spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/DPoPAuthenticationConfigurer.java‎
Lines changed: 50 additions & 120 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/DPoPAuthenticationConfigurer.java‎
Lines changed: 50 additions & 120 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java‎
Lines changed: 21 additions & 3 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java‎
Lines changed: 21 additions & 3 deletions
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/annotation/web/OAuth2ResourceServerDsl.kt‎
Lines changed: 35 additions & 0 deletions b/‎config/src/main/kotlin/org/springframework/security/config/annotation/web/OAuth2ResourceServerDsl.kt‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/annotation/web/oauth2/resourceserver/DPoPDsl.kt‎
Lines changed: 50 additions & 0 deletions b/‎config/src/main/kotlin/org/springframework/security/config/annotation/web/oauth2/resourceserver/DPoPDsl.kt‎
Lines changed: 50 additions & 0 deletions
@@ -16,42 +16,24 @@
 
 package org.springframework.security.config.annotation.web.configurers.oauth2.server.resource;
 
-import java.util.Collections;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
 import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
-import org.springframework.security.oauth2.core.OAuth2Error;
-import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
-import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
-import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
+import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationProvider;
-import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
-import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.oauth2.server.resource.web.DPoPAuthenticationEntryPoint;
+import org.springframework.security.oauth2.server.resource.web.DPoPRequestMatcher;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationFilter;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.util.matcher.RequestMatcher;
-import org.springframework.util.CollectionUtils;
-import org.springframework.util.StringUtils;
+import org.springframework.util.Assert;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -61,12 +43,13 @@
  * (DPoP) support.
  *
  * @author Joe Grandja
+ * @author Max Batischev
  * @since 6.5
  * @see DPoPAuthenticationProvider
  * @see <a target="_blank" href="https://datatracker.ietf.org/doc/html/rfc9449">RFC 9449
  * OAuth 2.0 Demonstrating Proof of Possession (DPoP)</a>
  */
-final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
+public final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
 		extends AbstractHttpConfigurer<DPoPAuthenticationConfigurer<B>, B> {
 
 	private RequestMatcher requestMatcher;
@@ -108,6 +91,50 @@ private AuthenticationManager getTokenAuthenticationManager(B http) {
 		};
 	}
 
+	/**
+	 * Sets the {@link RequestMatcher} to use.
+	 * @param requestMatcher
+	 * @since 7.0
+	 */
+	public DPoPAuthenticationConfigurer<B> requestMatcher(RequestMatcher requestMatcher) {
+		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
+		this.requestMatcher = requestMatcher;
+		return this;
+	}
+
+	/**
+	 * Sets the {@link AuthenticationConverter} to use.
+	 * @param authenticationConverter
+	 * @since 7.0
+	 */
+	public DPoPAuthenticationConfigurer<B> authenticationConverter(AuthenticationConverter authenticationConverter) {
+		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+		this.authenticationConverter = authenticationConverter;
+		return this;
+	}
+
+	/**
+	 * Sets the {@link AuthenticationFailureHandler} to use.
+	 * @param failureHandler
+	 * @since 7.0
+	 */
+	public DPoPAuthenticationConfigurer<B> failureHandler(AuthenticationFailureHandler failureHandler) {
+		Assert.notNull(failureHandler, "failureHandler cannot be null");
+		this.authenticationFailureHandler = failureHandler;
+		return this;
+	}
+
+	/**
+	 * Sets the {@link AuthenticationSuccessHandler} to use.
+	 * @param successHandler
+	 * @since 7.0
+	 */
+	public DPoPAuthenticationConfigurer<B> successHandler(AuthenticationSuccessHandler successHandler) {
+		Assert.notNull(successHandler, "successHandler cannot be null");
+		this.authenticationSuccessHandler = successHandler;
+		return this;
+	}
+
 	private RequestMatcher getRequestMatcher() {
 		if (this.requestMatcher == null) {
 			this.requestMatcher = new DPoPRequestMatcher();
@@ -139,101 +166,4 @@ private AuthenticationFailureHandler getAuthenticationFailureHandler() {
 		return this.authenticationFailureHandler;
 	}
 
-	private static final class DPoPRequestMatcher implements RequestMatcher {
-
-		@Override
-		public boolean matches(HttpServletRequest request) {
-			String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
-			if (!StringUtils.hasText(authorization)) {
-				return false;
-			}
-			return StringUtils.startsWithIgnoreCase(authorization, OAuth2AccessToken.TokenType.DPOP.getValue());
-		}
-
-	}
-
-	private static final class DPoPAuthenticationConverter implements AuthenticationConverter {
-
-		private static final Pattern AUTHORIZATION_PATTERN = Pattern.compile("^DPoP (?<token>[a-zA-Z0-9-._~+/]+=*)$",
-				Pattern.CASE_INSENSITIVE);
-
-		@Override
-		public Authentication convert(HttpServletRequest request) {
-			List<String> authorizationList = Collections.list(request.getHeaders(HttpHeaders.AUTHORIZATION));
-			if (CollectionUtils.isEmpty(authorizationList)) {
-				return null;
-			}
-			if (authorizationList.size() != 1) {
-				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
-						"Found multiple Authorization headers.", null);
-				throw new OAuth2AuthenticationException(error);
-			}
-			String authorization = authorizationList.get(0);
-			if (!StringUtils.startsWithIgnoreCase(authorization, OAuth2AccessToken.TokenType.DPOP.getValue())) {
-				return null;
-			}
-			Matcher matcher = AUTHORIZATION_PATTERN.matcher(authorization);
-			if (!matcher.matches()) {
-				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN, "DPoP access token is malformed.",
-						null);
-				throw new OAuth2AuthenticationException(error);
-			}
-			String accessToken = matcher.group("token");
-			List<String> dPoPProofList = Collections
-				.list(request.getHeaders(OAuth2AccessToken.TokenType.DPOP.getValue()));
-			if (CollectionUtils.isEmpty(dPoPProofList) || dPoPProofList.size() != 1) {
-				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
-						"DPoP proof is missing or invalid.", null);
-				throw new OAuth2AuthenticationException(error);
-			}
-			String dPoPProof = dPoPProofList.get(0);
-			return new DPoPAuthenticationToken(accessToken, dPoPProof, request.getMethod(),
-					request.getRequestURL().toString());
-		}
-
-	}
-
-	private static final class DPoPAuthenticationEntryPoint implements AuthenticationEntryPoint {
-
-		@Override
-		public void commence(HttpServletRequest request, HttpServletResponse response,
-				AuthenticationException authenticationException) {
-			Map<String, String> parameters = new LinkedHashMap<>();
-			if (authenticationException instanceof OAuth2AuthenticationException oauth2AuthenticationException) {
-				OAuth2Error error = oauth2AuthenticationException.getError();
-				parameters.put(OAuth2ParameterNames.ERROR, error.getErrorCode());
-				if (StringUtils.hasText(error.getDescription())) {
-					parameters.put(OAuth2ParameterNames.ERROR_DESCRIPTION, error.getDescription());
-				}
-				if (StringUtils.hasText(error.getUri())) {
-					parameters.put(OAuth2ParameterNames.ERROR_URI, error.getUri());
-				}
-			}
-			parameters.put("algs",
-					JwsAlgorithms.RS256 + " " + JwsAlgorithms.RS384 + " " + JwsAlgorithms.RS512 + " "
-							+ JwsAlgorithms.PS256 + " " + JwsAlgorithms.PS384 + " " + JwsAlgorithms.PS512 + " "
-							+ JwsAlgorithms.ES256 + " " + JwsAlgorithms.ES384 + " " + JwsAlgorithms.ES512);
-			String wwwAuthenticate = toWWWAuthenticateHeader(parameters);
-			response.addHeader(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticate);
-			response.setStatus(HttpStatus.UNAUTHORIZED.value());
-		}
-
-		private static String toWWWAuthenticateHeader(Map<String, String> parameters) {
-			StringBuilder wwwAuthenticate = new StringBuilder();
-			wwwAuthenticate.append(OAuth2AccessToken.TokenType.DPOP.getValue());
-			if (!parameters.isEmpty()) {
-				wwwAuthenticate.append(" ");
-				int i = 0;
-				for (Map.Entry<String, String> entry : parameters.entrySet()) {
-					wwwAuthenticate.append(entry.getKey()).append("=\"").append(entry.getValue()).append("\"");
-					if (i++ != parameters.size() - 1) {
-						wwwAuthenticate.append(", ");
-					}
-				}
-			}
-			return wwwAuthenticate.toString();
-		}
-
-	}
-
 }
@@ -146,6 +146,7 @@
  * @author Josh Cummings
  * @author Evgeniy Cheban
  * @author Jerome Wacongne &lt;ch4mp@c4-soft.com&gt;
+ * @author Max Batischev
  * @since 5.1
  * @see BearerTokenAuthenticationFilter
  * @see JwtAuthenticationProvider
@@ -168,6 +169,8 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	private final ApplicationContext context;
 
+	private DPoPAuthenticationConfigurer<H> dPoPAuthenticationConfigurer;
+
 	private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
 
 	private AuthenticationConverter authenticationConverter;
@@ -268,6 +271,22 @@ public OAuth2ResourceServerConfigurer<H> protectedResourceMetadata(
 		return this;
 	}
 
+	/**
+	 * Enables DPoP support.
+	 * @param dpopAuthenticatioCustomizer the {@link Customizer} to provide more options
+	 * for the {@link DPoPAuthenticationConfigurer}
+	 * @return the {@link OAuth2ResourceServerConfigurer} for further customizations
+	 * @since 7.0
+	 */
+	public OAuth2ResourceServerConfigurer<H> dpop(
+			Customizer<DPoPAuthenticationConfigurer<H>> dpopAuthenticatioCustomizer) {
+		if (this.dPoPAuthenticationConfigurer == null) {
+			this.dPoPAuthenticationConfigurer = new DPoPAuthenticationConfigurer<>();
+		}
+		dpopAuthenticatioCustomizer.customize(this.dPoPAuthenticationConfigurer);
+		return this;
+	}
+
 	@Override
 	public void init(H http) {
 		validateConfiguration();
@@ -296,9 +315,8 @@ public void configure(H http) {
 		filter = postProcess(filter);
 		http.addFilter(filter);
 
-		if (dPoPAuthenticationAvailable) {
-			DPoPAuthenticationConfigurer<H> dPoPAuthenticationConfigurer = new DPoPAuthenticationConfigurer<>();
-			dPoPAuthenticationConfigurer.configure(http);
+		if (dPoPAuthenticationAvailable && this.dPoPAuthenticationConfigurer != null) {
+			this.dPoPAuthenticationConfigurer.configure(http);
 		}
 
 		OAuth2ProtectedResourceMetadataFilter protectedResourceMetadataFilter = new OAuth2ProtectedResourceMetadataFilter();
 
@@ -25,12 +25,15 @@ import org.springframework.security.oauth2.server.resource.web.BearerTokenResolv
 import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.access.AccessDeniedHandler
 import jakarta.servlet.http.HttpServletRequest
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.DPoPAuthenticationConfigurer
+import org.springframework.security.config.annotation.web.oauth2.resourceserver.DPoPDsl
 
 /**
  * A Kotlin DSL to configure [HttpSecurity] OAuth 2.0 resource server support using
  * idiomatic Kotlin code.
  *
  * @author Eleftheria Stein
+ * @author Max Batischev
  * @since 5.3
  * @property accessDeniedHandler the [AccessDeniedHandler] to use for requests authenticating
  * with <a href="https://tools.ietf.org/html/rfc6750#section-1.2" target="_blank">Bearer Token</a>s.
@@ -48,6 +51,7 @@ class OAuth2ResourceServerDsl {
 
     private var jwt: ((OAuth2ResourceServerConfigurer<HttpSecurity>.JwtConfigurer) -> Unit)? = null
     private var opaqueToken: ((OAuth2ResourceServerConfigurer<HttpSecurity>.OpaqueTokenConfigurer) -> Unit)? = null
+    private var dpop: ((DPoPAuthenticationConfigurer<HttpSecurity>) -> Unit)? = null
 
     /**
      * Enables JWT-encoded bearer token support.
@@ -109,6 +113,36 @@ class OAuth2ResourceServerDsl {
         this.opaqueToken = OpaqueTokenDsl().apply(opaqueTokenConfig).get()
     }
 
+    /**
+     * Enables DPoP support.
+     *
+     * Example:
+     *
+     * ```
+     * @Configuration
+     * @EnableWebSecurity
+     * class SecurityConfig {
+     *
+     *     @Bean
+     *     fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+     *         http {
+     *             oauth2ResourceServer {
+     *                 dpop { }
+     *             }
+     *         }
+     *         return http.build()
+     *     }
+     * }
+     * ```
+     *
+     * @param dpopConfig custom configurations to configure DPoP support
+     * @see [DPoPDsl]
+     * @since 7.0
+     */
+    fun dpop(dpopConfig: DPoPDsl.() -> Unit) {
+        this.dpop = DPoPDsl().apply(dpopConfig).get()
+    }
+
     internal fun get(): (OAuth2ResourceServerConfigurer<HttpSecurity>) -> Unit {
         return { oauth2ResourceServer ->
             accessDeniedHandler?.also { oauth2ResourceServer.accessDeniedHandler(accessDeniedHandler) }
@@ -117,6 +151,7 @@ class OAuth2ResourceServerDsl {
             authenticationManagerResolver?.also { oauth2ResourceServer.authenticationManagerResolver(authenticationManagerResolver) }
             jwt?.also { oauth2ResourceServer.jwt(jwt) }
             opaqueToken?.also { oauth2ResourceServer.opaqueToken(opaqueToken) }
+            dpop?.also { oauth2ResourceServer.dpop(dpop) }
         }
     }
 }
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.oauth2.resourceserver
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.DPoPAuthenticationConfigurer
+import org.springframework.security.web.authentication.AuthenticationConverter
+import org.springframework.security.web.authentication.AuthenticationFailureHandler
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler
+import org.springframework.security.web.util.matcher.RequestMatcher
+
+/**
+ * A Kotlin DSL to configure DPoP support using idiomatic Kotlin code.
+ *
+ * @author Max Batischev
+ * @property requestMatcher the [RequestMatcher] to use.
+ * @property authenticationConverter the [AuthenticationConverter] to use.
+ * @property successHandler the [AuthenticationSuccessHandler] to use.
+ * @property failureHandler the [AuthenticationFailureHandler] to use.
+ * @since 7.0
+ */
+class DPoPDsl {
+    var requestMatcher: RequestMatcher? = null
+    var authenticationConverter: AuthenticationConverter? = null
+    var successHandler: AuthenticationSuccessHandler? = null
+    var failureHandler: AuthenticationFailureHandler? = null
+
+    internal fun get(): (DPoPAuthenticationConfigurer<HttpSecurity>) -> Unit {
+        return { dpop ->
+            requestMatcher?.also { dpop.requestMatcher(requestMatcher) }
+            authenticationConverter?.also { dpop.authenticationConverter(authenticationConverter) }
+            successHandler?.also { dpop.successHandler(successHandler) }
+            failureHandler?.also { dpop.failureHandler(failureHandler) }
+        }
+    }
+}