Class JwtIssuerAuthenticationManagerResolver
java.lang.Object
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver
- All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>
public final class JwtIssuerAuthenticationManagerResolver
extends Object
implements org.springframework.security.authentication.AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>
An implementation of
AuthenticationManagerResolver that resolves a JWT-based
AuthenticationManager based on the Issuer in
a signed JWT (JWS).
To use, this class must be able to determine whether the `iss` claim is trusted. Recall
that anyone can stand up an authorization server and issue valid tokens to a resource
server. The simplest way to achieve this is to supply a set of trusted issuers in the
constructor.
This class derives the Issuer from the `iss` claim found in the
HttpServletRequest's
Bearer
Token.- Since:
- 5.3
-
Constructor Summary
ConstructorsConstructorDescriptionJwtIssuerAuthenticationManagerResolver(String... trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.JwtIssuerAuthenticationManagerResolver(org.springframework.security.authentication.AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) Construct aJwtIssuerAuthenticationManagerResolverusing the provided parameters Note that theAuthenticationManagerResolverprovided in this constructor will need to verify that the issuer is trusted. -
Method Summary
Modifier and TypeMethodDescriptionfromTrustedIssuers(String... trustedIssuers) Construct aJwtIssuerAuthenticationManagerResolverusing the provided parametersfromTrustedIssuers(Collection<String> trustedIssuers) Construct aJwtIssuerAuthenticationManagerResolverusing the provided parametersfromTrustedIssuers(Predicate<String> trustedIssuers) Construct aJwtIssuerAuthenticationManagerResolverusing the provided parametersorg.springframework.security.authentication.AuthenticationManagerresolve(jakarta.servlet.http.HttpServletRequest request) Return anAuthenticationManagerbased off of the `iss` claim found in the request's bearer token
-
Constructor Details
-
JwtIssuerAuthenticationManagerResolver
@Deprecated(since="6.2", forRemoval=true) public JwtIssuerAuthenticationManagerResolver(String... trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.Construct aJwtIssuerAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- an array of trusted issuers
-
JwtIssuerAuthenticationManagerResolver
@Deprecated(since="6.2", forRemoval=true) public JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.Construct aJwtIssuerAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- a collection of trusted issuers
-
JwtIssuerAuthenticationManagerResolver
public JwtIssuerAuthenticationManagerResolver(org.springframework.security.authentication.AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) Construct aJwtIssuerAuthenticationManagerResolverusing the provided parameters Note that theAuthenticationManagerResolverprovided in this constructor will need to verify that the issuer is trusted. This should be done via an allowed set of issuers. One way to achieve this is with aMapwhere the keys are the known issuers:Map<String, AuthenticationManager> authenticationManagers = new HashMap<>(); authenticationManagers.put("https://issuerOne.example.org", managerOne); authenticationManagers.put("https://issuerTwo.example.org", managerTwo); JwtAuthenticationManagerResolver resolver = new JwtAuthenticationManagerResolver (authenticationManagers::get);The keys in theMapare the allowed issuers.- Parameters:
issuerAuthenticationManagerResolver- a strategy for resolving theAuthenticationManagerby the issuer
-
-
Method Details
-
fromTrustedIssuers
Construct aJwtIssuerAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- an array of trusted issuers- Since:
- 6.2
-
fromTrustedIssuers
public static JwtIssuerAuthenticationManagerResolver fromTrustedIssuers(Collection<String> trustedIssuers) Construct aJwtIssuerAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- a collection of trusted issuers- Since:
- 6.2
-
fromTrustedIssuers
public static JwtIssuerAuthenticationManagerResolver fromTrustedIssuers(Predicate<String> trustedIssuers) Construct aJwtIssuerAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- a predicate to validate issuers- Since:
- 6.2
-
resolve
public org.springframework.security.authentication.AuthenticationManager resolve(jakarta.servlet.http.HttpServletRequest request) Return anAuthenticationManagerbased off of the `iss` claim found in the request's bearer token- Specified by:
resolvein interfaceorg.springframework.security.authentication.AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>- Throws:
org.springframework.security.oauth2.core.OAuth2AuthenticationException- if the bearer token is malformed or anAuthenticationManagercan't be derived from the issuer
-
fromTrustedIssuers(String...)