Avoid ClassCastException if principalClaim value is not a String

olivier.antoine · jzheaux · commit 808b8c32563c · 2020-12-02T16:15:10.000-07:00
Closes gh-9212
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverter.java
@@ -29,6 +29,7 @@
  * @author Rob Winch
  * @author Josh Cummings
  * @author Evgeniy Cheban
+ * @author Olivier Antoine
  * @since 5.1
  */
 public class JwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
@@ -43,8 +44,8 @@ public final AbstractAuthenticationToken convert(Jwt jwt) {
 		if (this.principalClaimName == null) {
 			return new JwtAuthenticationToken(jwt, authorities);
 		}
-		String name = jwt.getClaim(this.principalClaimName);
-		return new JwtAuthenticationToken(jwt, authorities, name);
+		String principalClaimValue = jwt.getClaimAsString(this.principalClaimName);
+		return new JwtAuthenticationToken(jwt, authorities, principalClaimValue);
 	}
 
 	/**
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java
@@ -36,6 +36,7 @@
  *
  * @author Josh Cummings
  * @author Evgeniy Cheban
+ * @author Olivier Antoine
  */
 public class JwtAuthenticationConverterTests {
 
@@ -103,4 +104,12 @@ public void convertWhenPrincipalClaimNameSet() {
 		assertThat(authentication.getName()).isEqualTo("100");
 	}
 
+	@Test
+	public void convertWhenPrincipalClaimNameSetAndClaimValueIsNotString() {
+		this.jwtAuthenticationConverter.setPrincipalClaimName("user_id");
+		Jwt jwt = TestJwts.jwt().claim("user_id", 100).build();
+		AbstractAuthenticationToken authentication = this.jwtAuthenticationConverter.convert(jwt);
+		assertThat(authentication.getName()).isEqualTo("100");
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@`
`36`	`36`	`*`
`37`	`37`	`* @author Josh Cummings`
`38`	`38`	`* @author Evgeniy Cheban`
	`39`	`+ * @author Olivier Antoine`
`39`	`40`	`*/`
`40`	`41`	`public class JwtAuthenticationConverterTests {`
`41`	`42`
`@@ -103,4 +104,12 @@ public void convertWhenPrincipalClaimNameSet() {`
`103`	`104`	`assertThat(authentication.getName()).isEqualTo("100");`
`104`	`105`	`}`
`105`	`106`
	`107`	`+ @Test`
	`108`	`+ public void convertWhenPrincipalClaimNameSetAndClaimValueIsNotString() {`
	`109`	`+ this.jwtAuthenticationConverter.setPrincipalClaimName("user_id");`
	`110`	`+ Jwt jwt = TestJwts.jwt().claim("user_id", 100).build();`
	`111`	`+ AbstractAuthenticationToken authentication = this.jwtAuthenticationConverter.convert(jwt);`
	`112`	`+ assertThat(authentication.getName()).isEqualTo("100");`
	`113`	`+ }`
	`114`	`+`
`106`	`115`	`}`