From 98c05b51552040ee2f0336d1aaaebd0693717293 Mon Sep 17 00:00:00 2001 From: Tran Ngoc Nhan Date: Thu, 25 Jun 2026 15:42:42 +0700 Subject: [PATCH 1/3] Fix TokenType comparison logic Closes gh-19377 Signed-off-by: Tran Ngoc Nhan --- .../authentication/BearerTokenAuthentication.java | 2 +- .../BearerTokenAuthenticationTests.java | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java index 0da2633c7a8..d09c602ce5f 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java @@ -53,7 +53,7 @@ public class BearerTokenAuthentication extends AbstractOAuth2TokenAuthentication public BearerTokenAuthentication(OAuth2AuthenticatedPrincipal principal, OAuth2AccessToken credentials, Collection authorities) { super(credentials, principal, credentials, authorities); - Assert.isTrue(credentials.getTokenType() == OAuth2AccessToken.TokenType.BEARER, + Assert.isTrue(OAuth2AccessToken.TokenType.BEARER.equals(credentials.getTokenType()), "credentials must be a bearer token"); this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(principal.getAttributes())); setAuthenticated(true); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java index 9ae84282d1d..da66f3b0343 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java @@ -173,4 +173,18 @@ public void toBuilderWhenApplyThenCopies() { assertThat(authorities).containsExactlyInAnyOrder("FACTOR_ONE", "FACTOR_TWO"); } + // gh-19377 + @Test + public void compareTokenType() { + Instant current = Instant.now(); + Instant after1hour = Instant.now().plusSeconds(3600); + OAuth2AccessToken oAuth2AccessToken = new OAuth2AccessToken(new OAuth2AccessToken.TokenType("Bearer"), "token", + current, after1hour); + BearerTokenAuthentication authenticated = new BearerTokenAuthentication(principal, oAuth2AccessToken, + this.authorities); + assertThat(authenticated.getName()).isEqualTo(this.name); + assertThat(authenticated.getCredentials()) + .isEqualTo(new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "token", current, after1hour)); + } + } From 43478e3d44c58b93a954b5e7415bc65c09efab01 Mon Sep 17 00:00:00 2001 From: Tran Ngoc Nhan Date: Sat, 27 Jun 2026 20:03:09 +0700 Subject: [PATCH 2/3] Fix checkstyle Signed-off-by: Tran Ngoc Nhan --- .../resource/authentication/BearerTokenAuthenticationTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java index da66f3b0343..4a171140de9 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java @@ -180,7 +180,7 @@ public void compareTokenType() { Instant after1hour = Instant.now().plusSeconds(3600); OAuth2AccessToken oAuth2AccessToken = new OAuth2AccessToken(new OAuth2AccessToken.TokenType("Bearer"), "token", current, after1hour); - BearerTokenAuthentication authenticated = new BearerTokenAuthentication(principal, oAuth2AccessToken, + BearerTokenAuthentication authenticated = new BearerTokenAuthentication(this.principal, oAuth2AccessToken, this.authorities); assertThat(authenticated.getName()).isEqualTo(this.name); assertThat(authenticated.getCredentials()) From 51bfd9d749b3f0f250d9cea2619d9a01529ce334 Mon Sep 17 00:00:00 2001 From: Tran Ngoc Nhan Date: Mon, 29 Jun 2026 14:32:31 +0700 Subject: [PATCH 3/3] Fix TokenType comparison logic in `BearerTokenAuthentication.Builder#token` Signed-off-by: Tran Ngoc Nhan --- .../BearerTokenAuthentication.java | 3 ++- .../BearerTokenAuthenticationTests.java | 16 +++++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java index d09c602ce5f..59c230ecf7e 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthentication.java @@ -121,7 +121,8 @@ public B credentials(@Nullable Object token) { */ @Override public B token(OAuth2AccessToken token) { - Assert.isTrue(token.getTokenType() == OAuth2AccessToken.TokenType.BEARER, "token must be a bearer token"); + Assert.isTrue(OAuth2AccessToken.TokenType.BEARER.equals(token.getTokenType()), + "token must be a bearer token"); super.credentials(token); return super.token(token); } diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java index 4a171140de9..424b84285c4 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/BearerTokenAuthenticationTests.java @@ -175,7 +175,7 @@ public void toBuilderWhenApplyThenCopies() { // gh-19377 @Test - public void compareTokenType() { + public void compareCredentialsHasBearerTokenType() { Instant current = Instant.now(); Instant after1hour = Instant.now().plusSeconds(3600); OAuth2AccessToken oAuth2AccessToken = new OAuth2AccessToken(new OAuth2AccessToken.TokenType("Bearer"), "token", @@ -187,4 +187,18 @@ public void compareTokenType() { .isEqualTo(new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "token", current, after1hour)); } + // gh-19377 + @Test + public void toBuilderCompareCredentialsHasBearerTokenType() { + Instant current = Instant.now(); + Instant after1hour = Instant.now().plusSeconds(3600); + OAuth2AccessToken oAuth2AccessToken = new OAuth2AccessToken(new OAuth2AccessToken.TokenType("Bearer"), "token", + current, after1hour); + BearerTokenAuthentication token = new BearerTokenAuthentication(this.principal, this.token, this.authorities); + BearerTokenAuthentication authenticated = token.toBuilder().token(oAuth2AccessToken).build(); + assertThat(authenticated.getName()).isEqualTo(this.name); + assertThat(authenticated.getCredentials()) + .isEqualTo(new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "token", current, after1hour)); + } + }