From 98b6da1b1b586f27f5d9a3a4bd1a3c07e2383173 Mon Sep 17 00:00:00 2001
From: CHANHAN <130114269+chanani@users.noreply.github.com>
Date: Fri, 3 Apr 2026 10:30:10 +0900
Subject: [PATCH 1/2] Fix : Wrap IllegalStateException as BadJwtException in NimbusJwtDecoder

Previously, an invalid issuer caused IllegalStateException to propagate instead of BadJwtException, preventing AuthenticationEntryPoint from being invoked.

Closes gh-18388

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
---
 .../security/oauth2/jwt/NimbusJwtDecoder.java | 4 ++++
 .../oauth2/jwt/NimbusJwtDecoderTests.java | 18 ++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
index 5fb07130e1c..8aa11dba43d 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
@@ -183,6 +183,10 @@ private Jwt createJwt(String token, JWT parsedJwt) {
 			this.logger.trace("Failed to process JWT", ex);
 			throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
 		}
+		catch (IllegalStateException ex) {
+			this.logger.trace("Failed to validate issuer", ex);
+			throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
+		}
 		catch (Exception ex) {
 			this.logger.trace("Failed to process JWT", ex);
 			if (ex.getCause() instanceof ParseException) {
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
index c1866720a48..db935f6b4fc 100644
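Review bot: The new catch in createJwt reclassifies every IllegalStateException thrown by the processor as a client-supplied bad token, yet nothing in the catch ties the exception to issuer validation, so the trace message "Failed to validate issuer" will be wrong for any other origin of that exception type. BadJwtException is the branch that, per the commit message, ends at the AuthenticationEntryPoint, so a server-side state error (for example a processor or key selector that is not set up correctly, if that path throws IllegalStateException) would presumably now be reported to the caller as an invalid token, with ex.getMessage() formatted into the outgoing message; whether that text reaches the client depends on the entry point and is not visible here, so it should be confirmed. If the issuer check is the only intended source, narrow the catch to that source or, at minimum, use the same generic trace message as the sibling catches and leave a comment: `// IllegalStateException is treated as a bad token so the entry point handles it; keep state messages free of internal detail`, with `this.logger.trace("Failed to process JWT", ex);`. createJwt's body starts and ends outside this hunk, so the preceding catch type and the rest of the generic handler are not visible.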
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
@@ -49,6 +49,7 @@
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.jwt.proc.BadJWTException;
@@ -80,8 +81,7 @@
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.*;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
@@ -879,6 +879,20 @@ public void decodeWhenSecretKeyValidateTypeFalseThenSkipsNimbusTypeValidation()
 		jwtDecoder.decode(jwt.serialize());
 	}
 
+	// gh-18388
+	@Test
+	public void decodeWhenIllegalStateExceptionThenThrowsBadJwtException() throws Exception {
+		JWTProcessor jwtProcessor = mock(JWTProcessor.class);
+		given(jwtProcessor.process(any(JWT.class), isNull())).willThrow(new IllegalStateException());
+		NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(jwtProcessor);
+		// @formatter:off
+		assertThatExceptionOfType(BadJwtException.class)
+			.isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
+			.withCauseInstanceOf(IllegalStateException.class)
+			.withMessageContaining("An error occurred while attempting to decode the Jwt");
+		// @formatter:on
+	}
+
 	private RSAPublicKey key() throws InvalidKeySpecException {
 		byte[] decoded = Base64.getDecoder().decode(VERIFY_KEY.getBytes());
 		EncodedKeySpec spec = new X509EncodedKeySpec(decoded);
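Review bot: The new test decodeWhenIllegalStateExceptionThenThrowsBadJwtException drives the decoder through a mocked JWTProcessor that throws a bare IllegalStateException, so it does not exercise the issuer-validation path the commit message describes, and a regression in how issuer mismatch is raised would not be caught by it. The thrown exception also carries no message, so the assertion cannot tell whether the cause's text is actually formatted into the BadJwtException. Consider throwing `new IllegalStateException("issuer mismatch")` and adding `.withMessageContaining("issuer mismatch")`, and, if a real issuer-validating decoder can be built in this test class, a second test that goes through that configuration rather than a mock. The surrounding test class starts and ends outside this hunk.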
From 2b8669d78cd6ca403ce0d83dd798a100d37a2d25 Mon Sep 17 00:00:00 2001
From: CHANHAN <130114269+chanani@users.noreply.github.com>
Date: Fri, 3 Apr 2026 10:56:23 +0900
Subject: [PATCH 2/2] fix : Replace wildcard import with explicit imports in NimbusJwtDecoderTests

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
---
 .../security/oauth2/jwt/NimbusJwtDecoderTests.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
index db935f6b4fc..18e168517a8 100644
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
@@ -81,7 +81,9 @@
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
-import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;