Package org.springframework.security.config.annotation.web.configurers.oauth2.server.resource

Class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<OAuth2ResourceServerConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<DefaultSecurityFilterChain,H>

public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<OAuth2ResourceServerConfigurer<H>,H>

An AbstractHttpConfigurer for OAuth 2.0 Resource Server Support. By default, this wires a BearerTokenAuthenticationFilter, which can be used to parse the request for bearer tokens and make an authentication attempt.

The following configuration options are available:

• accessDeniedHandler(AccessDeniedHandler)
- customizes how access denied errors are handled
• authenticationEntryPoint(AuthenticationEntryPoint)
- customizes how authentication failures are handled
• bearerTokenResolver(BearerTokenResolver) - customizes how to resolve a bearer token from the request
• jwt(Customizer) - enables Jwt-encoded bearer token support
• opaqueToken(Customizer) - enables opaque bearer token support

When using jwt(Customizer), either

• supply a Jwk Set Uri via OAuth2ResourceServerConfigurer.JwtConfigurer.jwkSetUri(java.lang.String), or
• supply a JwtDecoder instance via OAuth2ResourceServerConfigurer.JwtConfigurer.decoder, or
• expose a JwtDecoder bean

Also with jwt(Customizer) consider

• customizing the conversion from a Jwt to an Authentication with OAuth2ResourceServerConfigurer.JwtConfigurer.jwtAuthenticationConverter(Converter)

When using opaqueToken(Customizer), supply an introspection endpoint with its client credentials and an OpaqueTokenAuthenticationConverter

Security Filters

The following Filters are populated when jwt(Customizer) is configured:

• BearerTokenAuthenticationFilter

Shared Objects Created

The following shared objects are populated:

• SessionCreationPolicy (optional)

Shared Objects Used

The following shared objects are used:

• AuthenticationManager

Since:

5.1

See Also:

• BearerTokenAuthenticationFilter
• JwtAuthenticationProvider
• NimbusJwtDecoder
• AbstractHttpConfigurer

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
class	OAuth2ResourceServerConfigurer.JwtConfigurer
class	OAuth2ResourceServerConfigurer.OpaqueTokenConfigurer

Constructor Summary

Constructors

Constructor	Description
OAuth2ResourceServerConfigurer(org.springframework.context.ApplicationContext context)

Method Summary

Modifier and Type	Method	Description
OAuth2ResourceServerConfigurer<H>	accessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
OAuth2ResourceServerConfigurer<H>	authenticationEntryPoint(AuthenticationEntryPoint entryPoint)
OAuth2ResourceServerConfigurer<H>	authenticationManagerResolver(AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest> authenticationManagerResolver)
OAuth2ResourceServerConfigurer<H>	bearerTokenResolver(BearerTokenResolver bearerTokenResolver)
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
void	init(H http)	Initialize the SecurityBuilder.
OAuth2ResourceServerConfigurer<H>.JwtConfigurer	jwt()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
OAuth2ResourceServerConfigurer<H>	jwt(Customizer<OAuth2ResourceServerConfigurer<H>.JwtConfigurer> jwtCustomizer)	Enables Jwt-encoded bearer token support.
OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer	opaqueToken()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
OAuth2ResourceServerConfigurer<H>	opaqueToken(Customizer<OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer> opaqueTokenCustomizer)	Enables opaque bearer token support.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

OAuth2ResourceServerConfigurer

public OAuth2ResourceServerConfigurer(org.springframework.context.ApplicationContext context)

Method Details

accessDeniedHandler

public OAuth2ResourceServerConfigurer<H> accessDeniedHandler(AccessDeniedHandler accessDeniedHandler)

authenticationEntryPoint

public OAuth2ResourceServerConfigurer<H> authenticationEntryPoint(AuthenticationEntryPoint entryPoint)

authenticationManagerResolver

public OAuth2ResourceServerConfigurer<H> authenticationManagerResolver(AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest> authenticationManagerResolver)

bearerTokenResolver

public OAuth2ResourceServerConfigurer<H> bearerTokenResolver(BearerTokenResolver bearerTokenResolver)

jwt

@Deprecated(since="6.1",
            forRemoval=true)
public OAuth2ResourceServerConfigurer<H>.JwtConfigurer jwt()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use jwt(Customizer) instead

jwt

public OAuth2ResourceServerConfigurer<H> jwt(Customizer<OAuth2ResourceServerConfigurer<H>.JwtConfigurer> jwtCustomizer)

Enables Jwt-encoded bearer token support.

Parameters:

jwtCustomizer - the Customizer to provide more options for the OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>>.JwtConfigurer

Returns:

the OAuth2ResourceServerConfigurer for further customizations

opaqueToken

@Deprecated(since="6.1",
            forRemoval=true)
public OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer opaqueToken()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use opaqueToken(Customizer) instead

opaqueToken

public OAuth2ResourceServerConfigurer<H> opaqueToken(Customizer<OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer> opaqueTokenCustomizer)

Enables opaque bearer token support.

Parameters:

opaqueTokenCustomizer - the Customizer to provide more options for the OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>>.OpaqueTokenConfigurer

Returns:

the OAuth2ResourceServerConfigurer for further customizations

init

public void init(H http)

Description copied from interface: SecurityConfigurer

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.

Specified by:

init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>