Merge branch '6.4.x'

Closes gh-16902

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -1560,12 +1560,15 @@ public class OAuth2ResourceServerConfigurerTests {
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
+			DefaultBearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();
+			defaultBearerTokenResolver.setAllowUriQueryParameter(true);
 			http
 				.authorizeRequests()
 					.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
 					.anyRequest().authenticated()
 					.and()
 				.oauth2ResourceServer()
+					.bearerTokenResolver(defaultBearerTokenResolver)
 					.jwt()
 						.jwkSetUri(this.jwkSetUri);
 			return http.build();

config/src/test/resources/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParserTests-JwkSetUri.xml

@@ -25,10 +25,15 @@
 
 	<c:property-placeholder local-override="true"/>
 
+	<b:bean id="bearerTokenResolver"
+			class="org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver">
+		<b:property name="allowUriQueryParameter" value="true"/>
+	</b:bean>
+
 	<http>
 		<intercept-url pattern="/**" access="authenticated"/>
 		<intercept-url pattern="/requires-read-scope" access="hasAuthority('SCOPE_message:read')"/>
-		<oauth2-resource-server>
+		<oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver">
 			<jwt jwk-set-uri="${jwk-set-uri:https://idp.example.org}"/>
 		</oauth2-resource-server>
 	</http>