Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Polish gh-17080

Browse Source
This commit is contained in:
Joe Grandja
2025-05-13 08:15:00 -04:00
parent 2090f44f74
commit a265ac6ae7
3 changed files with 14 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/DPoPAuthenticationConfigurerTests.java
+12 -20
View File
@@ -18,7 +18,6 @@ package org.springframework.security.config.annotation.web.configurers.oauth2.se
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
@@ -33,6 +32,7 @@ import java.util.Set;
import java.util.UUID;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
@@ -89,6 +89,8 @@ public class DPoPAuthenticationConfigurerTests {
private static final ECPrivateKey CLIENT_EC_PRIVATE_KEY = (ECPrivateKey) TestKeys.DEFAULT_EC_KEY_PAIR.getPrivate();
private static final ECKey CLIENT_EC_KEY = TestJwks.jwk(CLIENT_EC_PUBLIC_KEY, CLIENT_EC_PRIVATE_KEY).build();
private static NimbusJwtEncoder providerJwtEncoder;
private static NimbusJwtEncoder clientJwtEncoder;
@@ -104,9 +106,8 @@ public class DPoPAuthenticationConfigurerTests {
JWKSource<SecurityContext> providerJwkSource = (jwkSelector, securityContext) -> jwkSelector
.select(new JWKSet(providerRsaKey));
providerJwtEncoder = new NimbusJwtEncoder(providerJwkSource);
ECKey clientEcKey = TestJwks.jwk(CLIENT_EC_PUBLIC_KEY, CLIENT_EC_PRIVATE_KEY).build();
JWKSource<SecurityContext> clientJwkSource = (jwkSelector, securityContext) -> jwkSelector
.select(new JWKSet(clientEcKey));
.select(new JWKSet(CLIENT_EC_KEY));
clientJwtEncoder = new NimbusJwtEncoder(clientJwkSource);
}
@@ -114,7 +115,7 @@ public class DPoPAuthenticationConfigurerTests {
public void requestWhenDPoPAndBearerAuthenticationThenUnauthorized() throws Exception {
this.spring.register(SecurityConfig.class, ResourceEndpoints.class).autowire();
Set<String> scope = Collections.singleton("resource1.read");
String accessToken = generateAccessToken(scope, CLIENT_EC_PUBLIC_KEY);
String accessToken = generateAccessToken(scope, CLIENT_EC_KEY);
String dPoPProof = generateDPoPProof(HttpMethod.GET.name(), "http://localhost/resource1", accessToken);
// @formatter:off
this.mvc.perform(get("/resource1")
@@ -131,7 +132,7 @@ public class DPoPAuthenticationConfigurerTests {
public void requestWhenDPoPAccessTokenMalformedThenUnauthorized() throws Exception {
this.spring.register(SecurityConfig.class, ResourceEndpoints.class).autowire();
Set<String> scope = Collections.singleton("resource1.read");
String accessToken = generateAccessToken(scope, CLIENT_EC_PUBLIC_KEY);
String accessToken = generateAccessToken(scope, CLIENT_EC_KEY);
String dPoPProof = generateDPoPProof(HttpMethod.GET.name(), "http://localhost/resource1", accessToken);
// @formatter:off
this.mvc.perform(get("/resource1")
@@ -147,7 +148,7 @@ public class DPoPAuthenticationConfigurerTests {
public void requestWhenMultipleDPoPProofsThenUnauthorized() throws Exception {
this.spring.register(SecurityConfig.class, ResourceEndpoints.class).autowire();
Set<String> scope = Collections.singleton("resource1.read");
String accessToken = generateAccessToken(scope, CLIENT_EC_PUBLIC_KEY);
String accessToken = generateAccessToken(scope, CLIENT_EC_KEY);
String dPoPProof = generateDPoPProof(HttpMethod.GET.name(), "http://localhost/resource1", accessToken);
// @formatter:off
this.mvc.perform(get("/resource1")
@@ -164,7 +165,7 @@ public class DPoPAuthenticationConfigurerTests {
public void requestWhenDPoPAuthenticationValidThenAccessed() throws Exception {
this.spring.register(SecurityConfig.class, ResourceEndpoints.class).autowire();
Set<String> scope = Collections.singleton("resource1.read");
String accessToken = generateAccessToken(scope, CLIENT_EC_PUBLIC_KEY);
String accessToken = generateAccessToken(scope, CLIENT_EC_KEY);
String dPoPProof = generateDPoPProof(HttpMethod.GET.name(), "http://localhost/resource1", accessToken);
// @formatter:off
this.mvc.perform(get("/resource1")
@@ -175,11 +176,11 @@ public class DPoPAuthenticationConfigurerTests {
// @formatter:on
}
private static String generateAccessToken(Set<String> scope, PublicKey clientPublicKey) {
private static String generateAccessToken(Set<String> scope, JWK jwk) {
Map<String, Object> jktClaim = null;
if (clientPublicKey != null) {
if (jwk != null) {
try {
String sha256Thumbprint = computeSHA256(clientPublicKey);
String sha256Thumbprint = jwk.toPublicJWK().computeThumbprint().toString();
jktClaim = new HashMap<>();
jktClaim.put("jkt", sha256Thumbprint);
}
@@ -207,10 +208,7 @@ public class DPoPAuthenticationConfigurerTests {
private static String generateDPoPProof(String method, String resourceUri, String accessToken) throws Exception {
// @formatter:off
Map<String, Object> publicJwk = TestJwks.jwk(CLIENT_EC_PUBLIC_KEY, CLIENT_EC_PRIVATE_KEY)
.build()
.toPublicJWK()
.toJSONObject();
Map<String, Object> publicJwk = CLIENT_EC_KEY.toPublicJWK().toJSONObject();
JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.ES256)
.type("dpop+jwt")
.jwk(publicJwk)
@@ -233,12 +231,6 @@ public class DPoPAuthenticationConfigurerTests {
return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
}
private static String computeSHA256(PublicKey publicKey) throws Exception {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(publicKey.getEncoded());
return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
}
@Configuration
@EnableWebSecurity
@EnableWebMvc