spring-projects#2 changes as requested by reviewer

Author: jbellmann

.gitignore

@@ -17,7 +17,6 @@ target/
 .settings
 .springBeans
 .sts4-cache
-bin/
 
 ### IntelliJ IDEA ###
 .idea

samples/boot/minimal/spring-authorization-server-samples-boot-minimal.gradle

@@ -2,13 +2,16 @@ apply plugin: 'io.spring.convention.spring-sample-boot'
 
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.springframework.boot:spring-boot-starter-security'
 
 	implementation 'com.nimbusds:oauth2-oidc-sdk:7.3'
 
 	testImplementation('org.springframework.boot:spring-boot-starter-test') {
 		exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
 	}
 
+    testImplementation 'org.springframework.security:spring-security-test'
+
     testRuntime("org.junit.platform:junit-platform-runner")
     testRuntime("org.junit.jupiter:junit-jupiter-engine")
 }

samples/boot/minimal/src/main/java/sample/JWKSetEndpoint.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample;
+
+import static java.util.Objects.requireNonNull;
+import static org.springframework.http.HttpMethod.GET;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+import java.io.IOException;
+import java.io.Writer;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.UrlPathHelper;
+
+import com.nimbusds.jose.jwk.JWKSet;
+
+public class JwkSetEndpointFilter extends OncePerRequestFilter {
+
+	static final String WELL_KNOWN_JWK_URIS = "/.well-known/jwk_uris";
+	private final RequestMatcher requestMatcher = new AntPathRequestMatcher(WELL_KNOWN_JWK_URIS, GET.name(), true,
+			new UrlPathHelper());
+
+	private final JWKSet jwkSet;
+
+	public JwkSetEndpointFilter(JWKSet jwkSet) {
+		this.jwkSet = requireNonNull(jwkSet, "jwkSet should not be null");
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+
+		if (ifRequestMatches(request)) {
+			respond(response);
+		} else {
+			filterChain.doFilter(request, response);
+		}
+	}
+
+	protected void respond(HttpServletResponse response) throws IOException {
+		response.setContentType(APPLICATION_JSON_VALUE);
+		try (Writer writer = response.getWriter()) {
+			writer.write(jwkSet.toPublicJWKSet().toJSONObject().toJSONString());
+		}
+	}
+
+	protected boolean ifRequestMatches(HttpServletRequest request) {
+		return this.requestMatcher.matches(request);
+	}
+
+}

samples/boot/minimal/src/main/java/sample/JwkSetEndpointFilter.java

@@ -16,9 +16,10 @@
 
 package sample;
 
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.JWK;
@@ -27,19 +28,16 @@
 import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
 
 @Configuration
-public class Config {
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
-    @Bean
-    FilterRegistrationBean<JWKSetEndpoint> registerJWKSetEndpoint() throws JOSEException {
-        FilterRegistrationBean<JWKSetEndpoint> fb = new FilterRegistrationBean<>();
-        fb.setFilter(new JWKSetEndpoint(generateJwkSet()));
-        fb.addUrlPatterns("/*");
-        return fb;
-    }
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		http.addFilterBefore(new JwkSetEndpointFilter(generateJwkSet()), ChannelProcessingFilter.class);
+	}
 
-    protected JWKSet generateJwkSet() throws JOSEException {
-        JWK jwk = new RSAKeyGenerator(2048).keyID("minimal-ASA").keyUse(KeyUse.ENCRYPTION).generate();
-        return new JWKSet(jwk);
-    }
+	protected JWKSet generateJwkSet() throws JOSEException {
+		JWK jwk = new RSAKeyGenerator(2048).keyID("minimal-ASA").keyUse(KeyUse.ENCRYPTION).generate();
+		return new JWKSet(jwk);
+	}
 
 }

samples/boot/minimal/src/main/java/sample/Config.java renamed to samples/boot/minimal/src/main/java/sample/SecurityConfig.java

@@ -22,8 +22,8 @@
 @RestController
 public class FakeController {
 
-    @RequestMapping("/fake")
-    public String hello() {
-        return "fake";
-    }
+	@RequestMapping("/fake")
+	public String hello() {
+		return "fake";
+	}
 }

samples/boot/minimal/src/test/java/sample/FakeController.java

@@ -0,0 +1,83 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.springframework.http.HttpMethod.GET;
+import static org.springframework.http.HttpMethod.POST;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static sample.JwkSetEndpointFilter.WELL_KNOWN_JWK_URIS;
+
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.junit.jupiter.api.TestInstance.Lifecycle;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.KeyUse;
+import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
+
+@TestInstance(Lifecycle.PER_CLASS)
+public class JwkSetEndpointFilterTest {
+
+	private MockMvc mvc;
+	private JWKSet jwkSet;
+	private JWK jwk;
+	private JwkSetEndpointFilter filter;
+
+	@BeforeAll
+	void setup() throws JOSEException {
+		this.jwk = new RSAKeyGenerator(2048).keyID("endpoint-test").keyUse(KeyUse.ENCRYPTION).generate();
+		this.jwkSet = new JWKSet(jwk);
+		this.filter = new JwkSetEndpointFilter(jwkSet);
+		this.mvc = MockMvcBuilders.standaloneSetup(new FakeController()).addFilters(filter)
+				.alwaysDo(print()).build();
+	}
+
+	@Test
+	void testRequestMatcher() {
+		assertTrue(this.filter.ifRequestMatches(new MockHttpServletRequest(GET.name(), WELL_KNOWN_JWK_URIS)));
+
+		assertFalse(this.filter.ifRequestMatches(new MockHttpServletRequest(POST.name(), WELL_KNOWN_JWK_URIS)));
+		assertFalse(this.filter.ifRequestMatches(new MockHttpServletRequest(GET.name(), "/stuff" + WELL_KNOWN_JWK_URIS)));
+	}
+
+	@Test
+	void testResponseIfRequestMatches() throws Exception {
+		mvc.perform(get(WELL_KNOWN_JWK_URIS)).andDo(print()).andExpect(status().isOk())
+				.andExpect(jsonPath("$.keys").isArray()).andExpect(jsonPath("$.keys").isNotEmpty())
+				.andExpect(jsonPath("$.keys[0].kid").value(jwk.getKeyID()))
+				.andExpect(jsonPath("$.keys[0].kty").value(jwk.getKeyType().toString()));
+	}
+
+	@Test
+	void testResponseIfNotRequestMatches() throws Exception {
+		mvc.perform(get("/fake")).andDo(print()).andExpect(status().isOk())
+				.andExpect(content().string(Matchers.is("fake")));
+	}
+}