public final class JwtIssuerAuthenticationManagerResolver
extends java.lang.Object
implements org.springframework.security.authentication.AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>
AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS).

To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to achieve this is to supply a list of trusted issuers in the constructor.

This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.

| Constructor and Description |
|---|
| `JwtIssuerAuthenticationManagerResolver(org.springframework.security.authentication.AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)` Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters. Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. |
| `JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)` Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters. |
| `JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers)` Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters. |
| Modifier and Type | Method and Description |
|---|---|
| `org.springframework.security.authentication.AuthenticationManager` | `resolve(javax.servlet.http.HttpServletRequest request)` Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token. |
public JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters.

Parameters:
trustedIssuers - a list of trusted issuers

public JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters.

Parameters:
trustedIssuers - a list of trusted issuers

public JwtIssuerAuthenticationManagerResolver(org.springframework.security.authentication.AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters.

Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowlist.

One way to achieve this is with a Map where the keys are the known issuers:

```java
// managerOne and managerTwo are the AuthenticationManagers for each issuer
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("https://issuerOne.example.org", managerOne);
authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
// Map.get returns null for any issuer not in the map, so only the keys are accepted
JwtIssuerAuthenticationManagerResolver resolver =
        new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);
```

The keys in the Map are the allowed issuers.

Parameters:
issuerAuthenticationManagerResolver - a strategy for resolving the AuthenticationManager by the issuer

public org.springframework.security.authentication.AuthenticationManager resolve(javax.servlet.http.HttpServletRequest request)

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token.

Specified by:
resolve in interface org.springframework.security.authentication.AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

Throws:
org.springframework.security.oauth2.core.OAuth2AuthenticationException - if the bearer token is malformed or an AuthenticationManager can't be derived from the issuer
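As an added example (not part of the Spring Security Javadoc) of the allowlist approach described for the AuthenticationManagerResolver constructor above, this resource-server configuration builds one AuthenticationManager per trusted issuer and wires the resolver into the filter chain. The issuer URLs are placeholders and `MultiTenantResourceServerConfig` is a hypothetical class name; the imported types are the real Spring Security ones.

```java
// Added example (not from the Spring Security Javadoc): a resource server that
// accepts tokens from two trusted issuers and rejects every other `iss` value.
// Issuer URLs are placeholders; the class name is hypothetical.
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiTenantResourceServerConfig {

    // Allowlist: only these issuers are trusted (placeholder URLs).
    private static final String[] TRUSTED_ISSUERS = {
        "https://issuerOne.example.org",
        "https://issuerTwo.example.org"
    };

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // One AuthenticationManager per issuer. JwtDecoders.fromIssuerLocation
        // fetches that issuer's metadata and installs an issuer validator, so a
        // token is accepted only if both its signature and its iss claim match
        // the issuer whose manager it was routed to.
        Map<String, AuthenticationManager> managers = new HashMap<>();
        for (String issuer : TRUSTED_ISSUERS) {
            JwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
            managers.put(issuer, provider::authenticate);
        }

        // Map::get yields null for any issuer not in the allowlist; the resolver
        // then throws OAuth2AuthenticationException instead of picking a default.
        // new JwtIssuerAuthenticationManagerResolver(TRUSTED_ISSUERS) is the
        // equivalent shortcut, building the same decoders lazily on first use.
        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(managers::get);

        http.authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }
}
```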