fix: read oidcTlsSkipVerify at call time instead of caching in constructor

OidcTokenExchanger cached securityProperties.isOidcTlsSkipVerify() in
the constructor as a boolean field. If Spring constructed the bean
before property binding completed, the cached value was false even when
the env var was set. SecurityConfig worked because it read the property
at call time. Now OidcTokenExchanger stores the SecurityProperties
reference and reads the flag on each call, matching SecurityConfig's
pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-06 01:02:36 +02:00
parent 99e2a8354f
commit d7563902a7


@@ -51,7 +51,7 @@ public class OidcTokenExchanger {
private static final Logger log = LoggerFactory.getLogger(OidcTokenExchanger.class);
private final OidcConfigRepository configRepository;
private final boolean tlsSkipVerify;
private final SecurityProperties securityProperties;
private volatile String cachedIssuerUri;
private volatile OIDCProviderMetadata providerMetadata;
@@ -60,10 +60,7 @@ public class OidcTokenExchanger {
public OidcTokenExchanger(OidcConfigRepository configRepository,
SecurityProperties securityProperties) {
this.configRepository = configRepository;
this.tlsSkipVerify = securityProperties.isOidcTlsSkipVerify();
if (tlsSkipVerify) {
log.warn("OIDC TLS skip-verify enabled for token exchanger");
}
this.securityProperties = securityProperties;
}
public record OidcUserInfo(String subject, String email, String name, List<String> roles, String idToken) {}
@@ -88,7 +85,7 @@ public class OidcTokenExchanger {
);
var httpRequest = tokenRequest.toHTTPRequest();
if (tlsSkipVerify) {
if (securityProperties.isOidcTlsSkipVerify()) {
httpRequest.setSSLSocketFactory(InsecureTlsHelper.socketFactory());
httpRequest.setHostnameVerifier(InsecureTlsHelper.hostnameVerifier());
}
@@ -205,7 +202,7 @@ public class OidcTokenExchanger {
// .well-known/openid-configuration automatically, the user provides
// the complete URL.
URL discoveryUrl = new URI(issuerUri).toURL();
try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, tlsSkipVerify)) {
try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, securityProperties.isOidcTlsSkipVerify())) {
JSONObject json = (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE)
.parse(in);
providerMetadata = OIDCProviderMetadata.parse(json);
@@ -226,7 +223,7 @@ public class OidcTokenExchanger {
OIDCProviderMetadata metadata = getProviderMetadata(issuerUri);
URL jwksUrl = metadata.getJWKSetURI().toURL();
JWKSource<SecurityContext> jwkSource;
if (tlsSkipVerify) {
if (securityProperties.isOidcTlsSkipVerify()) {
var retriever = new DefaultResourceRetriever(5000, 5000, 0, true,
InsecureTlsHelper.socketFactory());
jwkSource = new RemoteJWKSet<>(jwksUrl, retriever);
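Review bot: Dropping the constructor's `log.warn("OIDC TLS skip-verify enabled for token exchanger")` in the hunk at -60,10 +60,7 removes the only log line that made a verification-disabled deployment visible, and none of the three call sites that now read `securityProperties.isOidcTlsSkipVerify()` (the token request, the discovery fetch, the JWK source) emit anything when the flag is true. Since the description moves the read to call time precisely because the constructor-time value could be stale, the warning should move with it rather than disappear. A private accessor that reads the flag and logs once when it is set keeps each call site to a single expression (`if (tlsSkipVerify())`, `InsecureTlsHelper.openStream(discoveryUrl, tlsSkipVerify())`), with an `AtomicBoolean` guard (import `java.util.concurrent.atomic.AtomicBoolean`) so the warning is not repeated on every exchange. The enclosing methods of the last three hunks start and end outside the hunk.
```java
private final AtomicBoolean skipVerifyWarned = new AtomicBoolean();

/** Reads the skip-verify flag at call time and warns once when it is enabled. */
private boolean tlsSkipVerify() {
    boolean skip = securityProperties.isOidcTlsSkipVerify();
    if (skip && skipVerifyWarned.compareAndSet(false, true)) {
        log.warn("OIDC TLS skip-verify enabled for token exchanger");
    }
    return skip;
}
// … unchanged: constructor, token request, discovery fetch and JWK source, each calling tlsSkipVerify() in place of securityProperties.isOidcTlsSkipVerify() …
```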