Version: 7.0.2

OAuth 2.0 Migrations

Validate typ Header with JwtTypeValidator

If you set validateTypes to false while performing the 6.5 preparation steps, you can now remove that call. You can also remove the explicit addition of JwtTypeValidator to the list of default validators.

For example, change this:

@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) // <1>
        // ... your remaining configuration
        .build();
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        new JwtIssuerValidator(location), JwtTypeValidator.jwt())); // <2>
    return jwtDecoder;
}
  • <1> Switch off Nimbus's own typ validation

  • <2> Add the default typ validator

to this:

@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        // ... your remaining configuration // <1>
        .build();
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)); // <2>
    return jwtDecoder;
}
  • <1> validateTypes now defaults to false

  • <2> All createDefaultXXX methods add JwtTypeValidator#jwt
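The following is an added example and not code from the Spring Security reference. It shows the migrated decoder bean in a full configuration class, plus the one situation in which you still construct a JwtTypeValidator yourself after the migration: an authorization server that issues RFC 9068 access tokens with a typ of at+jwt, which the default JwtTypeValidator.jwt() (accepting typ JWT) does not cover. Assumed: the property name app.issuer-location, the JwtTypeValidator(Collection<String>) constructor from 6.5, and that createDefaultWithValidators keeps the JwtTypeValidator you supply rather than adding a second default one; confirm the last point against the version you run.

```java
// Added example, not part of the Spring Security reference documentation.
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTypeValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Issuer comes from configuration; the property name is an assumption.
    @Value("${app.issuer-location}")
    private String issuerLocation;

    /**
     * Migrated bean: no validateTypes(false) and no explicit JwtTypeValidator.
     * In 7.0 the Nimbus typ check is off by default and createDefaultWithIssuer
     * already adds JwtTypeValidator.jwt() next to the timestamp and issuer checks.
     */
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuerLocation)
                .build();
        jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerLocation));
        return jwtDecoder;
    }

    /**
     * Variant for RFC 9068 access tokens (typ "at+jwt"): keep the default
     * timestamp and issuer validation, but supply the typ policy explicitly.
     * Listing the accepted types is deliberate; do not reach for
     * validateTypes(false) plus no JwtTypeValidator, which would accept any typ.
     * Assumes createDefaultWithValidators does not add a second typ validator
     * when one is present in the supplied list.
     */
    static JwtDecoder jwtDecoderAcceptingAtJwt(String issuerLocation) {
        OAuth2TokenValidator<Jwt> typValidator =
                new JwtTypeValidator(List.of("JWT", "at+jwt"));
        NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuerLocation)
                .build();
        jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
                new JwtIssuerValidator(issuerLocation), typValidator));
        return jwtDecoder;
    }
}
```

The first bean is what the migration leaves you with; the second method is only needed when your tokens carry a non-default typ, and it keeps the check explicit instead of disabling typ validation altogether.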

Provide an AuthenticationConverter to BearerTokenAuthenticationFilter

In Spring Security 7, BearerTokenAuthenticationFilter#setBearerTokenResolver and BearerTokenAuthenticationFilter#setAuthenticationDetailsSource are deprecated in favor of configuring them on BearerTokenAuthenticationConverter.

The oauth2ResourceServer DSL handles most use cases, and you do not need to do anything additional.

If you are setting a BearerTokenResolver or AuthenticationDetailsSource directly on BearerTokenAuthenticationFilter, like so:

BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager);
filter.setBearerTokenResolver(myBearerTokenResolver);
filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);

it is recommended to use BearerTokenAuthenticationConverter to specify both:

BearerTokenAuthenticationConverter authenticationConverter =
    new BearerTokenAuthenticationConverter();
authenticationConverter.setBearerTokenResolver(myBearerTokenResolver);
authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);
BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager, authenticationConverter);
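The following is an added example, not code from the Spring Security reference, showing concrete values for myBearerTokenResolver and myAuthenticationDetailsSource wired through BearerTokenAuthenticationConverter. The resolver restricts token extraction to the Authorization header, and the details source captures request metadata for audit. The BearerRequestDetails record and the bearerTokenFilter factory method are assumptions of this example; DefaultBearerTokenResolver, its two setAllow... setters, and the converter and filter constructors are the real Spring Security types.

```java
// Added example, not part of the Spring Security reference documentation.
import jakarta.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;

public final class BearerTokenFilterFactory {

    /** Per-request details attached to the authentication (assumed shape). */
    public record BearerRequestDetails(String remoteAddress, String userAgent) { }

    private BearerTokenFilterFactory() { }

    /**
     * Builds the filter the 7.0 way: resolver and details source go on the
     * converter, and the converter is passed to the filter constructor, so
     * neither deprecated setter on the filter is used.
     */
    public static BearerTokenAuthenticationFilter bearerTokenFilter(
            AuthenticationManager authenticationManager) {

        // Header only: a token in the query string is copied into access logs
        // and Referer headers, and a form-body token bypasses header-based
        // inspection. Both options are off by default; set them explicitly so
        // the policy is visible in code review.
        DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
        resolver.setAllowUriQueryParameter(false);
        resolver.setAllowFormEncodedBodyParameter(false);

        // Details that an audit log or anomaly check can read from
        // Authentication#getDetails once the token is accepted.
        AuthenticationDetailsSource<HttpServletRequest, BearerRequestDetails> detailsSource =
                request -> new BearerRequestDetails(
                        request.getRemoteAddr(), request.getHeader("User-Agent"));

        BearerTokenAuthenticationConverter converter = new BearerTokenAuthenticationConverter();
        converter.setBearerTokenResolver(resolver);
        converter.setAuthenticationDetailsSource(detailsSource);
        return new BearerTokenAuthenticationFilter(authenticationManager, converter);
    }
}
```

If you use the oauth2ResourceServer DSL instead of constructing the filter yourself, pass the same resolver with oauth2ResourceServer(oauth2 -> oauth2.bearerTokenResolver(resolver)) and the DSL builds the converter and filter for you.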