When an application injects a `JWTProcessor` into `NimbusJwtDecoder`:

```java
ConfigurableJWTProcessor<SecurityContext> jwtProcessor = ...;
NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
```

it's evident that the application knows what it's doing and what types of JWTs it cares to accept.
Additionally, JWTProcessor does its own type checking, disallowing plain JWTs, and erroring if there isn't sufficient configuration for an incoming SignedJWT or EncryptedJWT to be processed.
Because JWTProcessor already tests these scenarios, there is little gained from NimbusJwtDecoder adding its own checks before delegating.
`NimbusJwtDecoder` should change from:

```java
if (token instanceof SignedJWT) {
    // ... process the token
}
throw exception;
```

to

```java
if (token instanceof PlainJWT) {
    throw exception;
}
// ... process the token
```

And likewise for NimbusReactiveJwtDecoder.
Note that Nimbus does check on its own for a signature of "none", but due to #5457, Spring Security should keep checking for PlainJWTs.
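The difference between the two gates, as an added example that is not Spring Security's code: a `DefaultJWTProcessor` configured for both HS256 and dir/A256GCM is handed a plain, a signed and an encrypted token through each gate. The `before`/`after` helper names, the `BadJWTException` used where the issue says `throw exception`, and the all-7s demo secret are assumptions; it needs only `com.nimbusds:nimbus-jose-jwt` on the classpath.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.*;
import java.util.concurrent.Callable;

public class JwtTypeGateDemo {

    // "Before": only SignedJWT reaches the processor, so an EncryptedJWT is
    // rejected here even though the processor below can decrypt it.
    static JWTClaimsSet before(JWT token, JWTProcessor<SecurityContext> p) throws Exception {
        if (token instanceof SignedJWT) {
            return p.process(token, null);
        }
        throw new BadJWTException("unsupported JWT type"); // assumed exception type
    }

    // "After": only PlainJWT (alg "none") is refused up front (see #5457); every
    // other type is delegated and the processor decides if it is configured for it.
    static JWTClaimsSet after(JWT token, JWTProcessor<SecurityContext> p) throws Exception {
        if (token instanceof PlainJWT) {
            throw new BadJWTException("unsupported JWT type"); // assumed exception type
        }
        return p.process(token, null);
    }

    static String outcome(Callable<JWTClaimsSet> c) {
        try { return "accepted(" + c.call().getSubject() + ")"; }
        catch (Exception e) { return "rejected(" + e.getClass().getSimpleName() + ")"; }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];                       // constructed demo secret, 256-bit
        java.util.Arrays.fill(key, (byte) 7);
        ImmutableSecret<SecurityContext> secret = new ImmutableSecret<>(key);
        DefaultJWTProcessor<SecurityContext> p = new DefaultJWTProcessor<>();
        p.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.HS256, secret));
        p.setJWEKeySelector(new JWEDecryptionKeySelector<>(JWEAlgorithm.DIR, EncryptionMethod.A256GCM, secret));

        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("alice").build();
        PlainJWT plain = new PlainJWT(claims);
        SignedJWT signed = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        signed.sign(new MACSigner(key));
        EncryptedJWT encrypted = new EncryptedJWT(new JWEHeader(JWEAlgorithm.DIR, EncryptionMethod.A256GCM), claims);
        encrypted.encrypt(new DirectEncrypter(key));

        for (JWT t : new JWT[] { plain, signed, encrypted }) {
            JWT parsed = JWTParser.parse(t.serialize());  // re-parsed, as a decoder receives it
            System.out.println(parsed.getClass().getSimpleName()
                + " before=" + outcome(() -> before(parsed, p))
                + " after=" + outcome(() -> after(parsed, p)));
        }
    }
}
```

The plain token is rejected by both gates, the signed one accepted by both, and only the `after` gate lets the encrypted token reach the processor that was configured for it.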