ResourceServerConfigurer on Auth0 Sample

Reconfigured the auth0 sample to use the Resource Server Configurer.

Note that this uncovered a problem with BearerTokenErrorHandler where
is was calling sendError instead of setStatus. The contract of
sendError indicates that it converts the content type to text/html and
allows the container to send an html error response with the given
message.

Calling setStatus seems more apppropriate in our case.

Issue: spring-projects/spring-security#5125

Author: jzheaux

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/resourceserver/BearerTokenErrorHandler.java

@@ -87,7 +87,7 @@ protected void handle(
 					.collect(Collectors.joining(", ", " ", ""));
 		}
 		response.addHeader(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticate);
-		response.sendError(httpStatus.value(), httpStatus.getReasonPhrase());
+		response.setStatus(httpStatus.value());
 	}
 
 	public void setRealmName(String realmName) {

samples/boot/oauth2/resource-server/auth0/src/main/java/sample/Auth0JwtDecoderJwkSupport.java renamed to samples/boot/oauth2/resource-server/auth0/src/main/java/sample/Auth0JwtDecoder.java

@@ -34,10 +34,10 @@
 /**
  * @author Josh Cummings
  */
-public class Auth0JwtDecoderJwkSupport implements JwtDecoder {
+public class Auth0JwtDecoder implements JwtDecoder {
 	private JWTVerifier verifier;
 
-	public Auth0JwtDecoderJwkSupport(JWTVerifier verifier) {
+	public Auth0JwtDecoder(JWTVerifier verifier) {
 		this.verifier = verifier;
 	}
 

samples/boot/oauth2/resource-server/auth0/src/main/java/sample/MessageController.java

@@ -43,6 +43,7 @@ public Message findOne(@PathVariable Long id) {
 
 	@PostMapping
 	public Message save(@Valid @RequestBody Message message) {
-		return this.messages.save(message);
+		Message n = this.messages.save(message);
+		return n;
 	}
 }

samples/boot/oauth2/resource-server/auth0/src/main/java/sample/MessagesApplication.java

@@ -19,90 +19,56 @@
 import com.auth0.jwt.JWTVerifier;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.interfaces.RSAKeyProvider;
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.BeanFactory;
+import org.springframework.beans.factory.BeanFactoryAware;
+import org.springframework.beans.factory.config.ConfigurableBeanFactory;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
-import org.springframework.http.HttpStatus;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.oauth2.resourceserver.ResourceServerConfigurer;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
-import org.springframework.security.oauth2.resourceserver.access.expression.OAuth2ResourceServerExpressions;
-import org.springframework.security.oauth2.resourceserver.access.expression.OAuth2Expressions;
-import org.springframework.security.oauth2.resourceserver.authentication.JwtAccessTokenAuthenticationProvider;
-import org.springframework.security.oauth2.resourceserver.authentication.JwtAccessTokenVerifier;
-import org.springframework.security.oauth2.resourceserver.web.BearerTokenAuthenticationFilter;
-import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.authentication.HttpStatusEntryPoint;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 
 import java.io.InputStream;
-import java.util.Arrays;
 
 @SpringBootApplication
-public class MessagesApplication {
+public class MessagesApplication implements BeanFactoryAware {
+
+	private ConfigurableBeanFactory beanFactory;
+
+	@Override
+	public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
+		if ( beanFactory instanceof ConfigurableBeanFactory ) {
+			this.beanFactory = (ConfigurableBeanFactory) beanFactory;
+		}
+	}
 
 	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
-			http
-				.addFilterAfter(
-					oauthResourceAuthenticationFilter(),
-					BasicAuthenticationFilter.class)
-				.exceptionHandling()
-				.authenticationEntryPoint(restAuthenticationEntryPoint()).and()
-				.authorizeRequests()
-				.anyRequest().authenticated().and()
-				.csrf().disable();
-		}
-	}
-
-
-
-	@Bean
-	public OAuth2Expressions oauth2() {
-		return new OAuth2ResourceServerExpressions();
-	}
 
-	// @Bean -- We don't want this to get wired by Spring Boot as a servlet-level filter
-	// Is there a more clever way to do this?
-	BearerTokenAuthenticationFilter oauthResourceAuthenticationFilter() {
-		BearerTokenAuthenticationFilter filter =
-			new BearerTokenAuthenticationFilter(authenticationManager());
+			resourceServer()
+					.jwt(jwtDecoder())
 
-		return filter;
-	}
-
-	@Bean
-	AuthenticationManager authenticationManager() {
-		return new ProviderManager(
-			Arrays.asList(oauthResourceAuthenticationProvider())
-		);
-	}
+				.and().apply(http);
+		}
 
-	@Bean
-	AuthenticationProvider oauthResourceAuthenticationProvider() {
-		JwtAccessTokenAuthenticationProvider provider =
-			new JwtAccessTokenAuthenticationProvider(jwtDecoder(), new JwtAccessTokenVerifier());
+		protected ResourceServerConfigurer resourceServer() {
+			return new ResourceServerConfigurer(MessagesApplication.this.beanFactory);
+		}
 
-		return provider;
 	}
 
 	@Bean
 	JwtDecoder jwtDecoder() {
 		InputStream is = this.getClass().getClassLoader().getResourceAsStream("id_rsa.pub");
 		RSAKeyProvider provider = new PemParsingPublicKeyOnlyRSAKeyProvider(is);
 		JWTVerifier verifier = JWT.require(Algorithm.RSA256(provider)).withIssuer("rob").build();
-		return new Auth0JwtDecoderJwkSupport(verifier);
-	}
-
-	@Bean
-	AuthenticationEntryPoint restAuthenticationEntryPoint() {
-		return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
+		return new Auth0JwtDecoder(verifier);
 	}
 
 	public static void main(String[] args) {

samples/boot/oauth2/resource-server/auth0/src/test/java/sample/Auth0JwtDecoderJwkSupportTests.java renamed to samples/boot/oauth2/resource-server/auth0/src/test/java/sample/Auth0JwtDecoderTests.java

@@ -29,7 +29,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
-public class Auth0JwtDecoderJwkSupportTests {
+public class Auth0JwtDecoderTests {
 	@Test
 	public void whenSignatureAndIssuerValid_thenDecodeToken() throws IOException {
 		String goodToken = "eyJraWQiOiIxMjMiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzY29wZSI6Im1lc3NhZ2UucmVhZCIsImlzcyI6InJvYiIsImV4cCI6MjE0NzQwNzIwMCwiaWF0IjoxNTE2MjU1MjAwfQ.XJ8d6fQpo53eH_8nduS7rZOB9szHkVTYkZgzfpF3s6dq0DH-ovgFWBE1evfIXHTQwpAil1X856lp_mvJH0pWVXjM2jM5g_qMGen25210-9R9A94ShiM3iSeMAozHl2L6nmdifJR9Na0fWPo4rogB6_N0GoBG2haaB9yU2r925hw";
@@ -63,7 +63,7 @@ public void whenExpired_thenTokenExpiredException() throws IOException {
 			.isInstanceOf(JwtException.class);
 	}
 
-	protected Auth0JwtDecoderJwkSupport defaultVerifier() throws IOException {
+	protected Auth0JwtDecoder defaultVerifier() throws IOException {
 		InputStream is = this.getClass()
 			.getClassLoader().getResourceAsStream("id_rsa.pub");
 
@@ -72,6 +72,6 @@ protected Auth0JwtDecoderJwkSupport defaultVerifier() throws IOException {
 
 		JWTVerifier verifier = JWT.require(Algorithm.RSA256(key)).withIssuer("rob").build();
 
-		return new Auth0JwtDecoderJwkSupport(verifier);
+		return new Auth0JwtDecoder(verifier);
 	}
 }

samples/boot/oauth2/resource-server/auth0/src/test/java/sample/MessagesApplicationTests.java

@@ -20,6 +20,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.web.client.TestRestTemplate;
 import org.springframework.http.HttpEntity;
@@ -28,13 +29,18 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
 @RunWith(SpringRunner.class)
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@AutoConfigureMockMvc
 public class MessagesApplicationTests {
 
+	@Autowired
+	MockMvc mvc;
+
 	@Autowired
 	TestRestTemplate rest;
 
@@ -58,7 +64,7 @@ public void setUp() throws Exception {
 	}
 
 	@Test
-	public void whenProperAuthorizationHeader_thenAllowBoth() {
+	public void whenProperAuthorizationHeader_thenAllowBoth() throws Exception {
 		Message toSave = new Message("New");
 
 		ResponseEntity<Message> response = postForMessage("/messages", this.messageBothAuthority, toSave);