I've created a helper library for internal purposes which abstracts OAuth2 token information for Spring Boot 2.7 and 3.0. The library is compiled with Java 11.

Fragment of the code.

JwtAuthenticationToken token;
....
{
        ....
        Jwt jwt = token.getToken();
        URL issuer = jwt.getIssuer();
        ...
}

This fails with Spring Boot 3.0. It looks like in Spring Security v6 the class AbstractOAuth2TokenAuthenticationToken has the signature

public abstract class AbstractOAuth2TokenAuthenticationToken<T extends AbstractOAuth2Token>

but Spring Security 5.7.6 has

public abstract class AbstractOAuth2TokenAuthenticationToken<T extends AbstractOAuth2Token>

The above code throws the following on token.getToken():

java.lang.NoSuchMethodError: 'org.springframework.security.oauth2.core.AbstractOAuth2Token org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken.getToken()'

Comparing bytecode of the org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken gives:

<          1: invokevirtual #7                  // Method getToken:()Lorg/springframework/security/oauth2/core/AbstractOAuth2Token;
---
>          1: invokevirtual #28                 // Method getToken:()Lorg/springframework/security/oauth2/core/OAuth2Token;

However, in both versions the Jwt class is defined as

public class Jwt extends AbstractOAuth2Token implements JwtClaimAccessor

This led me to https://github.com/spring-projects/spring-security/issues/10959 and https://github.com/spring-projects/spring-authorization-server/issues/733

Was there any particular reason for this change? How to isolate this so the library can be used in both spring boot 2.7 and 3.0 projects?

Regards, Daniel

Comment From: ivenhov

For completeness here are some links which I think describe the problem

https://www.morling.dev/blog/refining-return-type-java-methods-without-breaking-backwards-compatibility/
https://www.reddit.com/r/java/comments/r15jjj/refining_the_return_type_of_java_methods_without/
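
Added example, not part of the original thread and not Spring Security's code: the linkage failure reported above, reproduced with constructed stand-in classes. Token, AbstractToken, JwtToken, AuthV5 and AuthV6 are hypothetical names mirroring OAuth2Token, AbstractOAuth2Token, Jwt and the 5.x and 6.0 shapes of the authentication token. It shows that a call site is bound to the method name plus the erased return type, so a caller compiled against one shape cannot resolve the other.

```java
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

public class ReturnTypeLinkageDemo {
    // Constructed stand-ins (assumptions) for OAuth2Token, AbstractOAuth2Token and Jwt.
    interface Token { String issuer(); }
    static abstract class AbstractToken implements Token { }
    static class JwtToken extends AbstractToken {
        public String issuer() { return "https://issuer.example"; }
    }

    // Shape of the 5.x class: the bound is the abstract class, so getToken() erases to it.
    static class AuthV5<T extends AbstractToken> {
        private final T token;
        AuthV5(T token) { this.token = token; }
        public T getToken() { return token; }
    }

    // Shape of the 6.0 class: the bound is the interface, so getToken() erases to it.
    static class AuthV6<T extends Token> {
        private final T token;
        AuthV6(T token) { this.token = token; }
        public T getToken() { return token; }
    }

    // Name plus descriptor of getToken() as the compiled class exposes it.
    static String descriptorOf(Class<?> owner) throws NoSuchMethodException {
        Class<?> erased = owner.getMethod("getToken").getReturnType();
        return "getToken:" + MethodType.methodType(erased).toMethodDescriptorString();
    }

    // Exact-descriptor lookup, the same matching rule the JVM applies when it
    // links an invokevirtual instruction compiled into a caller.
    static boolean links(Class<?> owner, Class<?> returnType) {
        try {
            MethodHandles.lookup().findVirtual(owner, "getToken", MethodType.methodType(returnType));
            return true;
        } catch (NoSuchMethodException | IllegalAccessException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("5.x shape: " + descriptorOf(AuthV5.class));
        System.out.println("6.0 shape: " + descriptorOf(AuthV6.class));
        // A caller compiled against the 5.x shape asks for the AbstractToken return type.
        System.out.println("old call site links to 5.x: " + links(AuthV5.class, AbstractToken.class));
        System.out.println("old call site links to 6.0: " + links(AuthV6.class, AbstractToken.class));
    }
}
```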

Comment From: jgrandja

@ivenhov

> Was there any particular reason for this change?

AbstractOAuth2Token has existed since the beginning of OAuth2 support in 5.0, whereas OAuth2Token was introduced in 5.5. The reason OAuth2Token was introduced is the growing number of new implementations of OAuth2 tokens. The general design preference is to use an interface instead of an abstract class when being referenced from collaborating components, and the plan was to refactor usages of AbstractOAuth2Token to OAuth2Token. However, we were not able to apply this change in a minor version and therefore needed to wait for a major version, which allows us to make a breaking change as we follow Semantic Versioning.

> How to isolate this so the library can be used in both spring boot 2.7 and 3.0 projects?

This is not possible since there are a few breaking changes between Spring Security 5.8 (Spring Boot 2.7) and Spring Security 6.0 (Spring Boot 3.0). See the migration guide on how to migrate from 5.8 to 6.0.