Add Request AuthenticationManagerResolvers

Fixes gh-6762

Author: jzheaux

samples/boot/oauth2resourceserver-multitenancy/src/integration-test/java/sample/OAuth2ResourceServerApplicationITests.java

@@ -122,11 +122,12 @@ public void tenantTwoPerformWhenInsufficientlyScopedBearerTokenThenDeniesScopedM
 						containsString("Bearer error=\"insufficient_scope\"")));
 	}
 
-	@Test(expected = IllegalArgumentException.class)
+	@Test
 	public void invalidTenantPerformWhenValidBearerTokenThenThrowsException()
 			throws Exception {
 
-		this.mvc.perform(get("/tenantThree").with(bearerToken(this.tenantOneNoScopesToken)));
+		this.mvc.perform(get("/tenantThree").with(bearerToken(this.tenantOneNoScopesToken)))
+				.andExpect(status().isUnauthorized());
 	}
 
 	private static class BearerTokenRequestPostProcessor implements RequestPostProcessor {

samples/boot/oauth2resourceserver-multitenancy/src/main/java/sample/OAuth2ResourceServerSecurityConfiguration.java

@@ -15,9 +15,7 @@
  */
 package sample;
 
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Optional;
+import java.util.LinkedHashMap;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.beans.factory.annotation.Value;
@@ -34,6 +32,9 @@
 import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
 import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
+import org.springframework.security.web.authentication.RequestMatchingAuthenticationManagerResolver;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
  * @author Josh Cummings
@@ -71,16 +72,10 @@ protected void configure(HttpSecurity http) throws Exception {
 
 	@Bean
 	AuthenticationManagerResolver<HttpServletRequest> multitenantAuthenticationManager() {
-		Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
-		authenticationManagers.put("tenantOne", jwt());
-		authenticationManagers.put("tenantTwo", opaque());
-		return request -> {
-			String[] pathParts = request.getRequestURI().split("/");
-			String tenantId = pathParts.length > 0 ? pathParts[1] : null;
-			return Optional.ofNullable(tenantId)
-					.map(authenticationManagers::get)
-					.orElseThrow(() -> new IllegalArgumentException("unknown tenant"));
-		};
+		LinkedHashMap<RequestMatcher, AuthenticationManager> authenticationManagers = new LinkedHashMap<>();
+		authenticationManagers.put(new AntPathRequestMatcher("/tenantOne/**"), jwt());
+		authenticationManagers.put(new AntPathRequestMatcher("/tenantTwo/**"), opaque());
+		return new RequestMatchingAuthenticationManagerResolver(authenticationManagers);
 	}
 
 	AuthenticationManager jwt() {

web/src/main/java/org/springframework/security/web/authentication/RequestMatchingAuthenticationManagerResolver.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.authentication;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationManagerResolver;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthenticationManagerResolver} that returns a {@link AuthenticationManager}
+ * instances based upon the type of {@link HttpServletRequest} passed into
+ * {@link #resolve(HttpServletRequest)}.
+ *
+ * @author Josh Cummings
+ * @since 5.2
+ */
+public class RequestMatchingAuthenticationManagerResolver
+		implements AuthenticationManagerResolver<HttpServletRequest> {
+
+	private final LinkedHashMap<RequestMatcher, AuthenticationManager> authenticationManagers;
+	private AuthenticationManager defaultAuthenticationManager = authentication -> {
+		throw new AuthenticationServiceException("Cannot authenticate " + authentication);
+	};
+
+	/**
+	 * Construct an {@link RequestMatchingAuthenticationManagerResolver}
+	 * based on the provided parameters
+	 *
+	 * @param authenticationManagers a {@link Map} of {@link RequestMatcher}/{@link AuthenticationManager} pairs
+	 */
+	public RequestMatchingAuthenticationManagerResolver
+			(LinkedHashMap<RequestMatcher, AuthenticationManager> authenticationManagers) {
+		Assert.notEmpty(authenticationManagers, "authenticationManagers cannot be empty");
+		this.authenticationManagers = authenticationManagers;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public AuthenticationManager resolve(HttpServletRequest context) {
+		for (Map.Entry<RequestMatcher, AuthenticationManager> entry : this.authenticationManagers.entrySet()) {
+			if (entry.getKey().matches(context)) {
+				return entry.getValue();
+			}
+		}
+
+		return this.defaultAuthenticationManager;
+	}
+
+	/**
+	 * Set the default {@link AuthenticationManager} to use when a request does not match
+	 *
+	 * @param defaultAuthenticationManager the default {@link AuthenticationManager} to use
+	 */
+	public void setDefaultAuthenticationManager(AuthenticationManager defaultAuthenticationManager) {
+		Assert.notNull(defaultAuthenticationManager, "defaultAuthenticationManager cannot be null");
+		this.defaultAuthenticationManager = defaultAuthenticationManager;
+	}
+}

web/src/main/java/org/springframework/security/web/server/authentication/ServerWebExchangeMatchingReactiveAuthenticationManagerResolver.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import java.util.List;
+
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * A {@link ReactiveAuthenticationManagerResolver} that returns a {@link ReactiveAuthenticationManager}
+ * instances based upon the type of {@link ServerWebExchange} passed into
+ * {@link #resolve(ServerWebExchange)}.
+ *
+ * @author Josh Cummings
+ * @since 5.2
+ *
+ */
+public class ServerWebExchangeMatchingReactiveAuthenticationManagerResolver
+		implements ReactiveAuthenticationManagerResolver<ServerWebExchange> {
+
+	private final List<MatcherEntry> authenticationManagers;
+	private ReactiveAuthenticationManager defaultAuthenticationManager = authentication ->
+		Mono.error(new AuthenticationServiceException("Cannot authenticate " + authentication));
+
+	/**
+	 * Construct an {@link ServerWebExchangeMatchingReactiveAuthenticationManagerResolver}
+	 * based on the provided parameters
+	 *
+	 * @param authenticationManagers a {@link List} of
+	 * {@link ServerWebExchangeMatcher}/{@link ReactiveAuthenticationManager} pairs
+	 */
+	public ServerWebExchangeMatchingReactiveAuthenticationManagerResolver
+			(List<MatcherEntry> authenticationManagers) {
+
+		Assert.notNull(authenticationManagers, "authenticationManagers cannot be null");
+		this.authenticationManagers = authenticationManagers;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public Mono<ReactiveAuthenticationManager> resolve(ServerWebExchange exchange) {
+		return Flux.fromIterable(this.authenticationManagers)
+				.filterWhen(entry -> isMatch(exchange, entry))
+				.next()
+				.map(MatcherEntry::getAuthenticationManager)
+				.defaultIfEmpty(this.defaultAuthenticationManager);
+	}
+
+	/**
+	 * Set the default {@link ReactiveAuthenticationManager} to use when a request does not match
+	 *
+	 * @param defaultAuthenticationManager the default {@link ReactiveAuthenticationManager} to use
+	 */
+	public void setDefaultAuthenticationManager(ReactiveAuthenticationManager defaultAuthenticationManager) {
+		Assert.notNull(defaultAuthenticationManager, "defaultAuthenticationManager cannot be null");
+		this.defaultAuthenticationManager = defaultAuthenticationManager;
+	}
+
+	public static class MatcherEntry {
+		private final ServerWebExchangeMatcher matcher;
+		private final ReactiveAuthenticationManager authenticationManager;
+
+		public MatcherEntry(ServerWebExchangeMatcher matcher,
+				ReactiveAuthenticationManager authenticationManager) {
+			this.matcher = matcher;
+			this.authenticationManager = authenticationManager;
+		}
+
+		public ServerWebExchangeMatcher getMatcher() {
+			return this.matcher;
+		}
+
+		public ReactiveAuthenticationManager getAuthenticationManager() {
+			return this.authenticationManager;
+		}
+	}
+
+	private Mono<Boolean> isMatch(ServerWebExchange exchange, MatcherEntry entry) {
+		ServerWebExchangeMatcher matcher = entry.getMatcher();
+		return matcher.matches(exchange)
+				.map(ServerWebExchangeMatcher.MatchResult::isMatch);
+	}
+}

web/src/test/java/org/springframework/security/web/authentication/RequestMatchingAuthenticationManagerResolverTests.java

@@ -0,0 +1,72 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.authentication;
+
+import java.util.LinkedHashMap;
+
+import org.junit.Test;
+
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.mockito.Mockito.mock;
+
+/**
+ * Tests for {@link RequestMatchingAuthenticationManagerResolverTests}
+ *
+ * @author Josh Cummings
+ */
+public class RequestMatchingAuthenticationManagerResolverTests {
+	private AuthenticationManager one = mock(AuthenticationManager.class);
+	private AuthenticationManager two = mock(AuthenticationManager.class);
+
+	@Test
+	public void resolveWhenMatchesThenReturnsAuthenticationManager() {
+		LinkedHashMap<RequestMatcher, AuthenticationManager> authenticationManagers = new LinkedHashMap<>();
+		authenticationManagers.put(new AntPathRequestMatcher("/one/**"), this.one);
+		authenticationManagers.put(new AntPathRequestMatcher("/two/**"), this.two);
+		RequestMatchingAuthenticationManagerResolver resolver =
+				new RequestMatchingAuthenticationManagerResolver(authenticationManagers);
+
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/one/location");
+		request.setServletPath("/one/location");
+		assertThat(resolver.resolve(request)).isEqualTo(this.one);
+	}
+
+	@Test
+	public void resolveWhenDoesNotMatchThenReturnsDefaultAuthenticationManager() {
+		LinkedHashMap<RequestMatcher, AuthenticationManager> authenticationManagers = new LinkedHashMap<>();
+		authenticationManagers.put(new AntPathRequestMatcher("/one/**"), this.one);
+		authenticationManagers.put(new AntPathRequestMatcher("/two/**"), this.two);
+		RequestMatchingAuthenticationManagerResolver resolver =
+				new RequestMatchingAuthenticationManagerResolver(authenticationManagers);
+
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/wrong/location");
+		AuthenticationManager authenticationManager = resolver.resolve(request);
+
+		Authentication authentication = new TestingAuthenticationToken("principal", "creds");
+		assertThatCode(() -> authenticationManager.authenticate(authentication))
+				.isInstanceOf(AuthenticationServiceException.class);
+	}
+}

web/src/test/java/org/springframework/security/web/server/authentication/ServerWebExchangeMatchingReactiveAuthenticationManagerResolverTests.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.junit.Test;
+
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.mockito.Mockito.mock;
+import static org.springframework.mock.web.server.MockServerWebExchange.from;
+
+/**
+ * Tests for {@link ServerWebExchangeMatchingReactiveAuthenticationManagerResolver}
+ *
+ * @author Josh Cummings
+ */
+public class ServerWebExchangeMatchingReactiveAuthenticationManagerResolverTests {
+	private ReactiveAuthenticationManager one = mock(ReactiveAuthenticationManager.class);
+	private ReactiveAuthenticationManager two = mock(ReactiveAuthenticationManager.class);
+
+	@Test
+	public void resolveWhenMatchesThenReturnsReactiveAuthenticationManager() {
+		List<ServerWebExchangeMatchingReactiveAuthenticationManagerResolver.MatcherEntry> authenticationManagers =
+				Arrays.asList(
+						new ServerWebExchangeMatchingReactiveAuthenticationManagerResolver.MatcherEntry
+								(new PathPatternParserServerWebExchangeMatcher("/one/**"), this.one),
+						new ServerWebExchangeMatchingReactiveAuthenticationManagerResolver.MatcherEntry
+								(new PathPatternParserServerWebExchangeMatcher("/two/**"), this.two));
+		ServerWebExchangeMatchingReactiveAuthenticationManagerResolver resolver =
+				new ServerWebExchangeMatchingReactiveAuthenticationManagerResolver(authenticationManagers);
+
+		MockServerHttpRequest request = MockServerHttpRequest.get("/one/location").build();
+		assertThat(resolver.resolve(from(request)).block()).isEqualTo(this.one);
+	}
+
+	@Test
+	public void resolveWhenDoesNotMatchThenReturnsDefaultReactiveAuthenticationManager() {
+		List<ServerWebExchangeMatchingReactiveAuthenticationManagerResolver.MatcherEntry> authenticationManagers =
+				Arrays.asList(
+						new ServerWebExchangeMatchingReactiveAuthenticationManagerResolver.MatcherEntry
+								(new PathPatternParserServerWebExchangeMatcher("/one/**"), this.one),
+						new ServerWebExchangeMatchingReactiveAuthenticationManagerResolver.MatcherEntry
+								(new PathPatternParserServerWebExchangeMatcher("/two/**"), this.two));
+		ServerWebExchangeMatchingReactiveAuthenticationManagerResolver resolver =
+				new ServerWebExchangeMatchingReactiveAuthenticationManagerResolver(authenticationManagers);
+
+		MockServerHttpRequest request = MockServerHttpRequest.get("/wrong/location").build();
+		ReactiveAuthenticationManager authenticationManager =
+				resolver.resolve(from(request)).block();
+
+		Authentication authentication = new TestingAuthenticationToken("principal", "creds");
+		assertThatCode(() -> authenticationManager.authenticate(authentication).block())
+				.isInstanceOf(AuthenticationServiceException.class);
+	}
+}