Add BearerTokenAuthenticationConverter

Max Batischev · Max Batischev · commit 0170226a4445 · 2024-03-22T13:29:08.000+03:00
Closes spring-projectsgh-14750
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/AbstractBearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/AbstractBearerTokenAuthenticationConverter.java
@@ -0,0 +1,139 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.web;
+
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.server.resource.BearerTokenError;
+import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
+
+/**
+ * Base class for bearer token converter implementations.
+ *
+ * @author Max Batischev
+ * @author Rob Winch
+ * @since 6.3
+ */
+public abstract class AbstractBearerTokenAuthenticationConverter<R> {
+
+	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$",
+			Pattern.CASE_INSENSITIVE);
+
+	private boolean allowUriQueryParameter = false;
+
+	protected String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION;
+
+	protected String token(R request) {
+		String authorizationHeaderToken = resolveAuthorizationHeaderToken(request);
+		String parameterToken = resolveAccessTokenFromRequest(request);
+
+		if (authorizationHeaderToken != null) {
+			if (parameterToken != null) {
+				BearerTokenError error = BearerTokenErrors
+					.invalidRequest("Found multiple bearer tokens in the request");
+				throw new OAuth2AuthenticationException(error);
+			}
+			return authorizationHeaderToken;
+		}
+		if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
+			return parameterToken;
+		}
+		return null;
+	}
+
+	protected BearerTokenAuthenticationToken convertBearerToken(String token) {
+		if (token.isEmpty()) {
+			BearerTokenError error = invalidTokenError();
+			throw new OAuth2AuthenticationException(error);
+		}
+		return new BearerTokenAuthenticationToken(token);
+	}
+
+	protected abstract String resolveAuthorizationHeaderToken(R request);
+
+	private String resolveAccessTokenFromRequest(R request) {
+		List<String> parameterTokens = resolveParameterTokens(request);
+		if (CollectionUtils.isEmpty(parameterTokens)) {
+			return null;
+		}
+		if (parameterTokens.size() == 1) {
+			return parameterTokens.get(0);
+		}
+
+		BearerTokenError error = BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request");
+		throw new OAuth2AuthenticationException(error);
+
+	}
+
+	protected abstract List<String> resolveParameterTokens(R request);
+
+	/**
+	 * Set if transport of access token using URI query parameter is supported. Defaults
+	 * to {@code false}.
+	 * <p>
+	 * The spec recommends against using this mechanism for sending bearer tokens, and
+	 * even goes as far as stating that it was only included for completeness.
+	 * @param allowUriQueryParameter if the URI query parameter is supported
+	 */
+	public void setAllowUriQueryParameter(boolean allowUriQueryParameter) {
+		this.allowUriQueryParameter = allowUriQueryParameter;
+	}
+
+	/**
+	 * Set this value to configure what header is checked when resolving a Bearer Token.
+	 * This value is defaulted to {@link HttpHeaders#AUTHORIZATION}.
+	 * <p>
+	 * This allows other headers to be used as the Bearer Token source such as
+	 * {@link HttpHeaders#PROXY_AUTHORIZATION}
+	 * @param bearerTokenHeaderName the header to check when retrieving the Bearer Token.
+	 * @since 5.4
+	 */
+	public void setBearerTokenHeaderName(String bearerTokenHeaderName) {
+		this.bearerTokenHeaderName = bearerTokenHeaderName;
+	}
+
+	protected String resolveFromAuthorizationHeader(String authorization) {
+		if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
+			return null;
+		}
+		Matcher matcher = authorizationPattern.matcher(authorization);
+		if (!matcher.matches()) {
+			BearerTokenError error = invalidTokenError();
+			throw new OAuth2AuthenticationException(error);
+		}
+		return matcher.group("token");
+	}
+
+	protected BearerTokenError invalidTokenError() {
+		return BearerTokenErrors.invalidToken("Bearer token is malformed");
+	}
+
+	private boolean isParameterTokenSupportedForRequest(R request) {
+		return this.allowUriQueryParameter && HttpMethod.GET.equals(getHttpMethod(request));
+	}
+
+	protected abstract HttpMethod getHttpMethod(R request);
+
+}
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationConverter.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.web;
+
+import java.util.Collections;
+import java.util.List;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+/**
+ * Implementation of {@link AuthenticationConverter}, which converts bearer token to
+ * {@link BearerTokenAuthenticationToken}
+ *
+ * @author Max Batischev
+ * @since 6.3
+ */
+public final class BearerTokenAuthenticationConverter
+		extends AbstractBearerTokenAuthenticationConverter<HttpServletRequest> implements AuthenticationConverter {
+
+	private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
+
+	@Override
+	public Authentication convert(HttpServletRequest request) {
+		String token = token(request);
+		if (StringUtils.hasText(token)) {
+			BearerTokenAuthenticationToken bearerToken = convertBearerToken(token);
+			bearerToken.setDetails(this.authenticationDetailsSource.buildDetails(request));
+			return bearerToken;
+		}
+		return null;
+	}
+
+	@Override
+	protected String resolveAuthorizationHeaderToken(HttpServletRequest request) {
+		return resolveFromAuthorizationHeader(request.getHeader(this.bearerTokenHeaderName));
+	}
+
+	@Override
+	protected List<String> resolveParameterTokens(HttpServletRequest request) {
+		String[] queryParameters = request.getParameterValues("access_token");
+		if (queryParameters != null) {
+			return List.of(queryParameters);
+		}
+		return Collections.emptyList();
+	}
+
+	@Override
+	protected HttpMethod getHttpMethod(HttpServletRequest request) {
+		return HttpMethod.valueOf(request.getMethod());
+	}
+
+	public void setAuthenticationDetailsSource(
+			AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
+		Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
+		this.authenticationDetailsSource = authenticationDetailsSource;
+	}
+
+	public AuthenticationDetailsSource<HttpServletRequest, ?> getAuthenticationDetailsSource() {
+		return this.authenticationDetailsSource;
+	}
+
+}
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,22 +17,14 @@
 package org.springframework.security.oauth2.server.resource.web.server.authentication;
 
 import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import reactor.core.publisher.Mono;
 
-import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
-import org.springframework.security.oauth2.server.resource.BearerTokenError;
-import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
-import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.web.AbstractBearerTokenAuthenticationConverter;
 import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
-import org.springframework.util.CollectionUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.web.server.ServerWebExchange;
 
 /**
@@ -45,102 +37,31 @@
  * @see <a href="https://tools.ietf.org/html/rfc6750#section-2" target="_blank">RFC 6750
  * Section 2: Authenticated Requests</a>
  */
-public class ServerBearerTokenAuthenticationConverter implements ServerAuthenticationConverter {
-
-	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$",
-			Pattern.CASE_INSENSITIVE);
-
-	private boolean allowUriQueryParameter = false;
-
-	private String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION;
+public class ServerBearerTokenAuthenticationConverter
+		extends AbstractBearerTokenAuthenticationConverter<ServerHttpRequest> implements ServerAuthenticationConverter {
 
 	@Override
 	public Mono<Authentication> convert(ServerWebExchange exchange) {
-		return Mono.fromCallable(() -> token(exchange.getRequest())).map((token) -> {
-			if (token.isEmpty()) {
-				BearerTokenError error = invalidTokenError();
-				throw new OAuth2AuthenticationException(error);
-			}
-			return new BearerTokenAuthenticationToken(token);
-		});
+		// @formatter:off
+		return Mono.fromCallable(() -> token(exchange.getRequest()))
+				.map(this::convertBearerToken);
+		// @formatter:on
 	}
 
-	private String token(ServerHttpRequest request) {
-		String authorizationHeaderToken = resolveFromAuthorizationHeader(request.getHeaders());
-		String parameterToken = resolveAccessTokenFromRequest(request);
-
-		if (authorizationHeaderToken != null) {
-			if (parameterToken != null) {
-				BearerTokenError error = BearerTokenErrors
-					.invalidRequest("Found multiple bearer tokens in the request");
-				throw new OAuth2AuthenticationException(error);
-			}
-			return authorizationHeaderToken;
-		}
-		if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
-			return parameterToken;
-		}
-		return null;
-	}
-
-	private static String resolveAccessTokenFromRequest(ServerHttpRequest request) {
-		List<String> parameterTokens = request.getQueryParams().get("access_token");
-		if (CollectionUtils.isEmpty(parameterTokens)) {
-			return null;
-		}
-		if (parameterTokens.size() == 1) {
-			return parameterTokens.get(0);
-		}
-
-		BearerTokenError error = BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request");
-		throw new OAuth2AuthenticationException(error);
-
-	}
-
-	/**
-	 * Set if transport of access token using URI query parameter is supported. Defaults
-	 * to {@code false}.
-	 *
-	 * The spec recommends against using this mechanism for sending bearer tokens, and
-	 * even goes as far as stating that it was only included for completeness.
-	 * @param allowUriQueryParameter if the URI query parameter is supported
-	 */
-	public void setAllowUriQueryParameter(boolean allowUriQueryParameter) {
-		this.allowUriQueryParameter = allowUriQueryParameter;
-	}
-
-	/**
-	 * Set this value to configure what header is checked when resolving a Bearer Token.
-	 * This value is defaulted to {@link HttpHeaders#AUTHORIZATION}.
-	 *
-	 * This allows other headers to be used as the Bearer Token source such as
-	 * {@link HttpHeaders#PROXY_AUTHORIZATION}
-	 * @param bearerTokenHeaderName the header to check when retrieving the Bearer Token.
-	 * @since 5.4
-	 */
-	public void setBearerTokenHeaderName(String bearerTokenHeaderName) {
-		this.bearerTokenHeaderName = bearerTokenHeaderName;
-	}
-
-	private String resolveFromAuthorizationHeader(HttpHeaders headers) {
-		String authorization = headers.getFirst(this.bearerTokenHeaderName);
-		if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
-			return null;
-		}
-		Matcher matcher = authorizationPattern.matcher(authorization);
-		if (!matcher.matches()) {
-			BearerTokenError error = invalidTokenError();
-			throw new OAuth2AuthenticationException(error);
-		}
-		return matcher.group("token");
+	@Override
+	protected String resolveAuthorizationHeaderToken(ServerHttpRequest request) {
+		String authorization = request.getHeaders().getFirst(this.bearerTokenHeaderName);
+		return resolveFromAuthorizationHeader(authorization);
 	}
 
-	private static BearerTokenError invalidTokenError() {
-		return BearerTokenErrors.invalidToken("Bearer token is malformed");
+	@Override
+	protected List<String> resolveParameterTokens(ServerHttpRequest request) {
+		return request.getQueryParams().get("access_token");
 	}
 
-	private boolean isParameterTokenSupportedForRequest(ServerHttpRequest request) {
-		return this.allowUriQueryParameter && HttpMethod.GET.equals(request.getMethod());
+	@Override
+	protected HttpMethod getHttpMethod(ServerHttpRequest request) {
+		return request.getMethod();
 	}
 
 }
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/BearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/BearerTokenAuthenticationConverterTests.java
