Add BadJwtException

Updated NimbusJwtDecoder and NimbusReactiveJwtDecoder to throw.
Updated JwtAuthenticationProvider and JwtReactiveAuthenticationManager
to catch.

Fixes gh-7885

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -94,6 +94,7 @@
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import org.springframework.security.oauth2.jose.TestKeys;
+import org.springframework.security.oauth2.jwt.BadJwtException;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.JwtException;
@@ -256,7 +257,7 @@ public void getWhenUsingDefaultsWithBadJwkEndpointThenInvalidToken()
 
 		this.mvc.perform(get("/").with(bearerToken(token)))
 				.andExpect(status().isUnauthorized())
-				.andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt: Malformed Jwk set"));
+				.andExpect(header().string("WWW-Authenticate", "Bearer"));
 	}
 
 	@Test
@@ -269,7 +270,7 @@ public void getWhenUsingDefaultsWithUnavailableJwkEndpointThenInvalidToken()
 
 		this.mvc.perform(get("/").with(bearerToken(token)))
 				.andExpect(status().isUnauthorized())
-				.andExpect(invalidTokenHeader("Invalid token"));
+				.andExpect(header().string("WWW-Authenticate", "Bearer"));
 	}
 
 	@Test
@@ -1099,7 +1100,7 @@ public void requestWhenUsingCustomAuthenticationEventPublisherThenUses() throws
 		this.spring.register(CustomAuthenticationEventPublisher.class).autowire();
 
 		when(bean(JwtDecoder.class).decode(anyString()))
-				.thenThrow(new JwtException("problem"));
+				.thenThrow(new BadJwtException("problem"));
 
 		this.mvc.perform(get("/").with(bearerToken("token")));
 

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/BadJwtException.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.jwt;
+
+/**
+ * An exception similar to {@link org.springframework.security.authentication.BadCredentialsException}
+ * that indicates a {@link Jwt} that is invalid in some way.
+ *
+ * @author Josh Cummings
+ * @since 5.3
+ */
+public class BadJwtException extends JwtException {
+	public BadJwtException(String message) {
+		super(message);
+	}
+
+	public BadJwtException(String message, Throwable cause) {
+		super(message, cause);
+	}
+}

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidationException.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@
  * @author Josh Cummings
  * @since 5.1
  */
-public class JwtValidationException extends JwtException {
+public class JwtValidationException extends BadJwtException {
 	private final Collection<OAuth2Error> errors;
 
 	/**

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import java.util.function.Consumer;
 import javax.crypto.SecretKey;
 
+import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.RemoteKeySourceException;
 import com.nimbusds.jose.jwk.source.JWKSource;
@@ -120,7 +121,7 @@ public void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Obje
 	public Jwt decode(String token) throws JwtException {
 		JWT jwt = parse(token);
 		if (jwt instanceof PlainJWT) {
-			throw new JwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
+			throw new BadJwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
 		}
 		Jwt createdJwt = createJwt(token, jwt);
 		return validateJwt(createdJwt);
@@ -130,7 +131,7 @@ private JWT parse(String token) {
 		try {
 			return JWTParser.parse(token);
 		} catch (Exception ex) {
-			throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
+			throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
 		}
 	}
 
@@ -152,11 +153,13 @@ private Jwt createJwt(String token, JWT parsedJwt) {
 			} else {
 				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
 			}
+		} catch (JOSEException ex) {
+			throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
 		} catch (Exception ex) {
 			if (ex.getCause() instanceof ParseException) {
-				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
+				throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
 			} else {
-				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
+				throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
 			}
 		}
 	}

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -136,7 +136,7 @@ public void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Obje
 	public Mono<Jwt> decode(String token) throws JwtException {
 		JWT jwt = parse(token);
 		if (jwt instanceof PlainJWT) {
-			throw new JwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
+			throw new BadJwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
 		}
 		return this.decode(jwt);
 	}
@@ -145,7 +145,7 @@ private JWT parse(String token) {
 		try {
 			return JWTParser.parse(token);
 		} catch (Exception ex) {
-			throw new JwtException("An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex);
+			throw new BadJwtException("An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex);
 		}
 	}
 
@@ -155,19 +155,25 @@ private Mono<Jwt> decode(JWT parsedToken) {
 				.map(set -> createJwt(parsedToken, set))
 				.map(this::validateJwt)
 				.onErrorMap(e -> !(e instanceof IllegalStateException) && !(e instanceof JwtException), e -> new JwtException("An error occurred while attempting to decode the Jwt: ", e));
+		} catch (JwtException ex) {
+			throw ex;
 		} catch (RuntimeException ex) {
 			throw new JwtException("An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex);
 		}
 	}
 
 	private Jwt createJwt(JWT parsedJwt, JWTClaimsSet jwtClaimsSet) {
-		Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
-		Map<String, Object> claims = this.claimSetConverter.convert(jwtClaimsSet.getClaims());
+		try {
+			Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
+			Map<String, Object> claims = this.claimSetConverter.convert(jwtClaimsSet.getClaims());
 
-		return Jwt.withTokenValue(parsedJwt.getParsedString())
-				.headers(h -> h.putAll(headers))
-				.claims(c -> c.putAll(claims))
-				.build();
+			return Jwt.withTokenValue(parsedJwt.getParsedString())
+					.headers(h -> h.putAll(headers))
+					.claims(c -> c.putAll(claims))
+					.build();
+		} catch (Exception ex) {
+			throw new BadJwtException("An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex);
+		}
 	}
 
 	private Jwt validateJwt(Jwt jwt) {
@@ -345,7 +351,7 @@ private Set<JWSAlgorithm> getExpectedJwsAlgorithms(JWSKeySelector<?> jwsKeySelec
 
 		private JWKSelector createSelector(Set<JWSAlgorithm> expectedJwsAlgorithms, Header header) {
 			if (!expectedJwsAlgorithms.contains(header.getAlgorithm())) {
-				throw new JwtException("Unsupported algorithm of " + header.getAlgorithm());
+				throw new BadJwtException("Unsupported algorithm of " + header.getAlgorithm());
 			}
 
 			return new JWKSelector(JWKMatcher.forJWSHeader((JWSHeader) header));
@@ -514,7 +520,7 @@ Converter<JWT, Mono<JWTClaimsSet>> processor() {
 							.collectList()
 							.map(jwks -> createClaimsSet(jwtProcessor, jwt, new JWKSecurityContext(jwks)));
 				}
-				throw new JwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
+				throw new BadJwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
 			};
 		}
 	}
@@ -524,7 +530,10 @@ private static <C extends SecurityContext> JWTClaimsSet createClaimsSet(JWTProce
 		try {
 			return jwtProcessor.process(parsedToken, context);
 		}
-		catch (BadJOSEException | JOSEException e) {
+		catch (BadJOSEException e) {
+			throw new BadJwtException("Failed to validate the token", e);
+		}
+		catch (JOSEException e) {
 			throw new JwtException("Failed to validate the token", e);
 		}
 	}

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/SingleKeyJWSKeySelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,7 +47,7 @@ final class SingleKeyJWSKeySelector<C extends SecurityContext> implements JWSKey
 	@Override
 	public List<? extends Key> selectJWSKeys(JWSHeader header, C context) {
 		if (!this.expectedJwsAlgorithm.equals(header.getAlgorithm())) {
-			throw new IllegalArgumentException("Unsupported algorithm of " + header.getAlgorithm());
+			throw new BadJwtException("Unsupported algorithm of " + header.getAlgorithm());
 		}
 		return this.keySet;
 	}

oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -132,7 +132,7 @@ public void setJwtValidatorWhenNullThenThrowIllegalArgumentException() {
 	@Test
 	public void decodeWhenJwtInvalidThenThrowJwtException() {
 		assertThatThrownBy(() -> this.jwtDecoder.decode("invalid"))
-				.isInstanceOf(JwtException.class);
+				.isInstanceOf(BadJwtException.class);
 	}
 
 	// gh-5168
@@ -152,14 +152,14 @@ public void decodeWhenIatClaimNullThenDoesNotThrowException() {
 	@Test
 	public void decodeWhenPlainJwtThenExceptionDoesNotMentionClass() {
 		assertThatCode(() -> this.jwtDecoder.decode(UNSIGNED_JWT))
-				.isInstanceOf(JwtException.class)
+				.isInstanceOf(BadJwtException.class)
 				.hasMessageContaining("Unsupported algorithm of none");
 	}
 
 	@Test
 	public void decodeWhenJwtIsMalformedThenReturnsStockException() {
 		assertThatCode(() -> this.jwtDecoder.decode(MALFORMED_JWT))
-				.isInstanceOf(JwtException.class)
+				.isInstanceOf(BadJwtException.class)
 				.hasMessage("An error occurred while attempting to decode the Jwt: Malformed payload");
 	}
 
@@ -205,6 +205,18 @@ public void decodeWhenUsingSignedJwtThenReturnsClaimsGivenByClaimSetConverter()
 		assertThat(jwt.getClaims().get("custom")).isEqualTo("value");
 	}
 
+	// gh-7885
+	@Test
+	public void decodeWhenClaimSetConverterFailsThenBadJwtException() {
+		Converter<Map<String, Object>, Map<String, Object>> claimSetConverter = mock(Converter.class);
+		this.jwtDecoder.setClaimSetConverter(claimSetConverter);
+
+		when(claimSetConverter.convert(any(Map.class))).thenThrow(new IllegalArgumentException("bad conversion"));
+
+		assertThatCode(() -> this.jwtDecoder.decode(SIGNED_JWT))
+				.isInstanceOf(BadJwtException.class);
+	}
+
 	@Test
 	public void decodeWhenSignedThenOk() {
 		NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(withSigning(JWK_SET));
@@ -217,6 +229,7 @@ public void decodeWhenJwkResponseIsMalformedThenReturnsStockException() {
 		NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(withSigning(MALFORMED_JWK_SET));
 		assertThatCode(() -> jwtDecoder.decode(SIGNED_JWT))
 				.isInstanceOf(JwtException.class)
+				.isNotInstanceOf(BadJwtException.class)
 				.hasMessage("An error occurred while attempting to decode the Jwt: Malformed Jwk set");
 	}
 
@@ -229,6 +242,7 @@ public void decodeWhenJwkEndpointIsUnresponsiveThenReturnsJwtException() throws
 			server.shutdown();
 			assertThatCode(() -> jwtDecoder.decode(SIGNED_JWT))
 					.isInstanceOf(JwtException.class)
+					.isNotInstanceOf(BadJwtException.class)
 					.hasMessageContaining("An error occurred while attempting to decode the Jwt");
 		}
 	}
@@ -301,7 +315,7 @@ public void decodeWhenUsingPublicKeyWithKidThenStillUsesKey() throws Exception {
 	public void decodeWhenSignatureMismatchesAlgorithmThenThrowsException() throws Exception {
 		NimbusJwtDecoder decoder = withPublicKey(key()).signatureAlgorithm(SignatureAlgorithm.RS512).build();
 		Assertions.assertThatCode(() -> decoder.decode(RS256_SIGNED_JWT))
-				.isInstanceOf(JwtException.class);
+				.isInstanceOf(BadJwtException.class);
 	}
 
 	@Test
@@ -345,7 +359,7 @@ public void decodeWhenUsingSecretKeyAndIncorrectAlgorithmThenThrowsJwtException(
 		SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
 		NimbusJwtDecoder decoder = withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS512).build();
 		assertThatThrownBy(() -> decoder.decode(signedJWT.serialize()))
-				.isInstanceOf(JwtException.class)
+				.isInstanceOf(BadJwtException.class)
 				.hasMessageContaining("Unsupported algorithm of HS256");
 	}