Improve null-safety of module/spring-boot-security-oauth2-resource-server

See gh-46926

Author: mhalbritter

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java

@@ -56,6 +56,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtGrantedAuthoritiesConverterAdapter;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
 /**
@@ -91,8 +92,9 @@ static class JwtConfiguration {
 		@Bean
 		@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
 		ReactiveJwtDecoder jwtDecoder(ObjectProvider<JwkSetUriReactiveJwtDecoderBuilderCustomizer> customizers) {
-			JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder
-				.withJwkSetUri(this.properties.getJwkSetUri())
+			String jwkSetUri = this.properties.getJwkSetUri();
+			Assert.state(jwkSetUri != null, "'jwkSetUri' must not be null");
+			JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri)
 				.jwsAlgorithms(this::jwsAlgorithms);
 			customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 			NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = builder.build();
@@ -164,12 +166,12 @@ private String exactlyOneAlgorithm() {
 		SupplierReactiveJwtDecoder jwtDecoderByIssuerUri(
 				ObjectProvider<JwkSetUriReactiveJwtDecoderBuilderCustomizer> customizers) {
 			return new SupplierReactiveJwtDecoder(() -> {
-				JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder
-					.withIssuerLocation(this.properties.getIssuerUri());
+				String issuerUri = this.properties.getIssuerUri();
+				Assert.state(issuerUri != null, "'issuerUri' must not be null");
+				JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder.withIssuerLocation(issuerUri);
 				customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 				NimbusReactiveJwtDecoder jwtDecoder = builder.build();
-				jwtDecoder.setJwtValidator(
-						getValidators(JwtValidators.createDefaultWithIssuer(this.properties.getIssuerUri())));
+				jwtDecoder.setJwtValidator(getValidators(JwtValidators.createDefaultWithIssuer(issuerUri)));
 				return jwtDecoder;
 			});
 		}

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerOpaqueTokenConfiguration.java

@@ -26,6 +26,7 @@
 import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.introspection.SpringReactiveOpaqueTokenIntrospector;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.util.Assert;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -46,9 +47,13 @@ static class OpaqueTokenIntrospectionClientConfiguration {
 		@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri")
 		SpringReactiveOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties properties) {
 			OAuth2ResourceServerProperties.Opaquetoken opaquetoken = properties.getOpaquetoken();
+			String clientId = opaquetoken.getClientId();
+			Assert.state(clientId != null, "'clientId' must not be null");
+			String clientSecret = opaquetoken.getClientSecret();
+			Assert.state(clientSecret != null, "'clientSecret' must not be null");
 			return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(opaquetoken.getIntrospectionUri())
-				.clientId(opaquetoken.getClientId())
-				.clientSecret(opaquetoken.getClientSecret())
+				.clientId(clientId)
+				.clientSecret(clientSecret)
 				.build();
 		}
 

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerJwtConfiguration.java

@@ -55,6 +55,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
 import static org.springframework.security.config.Customizer.withDefaults;
@@ -163,6 +164,7 @@ private String exactlyOneAlgorithm() {
 		SupplierJwtDecoder jwtDecoderByIssuerUri(ObjectProvider<JwkSetUriJwtDecoderBuilderCustomizer> customizers) {
 			return new SupplierJwtDecoder(() -> {
 				String issuerUri = this.properties.getIssuerUri();
+				Assert.state(issuerUri != null, "'issuerUri' must not be null");
 				JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withIssuerLocation(issuerUri);
 				customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 				NimbusJwtDecoder jwtDecoder = builder.build();

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java

@@ -27,6 +27,7 @@
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.util.Assert;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -48,9 +49,15 @@ static class OpaqueTokenIntrospectionClientConfiguration {
 		@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri")
 		SpringOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties properties) {
 			OAuth2ResourceServerProperties.Opaquetoken opaquetoken = properties.getOpaquetoken();
-			return SpringOpaqueTokenIntrospector.withIntrospectionUri(opaquetoken.getIntrospectionUri())
-				.clientId(opaquetoken.getClientId())
-				.clientSecret(opaquetoken.getClientSecret())
+			String introspectionUri = opaquetoken.getIntrospectionUri();
+			Assert.state(introspectionUri != null, "'introspectionUri' must not be null");
+			String clientId = opaquetoken.getClientId();
+			Assert.state(clientId != null, "'clientId' must not be null");
+			String clientSecret = opaquetoken.getClientSecret();
+			Assert.state(clientSecret != null, "'clientSecret' must not be null");
+			return SpringOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
+				.clientId(clientId)
+				.clientSecret(clientSecret)
 				.build();
 		}