public final class JwtIssuerAuthenticationManagerResolver
extends java.lang.Object
implements org.springframework.security.authentication.AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS).

To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to achieve this is to supply a whitelist of trusted issuers in the constructor.

This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.

| Constructor and Description |
|---|
| `JwtIssuerAuthenticationManagerResolver(org.springframework.security.authentication.AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)` Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters. Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. |
| `JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)` Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |
| `JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers)` Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |

| Modifier and Type | Method and Description |
|---|---|
| `org.springframework.security.authentication.AuthenticationManager` | `resolve(javax.servlet.http.HttpServletRequest request)` Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token |

`public JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers)`

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters: `trustedIssuers` - a whitelist of trusted issuers

`public JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)`

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters: `trustedIssuers` - a whitelist of trusted issuers

`public JwtIssuerAuthenticationManagerResolver(org.springframework.security.authentication.AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)`

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via a whitelist.

One way to achieve this is with a Map where the keys are the known issuers:

```java
import java.util.HashMap;
import java.util.Map;

// managerOne and managerTwo are AuthenticationManager instances configured elsewhere
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("https://issuerOne.example.org", managerOne);
authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
JwtIssuerAuthenticationManagerResolver resolver =
        new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);
```

The keys in the Map are the whitelist.

Parameters: `issuerAuthenticationManagerResolver` - a strategy for resolving the AuthenticationManager by the issuer

`public org.springframework.security.authentication.AuthenticationManager resolve(javax.servlet.http.HttpServletRequest request)`

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Specified by: `resolve` in interface `org.springframework.security.authentication.AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>`

Throws: `org.springframework.security.oauth2.core.OAuth2AuthenticationException` - if the bearer token is malformed or an AuthenticationManager can't be derived from the issuer