Add configurable property for JWK encryption algorithm

ayudovin · snicoll · commit 460fdaf52f9e · 2018-12-03T11:35:10.000+01:00
See gh-15145
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java
@@ -40,6 +40,11 @@ public static class Jwt {
 		 */
 		private String jwkSetUri;
 
+		/**
+		 * JSON Web Algorithm used for verifying the digital signatures.
+		 */
+		private String jwsAlgorithm = "RS256";
+
 		/**
 		 * URI that an OpenID Connect Provider asserts as its Issuer Identifier.
 		 */
@@ -53,6 +58,14 @@ public void setJwkSetUri(String jwkSetUri) {
 			this.jwkSetUri = jwkSetUri;
 		}
 
+		public String getJwsAlgorithm() {
+			return this.jwsAlgorithm;
+		}
+
+		public void setJwsAlgorithm(String jwsAlgorithm) {
+			this.jwsAlgorithm = jwsAlgorithm;
+		}
+
 		public String getIssuerUri() {
 			return this.issuerUri;
 		}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java
@@ -46,7 +46,8 @@ class OAuth2ResourceServerJwkConfiguration {
 	@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
 	@ConditionalOnMissingBean
 	public JwtDecoder jwtDecoderByJwkKeySetUri() {
-		return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri());
+		return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri(),
+				this.properties.getJwt().getJwsAlgorithm());
 	}
 
 	@Bean
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java
@@ -22,6 +22,7 @@
 
 import javax.servlet.Filter;
 
+import com.nimbusds.jose.JWSAlgorithm;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
 import org.junit.After;
@@ -78,8 +79,26 @@ public void autoConfigurationShouldConfigureResourceServer() {
 		this.contextRunner.withPropertyValues(
 				"spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://jwk-set-uri.com")
 				.run((context) -> {
-					assertThat(context.getBean(JwtDecoder.class))
-							.isInstanceOf(NimbusJwtDecoderJwkSupport.class);
+					JwtDecoder jwtDecoder = context.getBean(JwtDecoder.class);
+					assertThat(jwtDecoder).isInstanceOf(NimbusJwtDecoderJwkSupport.class);
+					NimbusJwtDecoderJwkSupport decoder = (NimbusJwtDecoderJwkSupport) jwtDecoder;
+					assertThat(decoder).hasFieldOrPropertyWithValue("jwsAlgorithm",
+							JWSAlgorithm.RS256);
+					assertThat(getBearerTokenFilter(context)).isNotNull();
+				});
+	}
+
+	@Test
+	public void autoConfigurationShouldConfigureResourceServerWithJwsAlgotihms() {
+		this.contextRunner.withPropertyValues(
+				"spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://jwk-set-uri.com",
+				"spring.security.oauth2.resourceserver.jwt.jws-algorithm=HS512")
+				.run((context) -> {
+					JwtDecoder jwtDecoder = context.getBean(JwtDecoder.class);
+					assertThat(jwtDecoder).isInstanceOf(NimbusJwtDecoderJwkSupport.class);
+					NimbusJwtDecoderJwkSupport decoder = (NimbusJwtDecoderJwkSupport) jwtDecoder;
+					assertThat(decoder).hasFieldOrPropertyWithValue("jwsAlgorithm",
+							JWSAlgorithm.HS512);
 					assertThat(getBearerTokenFilter(context)).isNotNull();
 				});
 	}
diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@@ -547,6 +547,7 @@ content into your application. Rather, pick only the properties that you need.
 
 	# SECURITY OAUTH2 RESOURCE SERVER ({sc-spring-boot-autoconfigure}/security/oauth2/resource/OAuth2ResourceServerProperties.{sc-ext}[OAuth2ResourceServerProperties])
 	spring.security.oauth2.resourceserver.jwt.jwk-set-uri= # JSON Web Key URI to use to verify the JWT token.
+    spring.security.oauth2.resourceserver.jwt.jws-algorithm= # JSON Web Algorithm used for verifying the digital signatures.
     spring.security.oauth2.resourceserver.jwt.issuer-uri= # URI that an OpenID Connect Provider asserts as its Issuer Identifier.
 
 	# ----------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,8 @@ class OAuth2ResourceServerJwkConfiguration {`
`46`	`46`	`@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")`
`47`	`47`	`@ConditionalOnMissingBean`
`48`	`48`	`public JwtDecoder jwtDecoderByJwkKeySetUri() {`
`49`		`- return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri());`
	`49`	`+ return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri(),`
	`50`	`+ this.properties.getJwt().getJwsAlgorithm());`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`@Bean`