Improve authoritiesClaimName validation in JwtGrantedAuthoritiesConverter

Use StringUtils.hasText() instead of null check to properly handle empty strings and whitespace-only strings.

Signed-off-by: chanbinme <[email protected]>

Author: chanbinme

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverter.java

@@ -106,7 +106,7 @@ public void setAuthoritiesClaimName(String authoritiesClaimName) {
 	}
 
 	private String getAuthoritiesClaimName(Jwt jwt) {
-		if (this.authoritiesClaimName != null) {
+		if (StringUtils.hasText(this.authoritiesClaimName)) {
 			return this.authoritiesClaimName;
 		}
 		for (String claimName : WELL_KNOWN_AUTHORITIES_CLAIM_NAMES) {

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverterTests.java

@@ -21,11 +21,15 @@
 import java.util.Collections;
 
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.NullSource;
+import org.junit.jupiter.params.provider.ValueSource;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.TestJwts;
+import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
@@ -270,4 +274,21 @@ public void convertWithCustomAuthoritiesSplitRegexWhenTokenHasScopeAttributeThen
 				new SimpleGrantedAuthority("SCOPE_message:write"));
 	}
 
+	@ParameterizedTest
+	@ValueSource(strings = { "", "   " })
+	@NullSource
+	public void convertWhenAuthoritiesClaimNameIsBlankThenUsesWellKnownClaims(String invalidClaimName)
+			throws Exception {
+		// @formatter:off
+		Jwt jwt = TestJwts.jwt()
+				.claim("scope", "message:read message:write")
+				.build();
+		// @formatter:on
+		JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
+		ReflectionTestUtils.setField(jwtGrantedAuthoritiesConverter, "authoritiesClaimName", invalidClaimName);
+		Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
+		assertThat(authorities).containsExactly(new SimpleGrantedAuthority("SCOPE_message:read"),
+				new SimpleGrantedAuthority("SCOPE_message:write"));
+	}
+
 }