From cf068f632265a23547ccbc25a38864926f276f59 Mon Sep 17 00:00:00 2001
From: artsiom
Date: Sat, 10 Nov 2018 12:40:55 +0300
Subject: [PATCH] adding configurable property for JWK encryption algorithm

---
 .../OAuth2ResourceServerProperties.java | 13 +++++++++++
 .../OAuth2ResourceServerJwkConfiguration.java | 3 ++-
 ...2ResourceServerAutoConfigurationTests.java | 23 +++++++++++++++++--
 .../appendix-application-properties.adoc | 1 +
 4 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java
index 6df4452a4b65..f262e4c70376 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java
@@ -40,6 +40,11 @@ public static class Jwt {
 		 */
 		private String jwkSetUri;
 
+		/**
+		 * JSON Web Algorithm used for verifying the digital signatures.
+		 */
+		private String jwsAlgorithm = "RS256";
+
 		/**
 		 * URI that an OpenID Connect Provider asserts as its Issuer Identifier.
 		 */
@@ -53,6 +58,14 @@ public void setJwkSetUri(String jwkSetUri) {
 			this.jwkSetUri = jwkSetUri;
 		}
 
+		public String getJwsAlgorithm() {
+			return this.jwsAlgorithm;
+		}
+
+		public void setJwsAlgorithm(String jwsAlgorithm) {
+			this.jwsAlgorithm = jwsAlgorithm;
+		}
+
 		public String getIssuerUri() {
 			return this.issuerUri;
 		}
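Review bot: The Javadoc on the new `jwsAlgorithm` field under-specifies what the value means: it is the JWS `alg` identifier (RFC 7518 §3.1) that the decoder is configured with, and that namespace includes the HMAC identifiers HS256/HS384/HS512 as well as "digital signatures" — the test in this same commit configures HS512 — while the commit title's "encryption algorithm" is a misnomer, since JWS is signing/MAC rather than encryption. The value is also a free-form String with no validation in this hunk, so a typo such as `RS-256` would presumably only surface when the decoder is constructed from it, if at all. I would replace the comment with `/** JSON Web Signature (JWS) algorithm ({@code alg}) the decoder is configured with when verifying tokens, e.g. RS256 or ES256. Must match the algorithm the authorization server signs with. */` and keep the default of RS256 visible in the appendix entry. The enclosing `Jwt` class starts and ends outside this hunk.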
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java
index d760162198fe..14c04a5e36df 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java
@@ -46,7 +46,8 @@ class OAuth2ResourceServerJwkConfiguration {
 	@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
 	@ConditionalOnMissingBean
 	public JwtDecoder jwtDecoderByJwkKeySetUri() {
-		return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri());
+		return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri(),
+				this.properties.getJwt().getJwsAlgorithm());
 	}
 
 	@Bean
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java
index 56cda029bb6b..27a173edf592 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java
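Review bot: Passing `getJwsAlgorithm()` straight into `NimbusJwtDecoderJwkSupport` lets an HMAC identifier (HS256/HS384/HS512) be paired with a JWK Set fetched from `jwk-set-uri`, and a MAC key published at a key endpoint is a shared secret that anyone able to read the endpoint could use to mint accepted tokens — the accompanying test does exactly this with HS512. Unless an HMAC-over-JWK-set deployment is intended, the bean's Javadoc should say only asymmetric algorithms (RS*, PS*, ES*) are expected here, or the method should fail fast, e.g. `Assert.state(!jwsAlgorithm.startsWith("HS"), "jws-algorithm must be an asymmetric algorithm when a jwk-set-uri is used");` on the value before constructing the decoder. The `@Bean` context line at the end shows a second decoder bean follows outside this hunk; if it also builds a decoder it does not receive the new property in this commit, so `jws-algorithm` would presumably be silently ignored on that configuration path — worth confirming. The enclosing class continues outside the hunk.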
@@ -22,6 +22,7 @@ import javax.servlet.Filter;
+import com.nimbusds.jose.JWSAlgorithm;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
 import org.junit.After;
@@ -78,8 +79,26 @@ public void autoConfigurationShouldConfigureResourceServer() {
 		this.contextRunner.withPropertyValues(
 				"spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://jwk-set-uri.com")
 				.run((context) -> {
-					assertThat(context.getBean(JwtDecoder.class))
-							.isInstanceOf(NimbusJwtDecoderJwkSupport.class);
+					JwtDecoder jwtDecoder = context.getBean(JwtDecoder.class);
+					assertThat(jwtDecoder).isInstanceOf(NimbusJwtDecoderJwkSupport.class);
+					NimbusJwtDecoderJwkSupport decoder = (NimbusJwtDecoderJwkSupport) jwtDecoder;
+					assertThat(decoder).hasFieldOrPropertyWithValue("jwsAlgorithm",
+							JWSAlgorithm.RS256);
+					assertThat(getBearerTokenFilter(context)).isNotNull();
+				});
+	}
+
+	@Test
+	public void autoConfigurationShouldConfigureResourceServerWithJwsAlgotihms() {
+		this.contextRunner.withPropertyValues(
+				"spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://jwk-set-uri.com",
+				"spring.security.oauth2.resourceserver.jwt.jws-algorithm=HS512")
+				.run((context) -> {
+					JwtDecoder jwtDecoder = context.getBean(JwtDecoder.class);
+					assertThat(jwtDecoder).isInstanceOf(NimbusJwtDecoderJwkSupport.class);
+					NimbusJwtDecoderJwkSupport decoder = (NimbusJwtDecoderJwkSupport) jwtDecoder;
+					assertThat(decoder).hasFieldOrPropertyWithValue("jwsAlgorithm",
+							JWSAlgorithm.HS512);
 					assertThat(getBearerTokenFilter(context)).isNotNull();
 				});
 	}
diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
index 03069eecd9e4..2c5bdb4cb1e1 100644
--- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
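Review bot: The new test picks HS512 as the non-default algorithm while also setting `jwk-set-uri`, which models a deployment where a shared HMAC secret is served from a key endpoint — not a configuration the auto-configuration should showcase, and an asymmetric identifier exercises the same code path; its name also has a typo (`Algotihms`). I would change the three lines `public void autoConfigurationShouldConfigureResourceServerWithJwsAlgorithm() {`, `"spring.security.oauth2.resourceserver.jwt.jws-algorithm=ES256")` and `JWSAlgorithm.ES256);`. Both assertions on `hasFieldOrPropertyWithValue("jwsAlgorithm", ...)` reach into what is presumably a private field of the Spring Security decoder by reflection, so a rename upstream would break these tests without any compile error — a comment such as `// reflective check: NimbusJwtDecoderJwkSupport exposes no getter for its algorithm` would at least record why.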
@@ -546,6 +546,7 @@ content into your application. Rather, pick only the properties that you need.
 	# SECURITY OAUTH2 RESOURCE SERVER ({sc-spring-boot-autoconfigure}/security/oauth2/resource/OAuth2ResourceServerProperties.{sc-ext}[OAuth2ResourceServerProperties])
 	spring.security.oauth2.resourceserver.jwt.jwk-set-uri= # JSON Web Key URI to use to verify the JWT token.
+	spring.security.oauth2.resourceserver.jwt.jws-algorithm= # JSON Web Algorithm used for verifying the digital signatures.
 	spring.security.oauth2.resourceserver.jwt.issuer-uri= # URI that an OpenID Connect Provider asserts as its Issuer Identifier.
 	# ----------------------------------------