Polish gh-17202

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DPoPAuthenticationEntryPoint.java

@@ -33,6 +33,16 @@ import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.util.StringUtils;
 
+/**
+ * An {@link AuthenticationEntryPoint} implementation used to commence authentication for
+ * DPoP-protected resource requests.
+ *
+ * @author Joe Grandja
+ * @author Max Batischev
+ * @since 7.1
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc9449#section-7.1" target=
+ * "_blank">RFC 9449 Section 7.1. The DPoP Authentication Scheme</a>
+ */
 public final class DPoPAuthenticationEntryPoint implements AuthenticationEntryPoint {
 
 	@Override

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DPoPRequestMatcher.java

@@ -1,37 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.oauth2.server.resource.web;
-
-import jakarta.servlet.http.HttpServletRequest;
-
-import org.springframework.http.HttpHeaders;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
-import org.springframework.security.web.util.matcher.RequestMatcher;
-import org.springframework.util.StringUtils;
-
-public final class DPoPRequestMatcher implements RequestMatcher {
-
-	@Override
-	public boolean matches(HttpServletRequest request) {
-		String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
-		if (!StringUtils.hasText(authorization)) {
-			return false;
-		}
-		return StringUtils.startsWithIgnoreCase(authorization, OAuth2AccessToken.TokenType.DPOP.getValue());
-	}
-
-}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/DPoPAuthenticationConverter.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.security.oauth2.server.resource.authentication;
+package org.springframework.security.oauth2.server.resource.web.authentication;
 
 import java.util.Collections;
 import java.util.List;
@@ -30,10 +30,22 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 
+/**
+ * Attempts to extract a DPoP-bound access token from {@link HttpServletRequest} and then
+ * converts it to a {@link DPoPAuthenticationToken} used for authenticating the
+ * DPoP-protected resource request.
+ *
+ * @author Joe Grandja
+ * @author Max Batischev
+ * @since 7.1
+ * @see AuthenticationConverter
+ * @see DPoPAuthenticationToken
+ */
 public final class DPoPAuthenticationConverter implements AuthenticationConverter {
 
 	private static final Pattern AUTHORIZATION_PATTERN = Pattern.compile("^DPoP (?<token>[a-zA-Z0-9-._~+/]+=*)$",