Skip to content

Make X509CertificateThumbprintValidator to be public and non-final class #17178

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Make X509CertificateThumbprintValidator to be public and non-final class #17178

wants to merge 1 commit into from

Conversation

edmundham
Copy link

gh-17131

Make X509CertificateThumbprintValidator to be public and non-final class

With the current package visibility and final class, it is not usable with JwtValidators#createDefaultWithValidators. JwtValidators#createDefaultWithValidators is following, as of v6.4.6:

	public static OAuth2TokenValidator<Jwt> createDefaultWithValidators(List<OAuth2TokenValidator<Jwt>> validators) {
		Assert.notEmpty(validators, "validators cannot be null or empty");
		List<OAuth2TokenValidator<Jwt>> tokenValidators = new ArrayList<>(validators);
		X509CertificateThumbprintValidator x509CertificateThumbprintValidator = CollectionUtils
			.findValueOfType(tokenValidators, X509CertificateThumbprintValidator.class);
		if (x509CertificateThumbprintValidator == null) {
			tokenValidators.add(0, new X509CertificateThumbprintValidator(
					X509CertificateThumbprintValidator.DEFAULT_X509_CERTIFICATE_SUPPLIER));
		}
		JwtTimestampValidator jwtTimestampValidator = CollectionUtils.findValueOfType(tokenValidators,
				JwtTimestampValidator.class);
		if (jwtTimestampValidator == null) {
			tokenValidators.add(0, new JwtTimestampValidator());
		}
		return new DelegatingOAuth2TokenValidator<>(tokenValidators);
	}

By looking at this, I could understand the purpose is for consumer to have their own implementation of X509CertificateThumbprintValidator. However, currently that is not possible. This PR is to let consumers customize or build their own implementation of X509CertificateThumbprintValidator and keep using other default validators provided by Spring Security.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 28, 2025
@jzheaux jzheaux mentioned this pull request May 28, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@edmundham @spring-projects-issues