Added custom BearerTokenResolver to stop oauth2ResourceServer from evaluating requests with jwt token (API)

2025-10-30 16:37:52 +01:00 · 2025-10-30 16:37:52 +01:00 · 98e69164ed
commit 98e69164ed
parent a3563449c8
1 changed files with 27 additions and 0 deletions
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@ -4,6 +4,7 @@ import de.avatic.lcc.model.db.users.User;
 import de.avatic.lcc.repositories.users.GroupRepository;
 import de.avatic.lcc.repositories.users.UserRepository;
 import de.avatic.lcc.service.apps.JwtTokenService;
+import io.jsonwebtoken.Claims;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@ -27,6 +28,7 @@ import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
+import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
@ -76,6 +78,7 @@ public class SecurityConfig {
                        .defaultSuccessUrl("/", true)
                )
                .oauth2ResourceServer(oauth2 -> oauth2
+                        .bearerTokenResolver(bearerTokenResolver(jwtTokenService))
                        .jwt(jwt -> jwt
                                .jwtAuthenticationConverter(jwtAuthenticationConverter())
                        )
@ -280,6 +283,30 @@ public class SecurityConfig {

    }

+    @Bean
+    @Profile("!dev & !test")
+    public BearerTokenResolver bearerTokenResolver(JwtTokenService jwtTokenService) {
+        return request -> {
+            String authHeader = request.getHeader("Authorization");
+            if (authHeader != null && authHeader.startsWith("Bearer ")) {
+                String token = authHeader.substring(7);
+
+                try {
+                    Claims claims = jwtTokenService.validateToken(token);
+                    String tokenType = claims.get("token_type", String.class);
+                    if ("ext_app".equals(tokenType)) {
+                        return null; // SelfIssuedJwtFilter behandelt es
+                    }
+                } catch (Exception e) {
+                    // Kein selbst ausgestelltes Token, weiter zur OAuth2 Validierung
+                }
+
+                return token;
+            }
+            return null;
+        };
+    }
+
    public static final class LccCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {
        private final CsrfTokenRequestHandler delegate = new CsrfTokenRequestAttributeHandler();