Bearer WebClient Filter Authentication Propagation

Fixes: gh-7418

Author: jzheaux

config/spring-security-config.gradle

@@ -35,6 +35,7 @@ dependencies {
 	testCompile project(':spring-security-test')
 	testCompile project(path : ':spring-security-core', configuration : 'tests')
 	testCompile project(path : ':spring-security-oauth2-client', configuration : 'tests')
+	testCompile project(path : ':spring-security-oauth2-resource-server', configuration : 'tests')
 	testCompile project(path : ':spring-security-web', configuration : 'tests')
 	testCompile apachedsDependencies
 	testCompile powerMock2Dependencies

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ImportSelector.java

@@ -15,27 +15,40 @@
  */
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import org.springframework.context.annotation.ImportSelector;
 import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.util.ClassUtils;
 
 /**
  * Used by {@link EnableWebSecurity} to conditionally import {@link OAuth2ClientConfiguration}
- * when the {@code spring-security-oauth2-client} module is present on the classpath.
-
+ * when the {@code spring-security-oauth2-client} module is present on the classpath and
+ * {@link OAuth2ResourceServerConfiguration} when the {@code spring-security-oauth2-resource-server}
+ * module is on the classpath.
+ *
  * @author Joe Grandja
+ * @author Josh Cummings
  * @since 5.1
  * @see OAuth2ClientConfiguration
  */
 final class OAuth2ImportSelector implements ImportSelector {
 
 	@Override
 	public String[] selectImports(AnnotationMetadata importingClassMetadata) {
-		boolean oauth2ClientPresent = ClassUtils.isPresent(
-			"org.springframework.security.oauth2.client.registration.ClientRegistration", getClass().getClassLoader());
+		List<String> imports = new ArrayList<>();
+
+		if (ClassUtils.isPresent(
+			"org.springframework.security.oauth2.client.registration.ClientRegistration", getClass().getClassLoader())) {
+			imports.add("org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration");
+		}
+
+		if (ClassUtils.isPresent(
+			"org.springframework.security.oauth2.server.resource.BearerTokenError", getClass().getClassLoader())) {
+			imports.add("org.springframework.security.config.annotation.web.configuration.OAuth2ResourceServerConfiguration");
+		}
 
-		return oauth2ClientPresent ?
-			new String[] { "org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration" } :
-			new String[] {};
+		return imports.toArray(new String[0]);
 	}
 }

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ResourceServerConfiguration.java

@@ -0,0 +1,137 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configuration;
+
+import org.reactivestreams.Subscription;
+import reactor.core.CoreSubscriber;
+import reactor.core.publisher.Hooks;
+import reactor.core.publisher.Operators;
+import reactor.util.context.Context;
+
+import org.springframework.beans.factory.DisposableBean;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.ImportSelector;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.util.ClassUtils;
+
+/**
+ * {@link Configuration} for OAuth 2.0 Resource Server support.
+ *
+ * <p>
+ * This {@code Configuration} is conditionally imported by {@link OAuth2ImportSelector}
+ * when the {@code spring-security-oauth2-resource-server} module is present on the classpath.
+ *
+ * @author Josh Cummings
+ * @since 5.2
+ * @see OAuth2ImportSelector
+ */
+@Import(OAuth2ResourceServerConfiguration.OAuth2ClientWebFluxImportSelector.class)
+final class OAuth2ResourceServerConfiguration {
+
+	static class OAuth2ClientWebFluxImportSelector implements ImportSelector {
+
+		@Override
+		public String[] selectImports(AnnotationMetadata importingClassMetadata) {
+			boolean webfluxPresent = ClassUtils.isPresent(
+					"org.springframework.web.reactive.function.client.WebClient", getClass().getClassLoader());
+
+			return webfluxPresent ?
+					new String[] { "org.springframework.security.config.annotation.web.configuration.OAuth2ResourceServerConfiguration.OAuth2ResourceServerWebFluxSecurityConfiguration" } :
+					new String[] {};
+		}
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	static class OAuth2ResourceServerWebFluxSecurityConfiguration {
+		@Bean
+		BearerRequestContextSubscriberRegistrar bearerRequestContextSubscriberRegistrar() {
+			return new BearerRequestContextSubscriberRegistrar();
+		}
+
+		static class BearerRequestContextSubscriberRegistrar
+				implements InitializingBean, DisposableBean {
+
+			private static final String REQUEST_CONTEXT_OPERATOR_KEY = BearerRequestContextSubscriber.class.getName();
+
+			@Override
+			public void afterPropertiesSet() throws Exception {
+				Hooks.onLastOperator(REQUEST_CONTEXT_OPERATOR_KEY,
+						Operators.liftPublisher((s, sub) -> createRequestContextSubscriber(sub)));
+			}
+
+			@Override
+			public void destroy() throws Exception {
+				Hooks.resetOnLastOperator(REQUEST_CONTEXT_OPERATOR_KEY);
+			}
+
+			private <T> CoreSubscriber<T> createRequestContextSubscriber(CoreSubscriber<T> delegate) {
+				Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+				return new BearerRequestContextSubscriber<>(delegate, authentication);
+			}
+
+			static class BearerRequestContextSubscriber<T> implements CoreSubscriber<T> {
+				private CoreSubscriber<T> delegate;
+				private final Context context;
+
+				private BearerRequestContextSubscriber(CoreSubscriber<T> delegate,
+						Authentication authentication) {
+
+					this.delegate = delegate;
+					Context parentContext = this.delegate.currentContext();
+					Context context;
+					if (authentication == null || parentContext.hasKey(Authentication.class)) {
+						context = parentContext;
+					} else {
+						context = parentContext.put(Authentication.class, authentication);
+					}
+
+					this.context = context;
+				}
+
+				@Override
+				public Context currentContext() {
+					return this.context;
+				}
+
+				@Override
+				public void onSubscribe(Subscription s) {
+					this.delegate.onSubscribe(s);
+				}
+
+				@Override
+				public void onNext(T t) {
+					this.delegate.onNext(t);
+				}
+
+				@Override
+				public void onError(Throwable t) {
+					this.delegate.onError(t);
+				}
+
+				@Override
+				public void onComplete() {
+					this.delegate.onComplete();
+				}
+			}
+		}
+	}
+}

config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ResourceServerConfigurationTests.java

@@ -0,0 +1,91 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configuration;
+
+import java.net.URI;
+
+import org.junit.Rule;
+import org.junit.Test;
+import reactor.core.publisher.Flux;
+import reactor.core.scheduler.Schedulers;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.test.SpringTestRule;
+import org.springframework.security.oauth2.client.web.reactive.function.client.MockExchangeFunction;
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
+import org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServletBearerExchangeFilterFunction;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.reactive.function.client.ClientRequest;
+
+import static org.springframework.http.HttpHeaders.AUTHORIZATION;
+import static org.springframework.http.HttpMethod.GET;
+import static org.springframework.security.oauth2.server.resource.authentication.TestBearerTokenAuthentications.bearer;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * Tests for {@link OAuth2ResourceServerConfiguration}.
+ *
+ * @author Josh Cummings
+ */
+public class OAuth2ResourceServerConfigurationTests {
+	@Rule
+	public final SpringTestRule spring = new SpringTestRule();
+
+	@Autowired
+	private MockMvc mockMvc;
+
+	// gh-7418
+	@Test
+	public void requestWhenAuthenticatedThenBearerTokenPropagated() throws Exception {
+		BearerTokenAuthentication authentication = bearer();
+		this.spring.register(BearerWebClientConfig.class).autowire();
+
+		this.mockMvc.perform(get("/token")
+				.with(authentication(authentication)))
+				.andExpect(status().isOk())
+				.andExpect(content().string("Bearer token"));
+	}
+
+
+	@EnableWebSecurity
+	static class BearerWebClientConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+		}
+
+		@RestController
+		public class Controller {
+
+			@GetMapping("/token")
+			public String message() {
+				ServletBearerExchangeFilterFunction bearer = new ServletBearerExchangeFilterFunction();
+				ClientRequest request =
+						ClientRequest.create(GET, URI.create("https://example.org")).build();
+				MockExchangeFunction exchange = new MockExchangeFunction();
+				Flux.concat(bearer.filter(request, exchange))
+					.subscribeOn(Schedulers.elastic())
+					.collectList().block();
+				return exchange.getRequest().headers().getFirst(AUTHORIZATION);
+			}
+		}
+	}
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/reactive/function/client/ServletBearerExchangeFilterFunction.java

@@ -17,9 +17,9 @@
 package org.springframework.security.oauth2.server.resource.web.reactive.function.client;
 
 import reactor.core.publisher.Mono;
+import reactor.util.context.Context;
 
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.AbstractOAuth2Token;
 import org.springframework.web.reactive.function.client.ClientRequest;
 import org.springframework.web.reactive.function.client.ClientResponse;
@@ -61,14 +61,16 @@ public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next)
 	}
 
 	private Mono<AbstractOAuth2Token> oauth2Token() {
-		return currentAuthentication()
+		return Mono.subscriberContext()
+				.flatMap(this::currentAuthentication)
 				.filter(authentication -> authentication.getCredentials() instanceof AbstractOAuth2Token)
 				.map(Authentication::getCredentials)
 				.cast(AbstractOAuth2Token.class);
 	}
 
-	private Mono<Authentication> currentAuthentication() {
-		return Mono.justOrEmpty(SecurityContextHolder.getContext().getAuthentication());
+	private Mono<Authentication> currentAuthentication(Context ctx) {
+		Authentication authentication = ctx.getOrDefault(Authentication.class, null);
+		return Mono.justOrEmpty(authentication);
 	}
 
 	private ClientRequest bearer(ClientRequest request, AbstractOAuth2Token token) {

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/TestBearerTokenAuthentications.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.authentication;
+
+import java.time.Instant;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
+
+/**
+ * Test instances of {@link BearerTokenAuthentication}
+ *
+ * @author Josh Cummings
+ */
+public class TestBearerTokenAuthentications {
+	public static BearerTokenAuthentication bearer() {
+		Collection<GrantedAuthority> authorities =
+				AuthorityUtils.createAuthorityList("SCOPE_USER");
+		OAuth2AuthenticatedPrincipal principal =
+				new DefaultOAuth2AuthenticatedPrincipal(
+						Collections.singletonMap("sub", "user"),
+						authorities);
+		OAuth2AccessToken token =
+				new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
+						"token", Instant.now(), Instant.now().plusSeconds(86400),
+						new HashSet<>(Arrays.asList("USER")));
+
+		return new BearerTokenAuthentication(principal, token, authorities);
+	}
+}