
Make X509CertificateThumbprintValidator to be public and non-final class

Open edmundham opened this issue 7 months ago • 0 comments

gh-17131


With the current package visibility and final class, it is not usable with JwtValidators#createDefaultWithValidators. JwtValidators#createDefaultWithValidators is as follows, as of v6.4.6:

	public static OAuth2TokenValidator<Jwt> createDefaultWithValidators(List<OAuth2TokenValidator<Jwt>> validators) {
		Assert.notEmpty(validators, "validators cannot be null or empty");
		List<OAuth2TokenValidator<Jwt>> tokenValidators = new ArrayList<>(validators);
		X509CertificateThumbprintValidator x509CertificateThumbprintValidator = CollectionUtils
			.findValueOfType(tokenValidators, X509CertificateThumbprintValidator.class);
		if (x509CertificateThumbprintValidator == null) {
			tokenValidators.add(0, new X509CertificateThumbprintValidator(
					X509CertificateThumbprintValidator.DEFAULT_X509_CERTIFICATE_SUPPLIER));
		}
		JwtTimestampValidator jwtTimestampValidator = CollectionUtils.findValueOfType(tokenValidators,
				JwtTimestampValidator.class);
		if (jwtTimestampValidator == null) {
			tokenValidators.add(0, new JwtTimestampValidator());
		}
		return new DelegatingOAuth2TokenValidator<>(tokenValidators);
	}

By looking at this, I could understand the purpose is for consumers to have their own implementation of X509CertificateThumbprintValidator. However, currently that is not possible. This PR is to let consumers customize or build their own implementation of X509CertificateThumbprintValidator and keep using other default validators provided by Spring Security.

edmundham, May 28 '25 04:05
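An added example, not part of the issue and not Spring Security's own code: a consumer-written `cnf`/`x5t#S256` check passed to `createDefaultWithValidators`, showing that under the type lookup quoted above it can only run in addition to the built-in validator. `CustomThumbprintValidator`, `withDefaults` and the certificate supplier are hypothetical; treating a token without the claim as not certificate-bound is this example's policy.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;

// Hypothetical consumer-side validator; the supplier is assumed to return the TLS client certificate.
public final class CustomThumbprintValidator implements OAuth2TokenValidator<Jwt> {
    private final Supplier<X509Certificate> certificateSupplier;

    public CustomThumbprintValidator(Supplier<X509Certificate> certificateSupplier) {
        this.certificateSupplier = certificateSupplier;
    }
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Object bound = (jwt.getClaims().get("cnf") instanceof Map<?, ?> cnf) ? cnf.get("x5t#S256") : null;
        if (bound == null) {
            return OAuth2TokenValidatorResult.success(); // example policy: token is not certificate-bound
        }
        X509Certificate cert = this.certificateSupplier.get();
        if (cert == null || !matches(bound.toString(), cert)) {
            return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
                    "cnf x5t#S256 does not match the presented client certificate", null));
        }
        return OAuth2TokenValidatorResult.success();
    }
    // base64url(SHA-256(DER certificate)) compared in constant time; any error fails closed.
    private static boolean matches(String expected, X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            String actual = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                    actual.getBytes(StandardCharsets.UTF_8));
        } catch (Exception ex) {
            return false;
        }
    }
    // Not of type X509CertificateThumbprintValidator, so the quoted method still adds the built-in one too.
    static OAuth2TokenValidator<Jwt> withDefaults(Supplier<X509Certificate> supplier) {
        return JwtValidators.createDefaultWithValidators(List.of(new CustomThumbprintValidator(supplier)));
    }
}
```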