Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ProviderManager should have a varargs constructor #7713

Closed
jzheaux opened this issue Dec 9, 2019 · 5 comments · Fixed by #7806
Closed

ProviderManager should have a varargs constructor #7713

jzheaux opened this issue Dec 9, 2019 · 5 comments · Fixed by #7806
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Milestone
5.3.0.RC1

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Dec 9, 2019

oauth2ResourceServer() introduces a couple of authenticationManager() methods for complete control over the authentication mechanism:

http
    .oauth2ResourceServer()
        .jwt()
            .authenticationManager(...)

This can be leveraged to construct a custom JwtAuthenticationProvider:

AuthenticationProvider jwt = new JwtAuthenticationProvider(... ;

http
    .oauth2ResourceServer()
        .jwt()
            .authenticationManager(jwt::authenticate)

However, the method reference shortcut may seem a bit terse for some tastes.

As an alternative, code can construct an instance of ProviderManager:

AuthenticationProvider jwt = new JwtAuthenticationProvider(... ;

http
    .oauth2ResourceServer()
        .jwt()
            .authenticationManager(new ProviderManager(Arrays.asList(jwt)))

This could be improved by adding a varargs constructor to ProviderManager:

AuthenticationProvider jwt = new JwtAuthenticationProvider(... ;

http
    .oauth2ResourceServer()
        .jwt()
            .authenticationManager(new ProviderManager(jwt))
@jzheaux jzheaux added in: core An issue in spring-security-core type: enhancement A general enhancement status: ideal-for-contribution An issue that we actively are looking for someone to help us with labels Dec 9, 2019
@ThomasVitale
Copy link
Contributor

Hi @jzheaux, I would like to work on this issue.

@jzheaux
Copy link
Contributor Author

jzheaux commented Dec 17, 2019

@ThomasVitale it's yours

@jzheaux jzheaux removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Dec 17, 2019
@jzheaux jzheaux self-assigned this Dec 17, 2019
@ThomasVitale
Copy link
Contributor

@jzheaux do you have any recommendation to handle the ambiguity when passing null to the constructor? Would it be ok to force a Collections.emptyList() argument instead of null in case of no AuthenticationProviders passed to the ProviderManager? What about backward compatibility?

@jzheaux
Copy link
Contributor Author

jzheaux commented Dec 30, 2019

@ThomasVitale good question

new ProviderManager(null)

is not a supported use of that class, so I don't think there's much to worry about in the way of disambiguation. That is, if folks are doing that for some reason, they are on their own to make it work as they upgrade.

That said, we ought to continue to correctly error when null values are provided, so you might consider adding something like:

if (providers.contains(null)) {
	throw new IllegalArgumentException(
			"providers cannot contain null values");
}

To the checkState() method.

Would it be ok to force a Collections.emptyList()

Probably not. Spring Security prefers to throw an exception in misconfiguration scenarios instead of trying to leniently interpret the code's intent.

@ThomasVitale ThomasVitale mentioned this issue Jan 10, 2020
Merged
@ThomasVitale
Copy link
Contributor

@jzheaux thanks for your answer, it solved my doubts.

I have just created a PR. I have added the varargs constructor and updated the tests to use it, both to actually test the constructor and also to improve their readability.

The test checking the exception thrown when a null value was passed to the constructor is now using an empty collection to trigger the validation, making sure the exception is correctly thrown. I haven't added extra validation since it was already covered.

jzheaux pushed a commit that referenced this issue Jan 30, 2020
@ThomasVitale @jzheaux
ProviderManager should have a varargs constructor
5ce6002 
- Added varargs constructor to ProviderManager.
- Added check for null values in AuthenticationProvider list.
- Updated ProviderManagerTests to test for null values using both constructors.

Fixes gh-7713
jzheaux added a commit that referenced this issue Jan 30, 2020
@jzheaux
Polish ProviderManager
d22b476 
Updated copyright date range and adjusted constructor order to better
match DelegatingReactiveAuthenticationManager

Fixes gh-7713
@jzheaux jzheaux added this to the 5.3.0.RC1 milestone Feb 5, 2020
@yukihane yukihane mentioned this issue Jun 13, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
None yet
Milestone
5.3.0.RC1
Development

Successfully merging a pull request may close this issue.

ProviderManager should have a varargs constructor ThomasVitale/spring-security
2 participants
@jzheaux @ThomasVitale