Expected Behavior

A custom AuthenticationDetailsSource can be injected into BearerTokenAuthenticationFilter.

Current Behavior

The authenticationDetailsSource field is final, so it can't.

Context

In order to authenticate with a bearer token, I'm writing an AuthenticationManager containing the authentication logic using Spring Security. To do this, I have to put additional information into the details of the Authentication and change the authenticationDetailsSource field of the org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter class. But the field is declared as final, and I am forced to use the WebAuthenticationDetailsSource class.

I think it may be possible to provide a setter so that a newly defined AuthenticationDetailsSource can be injected from outside, but I am wondering what is forcing it.

Can you please consider providing a setter for the authenticationDetailsSource field in BearerTokenAuthenticationFilter?

Version: spring-security 5.3.2.RELEASE

Comment From: jzheaux

Thanks for the suggestion, @thecodinglog. I think it's reasonable to consider this since other filters also have the same setter.

I'm thinking, though, that adding support for an AuthenticationConverter might make a bit more sense, similar to how things are done with AuthenticationFilter. Then, you could use whatever AuthenticationDetailsSource you want or simply replace the authentication token with one that better suits your needs.

If the code were changed from:

String token;

try {
    token = this.bearerTokenResolver.convert(request);
} catch (OAuth2AuthenticationException invalid) {
    this.authenticationEntryPoint.commence(request, response, invalid);
    return;
}

to:

Authentication token;

try {
    token = this.authenticationConverter.convert(request);
} catch (OAuth2AuthenticationException invalid) {
    this.authenticationEntryPoint.commence(request, response, invalid);
    return;
}

would that allow you to add extra detail that you need?

Comment From: thecodinglog

The method you suggested is much more intuitive and makes more sense than adding a setter. It also perfectly matches what I want.

What I was trying to do was to use the hashed body, requested URL and remote address from the Request object for authentication.

Thank you.
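
One way to combine the two points above (an AuthenticationConverter in place of the fixed BearerTokenResolver, and request-bound details such as the hashed body, URL and remote address), written as an added example rather than code from this issue or from Spring Security itself. The converter resolves the bearer token the same way the filter does today, then attaches a details object to the resulting BearerTokenAuthenticationToken so the AuthenticationManager can check it. The class and field names (DetailedBearerTokenAuthenticationConverter, RequestBindingDetails) are assumptions; the Spring types it uses (AuthenticationConverter, DefaultBearerTokenResolver, BearerTokenAuthenticationToken) are existing Spring Security 5.x API.

```java
// Added example, not part of the issue or of Spring Security.
// Names DetailedBearerTokenAuthenticationConverter and RequestBindingDetails are assumptions.
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.StreamUtils;

public class DetailedBearerTokenAuthenticationConverter implements AuthenticationConverter {

    private final BearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();

    @Override
    public Authentication convert(HttpServletRequest request) {
        // Same resolution the filter performs today. A missing token yields null,
        // so the filter continues the chain unauthenticated; a malformed header
        // makes the resolver throw OAuth2AuthenticationException, which the
        // filter hands to its AuthenticationEntryPoint.
        String token = this.bearerTokenResolver.resolve(request);
        if (token == null) {
            return null;
        }
        BearerTokenAuthenticationToken authentication = new BearerTokenAuthenticationToken(token);
        // This is the part the final authenticationDetailsSource field prevents:
        // the details are whatever the AuthenticationManager needs to verify.
        authentication.setDetails(RequestBindingDetails.from(request));
        return authentication;
    }

    /** Request attributes the AuthenticationManager can bind the token to. */
    public static final class RequestBindingDetails {

        private final String remoteAddress;
        private final String requestUrl;
        private final String bodySha256Hex;

        private RequestBindingDetails(String remoteAddress, String requestUrl, String bodySha256Hex) {
            this.remoteAddress = remoteAddress;
            this.requestUrl = requestUrl;
            this.bodySha256Hex = bodySha256Hex;
        }

        static RequestBindingDetails from(HttpServletRequest request) {
            StringBuilder url = new StringBuilder(request.getRequestURL());
            if (request.getQueryString() != null) {
                url.append('?').append(request.getQueryString());
            }
            return new RequestBindingDetails(request.getRemoteAddr(), url.toString(), sha256Hex(readBody(request)));
        }

        // Reads the servlet input stream, which consumes it. Assumption: the
        // application installs a body-buffering request wrapper earlier in the
        // chain so downstream handlers can read the body again.
        private static byte[] readBody(HttpServletRequest request) {
            try {
                return StreamUtils.copyToByteArray(request.getInputStream());
            } catch (IOException ex) {
                throw new IllegalStateException("Unable to read request body for hashing", ex);
            }
        }

        private static String sha256Hex(byte[] input) {
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(input);
                StringBuilder hex = new StringBuilder(digest.length * 2);
                for (byte b : digest) {
                    hex.append(String.format("%02x", b));
                }
                return hex.toString();
            } catch (NoSuchAlgorithmException ex) {
                throw new IllegalStateException("SHA-256 is required by the JCA spec", ex);
            }
        }

        public String getRemoteAddress() {
            return this.remoteAddress;
        }

        public String getRequestUrl() {
            return this.requestUrl;
        }

        public String getBodySha256Hex() {
            return this.bodySha256Hex;
        }
    }
}
```

With the converter setter proposed in this thread, the filter would call this class in place of its BearerTokenResolver; until then, the same converter can already be passed to AuthenticationFilter, which accepts an AuthenticationConverter in its constructor. The AuthenticationManager then reads the RequestBindingDetails from Authentication.getDetails() and rejects the token when the recorded address, URL or body hash does not match what the token was issued for.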

Comment From: jzheaux

Great, @thecodinglog. Would you be interested in submitting a PR to add that functionality?

Comment From: thecodinglog

Sure. I will submit a PR soon.