Allow configuring the header name that carries the JWT, and optionally specify a prefix for its value.

Author: ja-openai

webapp/src/main/java/com/box/l10n/mojito/security/SecurityConfig.java

@@ -34,6 +34,8 @@ public class SecurityConfig {
 
   Map<String, OAuth2> oAuth2 = new HashMap<>();
 
+  Jwt jwt;
+
   public List<AuthenticationType> getAuthenticationType() {
     return authenticationType;
   }
@@ -58,6 +60,14 @@ public void setoAuth2(Map<String, OAuth2> oAuth2) {
     this.oAuth2 = oAuth2;
   }
 
+  public Jwt getJwt() {
+    return jwt;
+  }
+
+  public void setJwt(Jwt jwt) {
+    this.jwt = jwt;
+  }
+
   /** Types of authentication available */
   public enum AuthenticationType {
     LDAP,
@@ -136,4 +146,29 @@ public void setUsernameFromEmail(boolean usernameFromEmail) {
       this.usernameFromEmail = usernameFromEmail;
     }
   }
+
+  public static class Jwt {
+
+    /** Optional alternate header that carries the access token when not using Authorization. */
+    String tokenHeaderName;
+
+    /** Optional prefix (e.g. "Bearer") stripped from the configured token header value. */
+    String tokenHeaderPrefix;
+
+    public String getTokenHeaderName() {
+      return tokenHeaderName;
+    }
+
+    public void setTokenHeaderName(String tokenHeaderName) {
+      this.tokenHeaderName = tokenHeaderName;
+    }
+
+    public String getTokenHeaderPrefix() {
+      return tokenHeaderPrefix;
+    }
+
+    public void setTokenHeaderPrefix(String tokenHeaderPrefix) {
+      this.tokenHeaderPrefix = tokenHeaderPrefix;
+    }
+  }
 }

webapp/src/main/java/com/box/l10n/mojito/security/WebSecurityJWTConfig.java

@@ -4,6 +4,7 @@
 import com.box.l10n.mojito.entity.security.user.User;
 import com.box.l10n.mojito.service.security.user.UserService;
 import jakarta.annotation.PostConstruct;
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.List;
 import org.slf4j.Logger;
@@ -20,6 +21,7 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.util.StringUtils;
 
@@ -33,14 +35,20 @@ public class WebSecurityJWTConfig {
 
   UserService userService;
 
+  SecurityConfig securityConfig;
+
   @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri:}")
   String issuerUri;
 
   @Value("${spring.security.oauth2.resourceserver.jwt.audience:}")
   String audience;
 
-  public WebSecurityJWTConfig(UserService userService) {
+  private final DefaultBearerTokenResolver defaultBearerTokenResolver;
+
+  public WebSecurityJWTConfig(UserService userService, SecurityConfig securityConfig) {
     this.userService = userService;
+    this.securityConfig = securityConfig;
+    this.defaultBearerTokenResolver = new DefaultBearerTokenResolver();
   }
 
   @PostConstruct
@@ -59,17 +67,15 @@ public void validateStatelessConfig() {
   @Order(2)
   SecurityFilterChain security(HttpSecurity http) throws Exception {
 
-    http.securityMatcher(
-        req -> {
-          String h = req.getHeader("Authorization");
-          return h != null && h.startsWith("Bearer ");
-        });
+    http.securityMatcher(req -> StringUtils.hasText(resolveAccessToken(req)));
 
     applyStatelessSharedConfig(http);
 
     http.oauth2ResourceServer(
         oauth ->
-            oauth.jwt(
+            oauth
+                .bearerTokenResolver(this::resolveAccessToken)
+                .jwt(
                 jwtConfigurer -> {
                   jwtConfigurer.jwtAuthenticationConverter(
                       jwt -> {
@@ -128,7 +134,7 @@ public static void applyStatelessSharedConfig(HttpSecurity http) throws Exceptio
 
   private User ensureUserFromJwt(Jwt jwt) {
     String issuer = jwt.getIssuer() != null ? jwt.getIssuer().toString() : null;
-    IdStrategy strategy = pickStrategy(issuer);
+    IdentityProviderType providerType = resolveProviderType(issuer);
 
     String email = jwt.getClaimAsString("email");
     String upn = jwt.getClaimAsString("preferred_username");
@@ -139,10 +145,13 @@ private User ensureUserFromJwt(Jwt jwt) {
     String family = jwt.getClaimAsString("family_name");
 
     String username =
-        switch (strategy) {
-          case AZURE_AD -> firstNonBlank(localPart(upn), localPart(email), sub, oid);
-          case CLOUDFLARE -> firstNonBlank(localPart(email), sub, oid, localPart(upn));
-          case AUTO -> firstNonBlank(localPart(email), localPart(upn), sub, oid);
+        switch (providerType) {
+          case AZURE_AD ->
+              firstNonBlank(localPart(upn), localPart(email), sub, oid);
+          case CLOUDFLARE ->
+              firstNonBlank(localPart(email), sub, oid, localPart(upn));
+          case AUTO ->
+              firstNonBlank(localPart(email), localPart(upn), sub, oid);
         };
 
     if (!StringUtils.hasText(username)) {
@@ -158,17 +167,81 @@ private User ensureUserFromJwt(Jwt jwt) {
     return userService.getOrCreateOrUpdateBasicUser(username, given, family, name);
   }
 
-  private IdStrategy pickStrategy(String issuer) {
+  private String resolveAccessToken(HttpServletRequest request) {
+    if (request == null) {
+      return null;
+    }
+
+    CustomTokenHeader customTokenHeader = getCustomTokenHeader();
+    if (customTokenHeader == null) {
+      String token = defaultBearerTokenResolver.resolve(request);
+      if (StringUtils.hasText(token)) {
+        return token;
+      }
+      return null;
+    }
+
+    String headerValue = request.getHeader(customTokenHeader.name());
+    if (!StringUtils.hasText(headerValue)) {
+      return null;
+    }
+
+    String candidate = headerValue.trim();
+    if (!StringUtils.hasText(candidate)) {
+      return null;
+    }
+
+    String prefix = customTokenHeader.prefix();
+    if (!StringUtils.hasText(prefix)) {
+      return candidate;
+    }
+
+    if (candidate.startsWith(prefix)) {
+      String stripped = candidate.substring(prefix.length()).trim();
+      return StringUtils.hasText(stripped) ? stripped : null;
+    }
+
+    return null;
+  }
+
+  private CustomTokenHeader getCustomTokenHeader() {
+    SecurityConfig.Jwt jwtConfig = securityConfig.getJwt();
+    if (jwtConfig == null) {
+      return null;
+    }
+
+    String headerName = jwtConfig.getTokenHeaderName();
+    if (!StringUtils.hasText(headerName)) {
+      return null;
+    }
+
+    String name = headerName.trim();
+    if (!StringUtils.hasText(name)) {
+      return null;
+    }
+
+    String prefix = jwtConfig.getTokenHeaderPrefix();
+    if (StringUtils.hasText(prefix)) {
+      prefix = prefix.trim();
+      prefix = StringUtils.hasText(prefix) ? prefix : null;
+    } else {
+      prefix = null;
+    }
+
+    return new CustomTokenHeader(name, prefix);
+  }
+
+  private IdentityProviderType resolveProviderType(String issuer) {
     if (issuer == null) {
-      return IdStrategy.AUTO;
+      return IdentityProviderType.AUTO;
     }
     if (issuer.contains("login.microsoftonline.com")) {
-      return IdStrategy.AZURE_AD;
+      return IdentityProviderType.AZURE_AD;
     }
     if (issuer.contains("cloudflareaccess.com")) {
-      return IdStrategy.CLOUDFLARE;
+      return IdentityProviderType.CLOUDFLARE;
     }
-    return IdStrategy.AUTO;
+    return IdentityProviderType.AUTO;
   }
 
   private String firstNonBlank(String... values) {
@@ -194,12 +267,14 @@ private String localPart(String value) {
     return value.trim();
   }
 
-  private enum IdStrategy {
+  private enum IdentityProviderType {
     AUTO,
-      AZURE_AD,
-      CLOUDFLARE
+    AZURE_AD,
+    CLOUDFLARE
   }
 
+  private record CustomTokenHeader(String name, String prefix) {}
+
   static class StatelessAuthenticationToken extends AbstractAuthenticationToken {
 
     UserDetailsImpl userDetails;