Provide Bearer Token resolving strategy

This commit creates oauth2-resource-server module and provides a strategy for resolving Bearer Token from HTTP request together with default implementation that aligns with RFC 6750.

Closes spring-projectsgh-5121

Author: vpavic

oauth2/oauth2-resource-server/spring-security-oauth2-resource-server.gradle

@@ -0,0 +1,13 @@
+apply plugin: 'io.spring.convention.spring-module'
+
+dependencies {
+	compile project(':spring-security-core')
+	compile project(':spring-security-oauth2-core')
+	compile project(':spring-security-web')
+	compile springCoreDependency
+	compile 'com.nimbusds:oauth2-oidc-sdk'
+
+	optional project(':spring-security-oauth2-jose')
+
+	provided 'javax.servlet:javax.servlet-api'
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/BearerTokenAuthenticationException.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.util.Assert;
+
+/**
+ * This exception is thrown for all Bearer Token related {@link Authentication} errors.
+ *
+ * @author Vedran Pavic
+ * @since 5.1
+ * @see <a href="https://tools.ietf.org/html/rfc6750#section-3" target="_blank">RFC 6750 Section 3: The WWW-Authenticate Response Header Field</a>
+ */
+public class BearerTokenAuthenticationException extends AuthenticationException {
+
+	private final BearerTokenError error;
+
+	/**
+	 * Create a new {@link BearerTokenAuthenticationException}.
+	 * @param error the {@link BearerTokenError Bearer Token Error}
+	 * @param message the detail message
+	 * @param cause the root cause
+	 */
+	public BearerTokenAuthenticationException(BearerTokenError error, String message, Throwable cause) {
+		super(message, cause);
+		Assert.notNull(error, "error must not be null");
+		this.error = error;
+	}
+
+	/**
+	 * Create a new {@link BearerTokenAuthenticationException}.
+	 * @param error the {@link BearerTokenError Bearer Token Error}
+	 * @param message the detail message
+	 */
+	public BearerTokenAuthenticationException(BearerTokenError error, String message) {
+		super(message);
+		Assert.notNull(error, "error must not be null");
+		this.error = error;
+	}
+
+	/**
+	 * Return the Bearer Token error
+	 * @return the error
+	 */
+	public BearerTokenError getError() {
+		return error;
+	}
+
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/BearerTokenError.java

@@ -0,0 +1,104 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource;
+
+import java.io.Serializable;
+
+import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.util.Assert;
+
+/**
+ * A representation of an Bearer Token Error.
+ *
+ * @author Vedran Pavic
+ * @since 5.1
+ * @see BearerTokenErrorCodes
+ * @see <a href="https://tools.ietf.org/html/rfc6750#section-3" target="_blank">RFC 6750 Section 3: The WWW-Authenticate Response Header Field</a>
+ */
+public final class BearerTokenError implements Serializable {
+
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+
+	private final String errorCode;
+
+	private final String description;
+
+	private final String uri;
+
+	private final String scope;
+
+	/**
+	 * Create a {@code BearerTokenError} using the provided parameters.
+	 * @param errorCode the error code
+	 */
+	public BearerTokenError(String errorCode) {
+		this(errorCode, null, null, null);
+	}
+
+	/**
+	 * Create a {@code BearerTokenError} using the provided parameters.
+	 * @param errorCode the error code
+	 * @param description the description
+	 * @param uri the URI
+	 * @param scope the scope
+	 */
+	public BearerTokenError(String errorCode, String description, String uri, String scope) {
+		Assert.hasText(errorCode, "errorCode must not be empty");
+		this.errorCode = errorCode;
+		this.description = description;
+		this.uri = uri;
+		this.scope = scope;
+	}
+
+	/**
+	 * Return the error code.
+	 * @return the error code
+	 */
+	public String getErrorCode() {
+		return this.errorCode;
+	}
+
+	/**
+	 * Return the description.
+	 * @return the description
+	 */
+	public String getDescription() {
+		return this.description;
+	}
+
+	/**
+	 * Return the URI.
+	 * @return the URI
+	 */
+	public String getUri() {
+		return this.uri;
+	}
+
+	/**
+	 * Return the scope.
+	 * @return the scope
+	 */
+	public String getScope() {
+		return scope;
+	}
+
+	@Override
+	public String toString() {
+		return "[" + this.getErrorCode() + "]" + (this.description != null ? " " + this.description : "");
+	}
+
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/BearerTokenErrorCodes.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource;
+
+/**
+ * Standard error codes defined by the OAuth 2.0 Authorization Framework: Bearer Token Usage.
+ *
+ * @author Vedran Pavic
+ * @since 5.1
+ * @see <a href="https://tools.ietf.org/html/rfc6750#section-3.1" target="_blank">RFC 6750 Section 3.1: Error Codes</a>
+ */
+public interface BearerTokenErrorCodes {
+
+	/**
+	 * {@code invalid_request} - The request is missing a required parameter, includes an unsupported parameter or
+	 * parameter value, repeats the same parameter, uses more than one method for including an access token, or is
+	 * otherwise malformed.
+	 */
+	String INVALID_REQUEST = "invalid_request";
+
+	/**
+	 * {@code invalid_token} - The access token provided is expired, revoked, malformed, or invalid for other
+	 * reasons.
+	 */
+	String INVALID_TOKEN = "invalid_token";
+
+	/**
+	 * {@code insufficient_scope} - The request requires higher privileges than provided by the access token.
+	 */
+	String INSUFFICIENT_SCOPE = "insufficient_scope";
+
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * OAuth 2.0 Resource Server core classes and interfaces providing support.
+ */
+package org.springframework.security.oauth2.server.resource;

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/BearerTokenResolver.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.web;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * A strategy for resolving Bearer Token from the {@link HttpServletRequest}.
+ *
+ * @author Vedran Pavic
+ * @since 5.1
+ * @see <a href="https://tools.ietf.org/html/rfc6750#section-2" target="_blank">RFC 6750 Section 2: Authenticated Requests</a>
+ */
+public interface BearerTokenResolver {
+
+	/**
+	 * Resolve the Bearer Token value from the request.
+	 * @param request the request
+	 * @return the Bearer Token value
+	 */
+	String resolve(HttpServletRequest request);
+
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.web;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationException;
+import org.springframework.security.oauth2.server.resource.BearerTokenError;
+import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
+import org.springframework.util.StringUtils;
+
+/**
+ * The default {@link BearerTokenResolver} implementation based on RFC 6750.
+ *
+ * @author Vedran Pavic
+ * @since 5.1
+ * @see <a href="https://tools.ietf.org/html/rfc6750#section-2" target="_blank">RFC 6750 Section 2: Authenticated Requests</a>
+ */
+public final class DefaultBearerTokenResolver implements BearerTokenResolver {
+
+	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[^\\s]+)*$");
+
+	private boolean useFormEncodedBodyParameter = false;
+
+	private boolean useUriQueryParameter = false;
+
+	@Override
+	public String resolve(HttpServletRequest request) {
+		String authorizationHeaderToken = resolveFromAuthorizationHeader(request);
+		String parameterToken = request.getParameter("access_token");
+		if (authorizationHeaderToken != null) {
+			if (parameterToken != null) {
+				BearerTokenError error = new BearerTokenError(BearerTokenErrorCodes.INVALID_REQUEST);
+				throw new BearerTokenAuthenticationException(error, error.toString());
+			}
+			return authorizationHeaderToken;
+		}
+		else if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
+			return parameterToken;
+		}
+		return null;
+	}
+
+	/**
+	 * Set if transport of access token using form-encoded body parameter is supported. Defaults to {@code false}.
+	 * @param useFormEncodedBodyParameter if the form-encoded body parameter is supported
+	 */
+	public void setUseFormEncodedBodyParameter(boolean useFormEncodedBodyParameter) {
+		this.useFormEncodedBodyParameter = useFormEncodedBodyParameter;
+	}
+
+	/**
+	 * Set if transport of access token using URI query parameter is supported. Defaults to {@code false}.
+	 * @param useUriQueryParameter if the URI query parameter is supported
+	 */
+	public void setUseUriQueryParameter(boolean useUriQueryParameter) {
+		this.useUriQueryParameter = useUriQueryParameter;
+	}
+
+	private static String resolveFromAuthorizationHeader(HttpServletRequest request) {
+		String authorization = request.getHeader("Authorization");
+		if (StringUtils.hasText(authorization)) {
+			Matcher matcher = authorizationPattern.matcher(authorization);
+			if (matcher.matches()) {
+				return matcher.group("token");
+			}
+		}
+		return null;
+	}
+
+	private boolean isParameterTokenSupportedForRequest(HttpServletRequest request) {
+		return ((this.useFormEncodedBodyParameter && "POST".equals(request.getMethod()))
+				|| (this.useUriQueryParameter && "GET".equals(request.getMethod())));
+	}
+
+}