
OAuth 2.0 迁移

验证 `typ` 头与 `JwtTypeValidator`

如果您按照 6.5 的准备步骤将 `validateTypes` 设置为了 `false`,现在可以将其删除。您也可以删除把 `JwtTypeValidator` 显式添加到默认验证器列表的代码。请注意:`typ` 头的校验现在完全由 `JwtTypeValidator` 负责,Nimbus 不再默认校验它;如果您传给 `setJwtValidator` 的是自行构建的验证器列表(而不是 `createDefaultXXX` 方法生成的),请确保其中包含 `JwtTypeValidator.jwt()`,否则 `typ` 头将不再被验证。

例如,将以下内容:

@Bean
JwtDecoder jwtDecoder() {
	// Pre-7 shape: Nimbus' own typ check is switched off and Spring Security's
	// JwtTypeValidator is added to the default validator list by hand.
	NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) (1)
        // ... your remaining configuration
        .build();
	jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
		new JwtIssuerValidator(location), JwtTypeValidator.jwt())); (2)
	return jwtDecoder;
}
@Bean
fun jwtDecoder(): JwtDecoder {
    // Pre-7 shape: Nimbus' own typ check is switched off and Spring Security's
    // JwtTypeValidator is added to the default validator list by hand.
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) (1)
        // ... your remaining configuration
        .build()
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        JwtIssuerValidator(location), JwtTypeValidator.jwt())) (2)
    return jwtDecoder
}
1 - 关闭 Nimbus 对 `typ` 头的验证
2 - 添加默认的 `typ` 验证器
@Bean
JwtDecoder jwtDecoder() {
	// validateTypes(false) is no longer needed: false is now the default.
	NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        // ... your remaining configuration (1)
        .build();
	// createDefaultWithIssuer already includes JwtTypeValidator.jwt(), so the typ
	// header is still validated. If you pass a hand-built validator list to
	// setJwtValidator instead, include JwtTypeValidator.jwt() yourself; otherwise
	// typ is no longer checked anywhere, since Nimbus no longer validates it by default.
	jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)); (2)
	return jwtDecoder;
}
@Bean
fun jwtDecoder(): JwtDecoder {
    // validateTypes(false) is no longer needed: false is now the default.
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        // ... your remaining configuration (1)
        .build()
    // createDefaultWithIssuer already includes JwtTypeValidator.jwt(), so the typ
    // header is still validated. If you pass a hand-built validator list to
    // setJwtValidator instead, include JwtTypeValidator.jwt() yourself; otherwise
    // typ is no longer checked anywhere, since Nimbus no longer validates it by default.
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)) (2)
    return jwtDecoder
}
1 - `validateTypes` 现在默认为 `false`
2 - `JwtTypeValidator#jwt` 现在由所有 `createDefaultXXX` 方法自动添加

为 BearerTokenAuthenticationFilter 提供 AuthenticationConverter

在 Spring Security 7 中,`BearerTokenAuthenticationFilter#setBearerTokenResolver` 和 `#setAuthenticationDetailsSource` 已被弃用,取而代之的是在 `BearerTokenAuthenticationConverter` 上配置这些内容。

`oauth2ResourceServer` DSL 已经涵盖了大多数用例,在这种情况下您无需做任何更改。

如果您像下面这样直接在 `BearerTokenAuthenticationFilter` 上设置 `BearerTokenResolver` 或 `AuthenticationDetailsSource`:

// Deprecated in Spring Security 7: configuring the resolver and the details
// source directly on the filter.
BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager);
filter.setBearerTokenResolver(myBearerTokenResolver);
filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);
// Deprecated in Spring Security 7: configuring the resolver and the details
// source directly on the filter.
val filter = BearerTokenAuthenticationFilter(authenticationManager).apply {
    setBearerTokenResolver(myBearerTokenResolver)
    setAuthenticationDetailsSource(myAuthenticationDetailsSource)
}

建议您改用 `BearerTokenAuthenticationConverter` 来同时指定这两项,然后把转换器交给过滤器:

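// Preferred in Spring Security 7: configure the resolver and the details source
// on the converter, then pass the converter to the filter.
BearerTokenAuthenticationConverter authenticationConverter =
    new BearerTokenAuthenticationConverter();
authenticationConverter.setBearerTokenResolver(myBearerTokenResolver);
authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);
// The variable is `authenticationConverter` (declared above); the original snippet
// passed a misspelled `authenicationConverter`, which does not compile.
BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager, authenticationConverter);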
// Preferred in Spring Security 7: configure the resolver and the details source
// on the converter, then pass the converter to the filter.
val authenticationConverter = BearerTokenAuthenticationConverter().apply {
    setBearerTokenResolver(myBearerTokenResolver)
    setAuthenticationDetailsSource(myAuthenticationDetailsSource)
}
val filter = BearerTokenAuthenticationFilter(authenticationManager, authenticationConverter)