Issue
The BearerTokenAuthenticationFilter uses an AuthenticationDetailsSource to build the details of an authentication request:
    authenticationRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
I am implicitly using the OAuth2ResourceServerConfigurer, provided by spring-security-config-5.7.2, which sadly doesn't consider a developer-defined AuthenticationDetailsSource:
    BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(resolver);
    filter.setBearerTokenResolver(bearerTokenResolver);
    filter.setAuthenticationEntryPoint(this.authenticationEntryPoint);
    filter = postProcess(filter);
    http.addFilter(filter);
I confirm that the BearerTokenAuthenticationFilter has the setter I need:
    setAuthenticationDetailsSource()
But I am unable to find a proper and simple way of using the setter (or any other way) to use a custom AuthenticationDetailsSource for that specific filter. I am trying to avoid creating a new filter or a new configuration.
What I have tried:
- Went to GitHub to see if there are any new versions - there are none, unfortunately.
- Tried to autowire the spring security filter chain and directly set the AuthenticationDetailsSource for the filter, but with no success so far.
Is there someone who managed to easily set the AuthenticationDetailsSource for a BearerTokenAuthenticationFilter?
Later edit
I have posted this question as a GitHub issue for the Spring Security team: https://github.com/spring-projects/spring-security/issues/11655
According to jzheaux@GitHub and as pointed out in the accepted answer, I successfully used an ObjectPostProcessor:
    http
        .oauth2ResourceServer((oauth2) -> oauth2
            .jwt(withDefaults())
            // Runs on the filter the configurer creates, before it is added to the chain
            .withObjectPostProcessor(new ObjectPostProcessor<BearerTokenAuthenticationFilter>() {
                @Override
                public BearerTokenAuthenticationFilter postProcess(BearerTokenAuthenticationFilter object) {
                    object.setAuthenticationDetailsSource(myAuthenticationDetailsSource);
                    return object;
                }
            })
        );
Solution
To set your own AuthenticationDetailsSource, create an ObjectPostProcessor class, where you can use setAuthenticationDetailsSource:
    public class MyObjectPostProcessor implements ObjectPostProcessor<BearerTokenAuthenticationFilter> {
        @Override
        public <O extends BearerTokenAuthenticationFilter> O postProcess(O filter) {
            filter.setAuthenticationDetailsSource(new MyAuthenticationDetailsSource());
            return filter;
        }
    }
Then you can set MyObjectPostProcessor when creating the SecurityFilterChain configuration:
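    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            // A token format (jwt() or opaqueToken()) must also be configured on the
            // resource server, as in the question; it is omitted here for brevity.
            http
                .oauth2ResourceServer()
                    .withObjectPostProcessor(new MyObjectPostProcessor());
            return http.build();
        }
    }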
Answered By - trpk1
Answer Checked By - Timothy Miller (JavaFixing Admin)
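The answer refers to a MyAuthenticationDetailsSource without showing one. The following is an added example, not code from the question, the answer or Spring Security: one possible implementation that records request context for audit logging. The nested RequestAuditDetails type and the choice of captured fields are assumptions; the javax.servlet import matches Spring Security 5.7.

```java
import javax.servlet.http.HttpServletRequest; // Spring Security 5.7 is built on javax.servlet

import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Added example: builds audit-oriented details for each bearer-token authentication request.
public class MyAuthenticationDetailsSource implements
        AuthenticationDetailsSource<HttpServletRequest, MyAuthenticationDetailsSource.RequestAuditDetails> {

    @Override
    public RequestAuditDetails buildDetails(HttpServletRequest request) {
        return new RequestAuditDetails(request);
    }

    // Hypothetical details type; extends the stock class so getRemoteAddress() keeps working.
    public static class RequestAuditDetails extends WebAuthenticationDetails {

        private static final long serialVersionUID = 1L;
        private static final int MAX_LENGTH = 256;

        private final String userAgent;
        private final String requestUri;

        RequestAuditDetails(HttpServletRequest request) {
            super(request); // captures the remote address and the existing session id, if any
            this.userAgent = sanitize(request.getHeader("User-Agent"));
            this.requestUri = sanitize(request.getRequestURI());
        }

        // Client-controlled values: replace control characters (log forging) and cap the length.
        private static String sanitize(String value) {
            if (value == null) {
                return "";
            }
            String cleaned = value.replaceAll("\\p{Cntrl}", "_");
            return cleaned.length() > MAX_LENGTH ? cleaned.substring(0, MAX_LENGTH) : cleaned;
        }

        public String getUserAgent() {
            return this.userAgent;
        }

        public String getRequestUri() {
            return this.requestUri;
        }
    }
}
```

Once the filter has been post-processed as shown in the answer, the authentication request it builds carries this object as its details. Everything in it comes from the client's request, so it is suitable for logging and correlation, not for authorization decisions.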