Spring Boot + spring-security-oauth2-resource-server should not throw a ClassNotFoundException once it supports more than one token format

[jzheaux]

While it's true that Resource Server effectively requires spring-security-oauth2-jose at this point, it shouldn't once it supports more than one token format.

When spring-boot-starter-security and spring-security-oauth2-resource-server are used together, without further configuration, the application throws the following exception:

Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.jwt.JwtDecoder
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    ... 111 more

In all likelihood, this will be taken care of naturally when coordinating with the boot team to add support for a second token format.

[rwinch]

@jzheaux There is a spring-boot-starter-oauth2-resource-server that should resolve this. There is a ticket for adding it to start.spring.io

[jzheaux]

Thanks for the tip, @rwinch, about the starter. Agreed that including the starter is simpler, especially since spring-security-oauth2-jose is effectively required right now, even though resource server lists it as an optional dependency.

Are you thinking that its okay to throw a ClassNotFoundException when a user uses spring-boot-starter-security and spring-security-oauth2-resource-server (instead of the starter you mentioned)? I think it's okay for now since resource server only supports JWT. But once resource server supports more than one token format, I think this exception would confuse users.

I re-titled the issue for clarity, but I think it's kind of gangly. Suggestions welcome.

[rwinch]

It seems like that would be the case. Won't that naturally sort itself out or is this just to ensure we validate that?

[jzheaux]

This is just to ensure we validate that. Agreed that it should naturally sort itself out.

[edeandrea]

The Spring Boot team is doing a check on their side as well (see spring-projects/spring-boot#15372).