/web/configuration/OAuth2ImportSelector.java b/...rg/springframework/security/config/annotation/web/configuration/OAuth2ImportSelector.java
@@ -15,27 +15,40 @@
  */
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import org.springframework.context.annotation.ImportSelector;
 import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.util.ClassUtils;
 
 /**
  * Used by {@link EnableWebSecurity} to conditionally import {@link OAuth2ClientConfiguration}
- * when the {@code spring-security-oauth2-client} module is present on the classpath.
-
+ * when the {@code spring-security-oauth2-client} module is present on the classpath and
+ * {@link OAuth2ResourceServerConfiguration} when the {@code spring-security-oauth2-resource-server}
+ * module is on the classpath.
+ *
  * @author Joe Grandja
+ * @author Josh Cummings
  * @since 5.1
  * @see OAuth2ClientConfiguration
  */
 final class OAuth2ImportSelector implements ImportSelector {
 
 	@Override
 	public String[] selectImports(AnnotationMetadata importingClassMetadata) {
-		boolean oauth2ClientPresent = ClassUtils.isPresent(
-			"org.springframework.security.oauth2.client.registration.ClientRegistration", getClass().getClassLoader());
+		List<String> imports = new ArrayList<>();
+
+		if (ClassUtils.isPresent(
+			"org.springframework.security.oauth2.client.registration.ClientRegistration", getClass().getClassLoader())) {
+			imports.add("org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration");
+		}
+
+		if (ClassUtils.isPresent(
+			"org.springframework.security.oauth2.server.resource.BearerTokenError", getClass().getClassLoader())) {
+			imports.add("org.springframework.security.config.annotation.web.configuration.OAuth2ResourceServerConfiguration");
+		}
 
-		return oauth2ClientPresent ?
-			new String[] { "org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration" } :
-			new String[] {};
+		return imports.toArray(new String[0]);
 	}
 }
diff --git a/...ework/security/config/annotation/web/configuration/OAuth2ResourceServerConfiguration.java b/...ework/security/config/annotation/web/configuration/OAuth2ResourceServerConfiguration.java
@@ -0,0 +1,144 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configuration;
+
+import org.reactivestreams.Subscription;
+import reactor.core.CoreSubscriber;
+import reactor.core.publisher.Hooks;
+import reactor.core.publisher.Operators;
+import reactor.util.context.Context;
+
+import org.springframework.beans.factory.DisposableBean;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.ImportSelector;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.util.ClassUtils;
+
+/**
+ * {@link Configuration} for OAuth 2.0 Resource Server support.
+ *
+ * <p>
+ * This {@code Configuration} is conditionally imported by {@link OAuth2ImportSelector}
+ * when the {@code spring-security-oauth2-resource-server} module is present on the classpath.
+ *
+ * @author Josh Cummings
+ * @since 5.2
+ * @see OAuth2ImportSelector
+ */
+@Import(OAuth2ResourceServerConfiguration.OAuth2ClientWebFluxImportSelector.class)
+final class OAuth2ResourceServerConfiguration {
+
+	static class OAuth2ClientWebFluxImportSelector implements ImportSelector {
+
+		@Override
+		public String[] selectImports(AnnotationMetadata importingClassMetadata) {
+			boolean webfluxPresent = ClassUtils.isPresent(
+					"org.springframework.web.reactive.function.client.WebClient", getClass().getClassLoader());
+
+			return webfluxPresent ?
+					new String[] { "org.springframework.security.config.annotation.web.configuration.OAuth2ResourceServerConfiguration.OAuth2ResourceServerWebFluxSecurityConfiguration" } :
+					new String[] {};
+		}
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	static class OAuth2ResourceServerWebFluxSecurityConfiguration {
+		@Bean
+		BearerRequestContextSubscriberRegistrar bearerRequestContextSubscriberRegistrar() {
+			return new BearerRequestContextSubscriberRegistrar();
+		}
+
+		/**
+		 * Registers a {@link CoreSubscriber} that provides the current {@link Authentication}
+		 * to the correct {@link Context}.
+		 *
+		 * This is published as a {@code @Bean} automatically, so long as `spring-security-oauth2-resource-server`
+		 * and `spring-webflux` are on the classpath.
+		 */
+		static class BearerRequestContextSubscriberRegistrar
+				implements InitializingBean, DisposableBean {
+
+			private static final String REQUEST_CONTEXT_OPERATOR_KEY = BearerRequestContextSubscriber.class.getName();
+
+			@Override
+			public void afterPropertiesSet() throws Exception {
+				Hooks.onLastOperator(REQUEST_CONTEXT_OPERATOR_KEY,
+						Operators.liftPublisher((s, sub) -> createRequestContextSubscriber(sub)));
+			}
+
+			@Override
+			public void destroy() throws Exception {
+				Hooks.resetOnLastOperator(REQUEST_CONTEXT_OPERATOR_KEY);
+			}
+
+			private <T> CoreSubscriber<T> createRequestContextSubscriber(CoreSubscriber<T> delegate) {
+				Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+				return new BearerRequestContextSubscriber<>(delegate, authentication);
+			}
+
+			static class BearerRequestContextSubscriber<T> implements CoreSubscriber<T> {
+				private CoreSubscriber<T> delegate;
+				private final Context context;
+
+				private BearerRequestContextSubscriber(CoreSubscriber<T> delegate,
+						Authentication authentication) {
+
+					this.delegate = delegate;
+					Context parentContext = this.delegate.currentContext();
+					Context context;
+					if (authentication == null || parentContext.hasKey(Authentication.class)) {
+						context = parentContext;
+					} else {
+						context = parentContext.put(Authentication.class, authentication);
+					}
+
+					this.context = context;
+				}
+
+				@Override
+				public Context currentContext() {
+					return this.context;
+				}
+
+				@Override
+				public void onSubscribe(Subscription s) {
+					this.delegate.onSubscribe(s);
+				}
+
+				@Override
+				public void onNext(T t) {
+					this.delegate.onNext(t);
+				}
+
+				@Override
+				public void onError(Throwable t) {
+					this.delegate.onError(t);
+				}
+
+				@Override
+				public void onComplete() {
+					this.delegate.onComplete();
+				}
+			}
+		}
+	}
+}
diff --git a/.../security/config/annotation/web/configuration/OAuth2ResourceServerConfigurationTests.java b/.../security/config/annotation/web/configuration/OAuth2ResourceServerConfigurationTests.java
@@ -0,0 +1,165 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configuration;
+
+import javax.annotation.PreDestroy;
+
+import okhttp3.mockwebserver.Dispatcher;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import okhttp3.mockwebserver.RecordedRequest;
+import org.apache.commons.lang.StringUtils;
+import org.junit.Rule;
+import org.junit.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.test.SpringTestRule;
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
+import org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServletBearerExchangeFilterFunction;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.reactive.function.client.WebClient;
+
+import static org.springframework.security.oauth2.server.resource.authentication.TestBearerTokenAuthentications.bearer;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * Tests for {@link OAuth2ResourceServerConfiguration}.
+ *
+ * @author Josh Cummings
+ */
+public class OAuth2ResourceServerConfigurationTests {
+	@Rule
+	public final SpringTestRule spring = new SpringTestRule();
+
+	@Autowired
+	private MockMvc mockMvc;
+
+	// gh-7418
+	@Test
+	public void requestWhenUsingFilterThenBearerTokenPropagated() throws Exception {
+		BearerTokenAuthentication authentication = bearer();
+		this.spring.register(BearerFilterConfig.class, WebServerConfig.class, Controller.class).autowire();
+
+		this.mockMvc.perform(get("/token")
+				.with(authentication(authentication)))
+				.andExpect(status().isOk())
+				.andExpect(content().string("Bearer token"));
+	}
+
+	// gh-7418
+	@Test
+	public void requestWhenNotUsingFilterThenBearerTokenNotPropagated() throws Exception {
+		BearerTokenAuthentication authentication = bearer();
+		this.spring.register(BearerFilterlessConfig.class, WebServerConfig.class, Controller.class).autowire();
+
+		this.mockMvc.perform(get("/token")
+				.with(authentication(authentication)))
+				.andExpect(status().isOk())
+				.andExpect(content().string(""));
+	}
+
+
+	@EnableWebSecurity
+	static class BearerFilterConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+		}
+
+		@Bean
+		WebClient rest() {
+			ServletBearerExchangeFilterFunction bearer =
+					new ServletBearerExchangeFilterFunction();
+			return WebClient.builder()
+					.filter(bearer).build();
+		}
+	}
+
+	@EnableWebSecurity
+	static class BearerFilterlessConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+		}
+
+		@Bean
+		WebClient rest() {
+			return WebClient.create();
+		}
+	}
+
+	@RestController
+	static class Controller {
+		private final WebClient rest;
+		private final String uri;
+
+		@Autowired
+			Controller(MockWebServer server, WebClient rest) {
+			this.uri = server.url("/").toString();
+			this.rest = rest;
+		}
+
+		@GetMapping("/token")
+		public String token() {
+			return this.rest.get()
+					.uri(this.uri)
+					.retrieve()
+					.bodyToMono(String.class)
+					.flatMap(result -> this.rest.get()
+							.uri(this.uri)
+							.retrieve()
+							.bodyToMono(String.class))
+					.block();
+		}
+	}
+
+	@Configuration
+	static class WebServerConfig {
+		private final MockWebServer server = new MockWebServer();
+
+		@Bean
+		MockWebServer server() throws Exception {
+			this.server.setDispatcher(new AuthorizationHeaderDispatcher());
+			this.server.start();
+			return this.server;
+		}
+
+		@PreDestroy
+		void shutdown() throws Exception {
+			this.server.shutdown();
+		}
+	}
+
+	static class AuthorizationHeaderDispatcher extends Dispatcher {
+
+		@Override
+		public MockResponse dispatch(RecordedRequest request) {
+			MockResponse response = new MockResponse().setResponseCode(200);
+			String header = request.getHeader("Authorization");
+			if (StringUtils.isBlank(header)) {
+				return response;
+
+			}
+			return response.setBody(header);
+		}
+	}
+}