Allow configuration of oauth2 resource server through nested builder

Issue: gh-5557

Author: eleftherias

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -2108,6 +2108,55 @@ public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer() throw
 		return configurer;
 	}
 
+	/**
+	 * Configures OAuth 2.0 Resource Server support.
+	 *
+	 * <h2>Example Configuration</h2>
+	 *
+	 * The following example demonstrates how to configure a custom JWT authentication converter.
+	 *
+	 * <pre>
+	 * &#064;Configuration
+	 * &#064;EnableWebSecurity
+	 * public class OAuth2ClientSecurityConfig extends WebSecurityConfigurerAdapter {
+	 * 	&#064;Override
+	 * 	protected void configure(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			.authorizeRequests(authorizeRequests ->
+	 * 				authorizeRequests
+	 * 					.anyRequest().authenticated()
+	 * 			)
+	 * 			.oauth2ResourceServer(oauth2ResourceServer ->
+	 * 				oauth2ResourceServer
+	 * 					.jwt(jwt ->
+	 * 						jwt
+	 * 							.jwtAuthenticationConverter(jwtDecoder())
+	 * 					)
+	 * 			);
+	 *	}
+	 *
+	 * 	&#064;Bean
+	 * 	public JwtDecoder jwtDecoder() {
+	 * 		return JwtDecoders.fromOidcIssuerLocation(issuerUri);
+	 * 	}
+	 * }
+	 * </pre>
+	 *
+	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-1.1">OAuth 2.0 Authorization Framework</a>
+	 *
+	 * @param oauth2ResourceServerCustomizer the {@link Customizer} to provide more options for
+	 * the {@link OAuth2ResourceServerConfigurer}
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 */
+	public HttpSecurity oauth2ResourceServer(Customizer<OAuth2ResourceServerConfigurer<HttpSecurity>> oauth2ResourceServerCustomizer)
+			throws Exception {
+		OAuth2ResourceServerConfigurer<HttpSecurity> configurer = getOrApply(new OAuth2ResourceServerConfigurer<>(getContext()));
+		this.postProcess(configurer);
+		oauth2ResourceServerCustomizer.customize(configurer);
+		return HttpSecurity.this;
+	}
+
 	/**
 	 * Configures channel security. In order for this configuration to be useful at least
 	 * one mapping to a required channel must be provided.

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -25,6 +25,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
@@ -65,11 +66,12 @@
  * <li>{@link #accessDeniedHandler(AccessDeniedHandler)}</li> - customizes how access denied errors are handled
  * <li>{@link #authenticationEntryPoint(AuthenticationEntryPoint)}</li> - customizes how authentication failures are handled
  * <li>{@link #bearerTokenResolver(BearerTokenResolver)} - customizes how to resolve a bearer token from the request</li>
- * <li>{@link #jwt()} - enables Jwt-encoded bearer token support</li>
+ * <li>{@link #jwt(Customizer)} - enables Jwt-encoded bearer token support</li>
+ * <li>{@link #opaqueToken(Customizer)} - enables opaque bearer token support</li>
  * </ul>
  *
  * <p>
- * When using {@link #jwt()}, either
+ * When using {@link #jwt(Customizer)}, either
  *
  * <ul>
  * <li>
@@ -83,7 +85,7 @@
  * </li>
  * </ul>
  *
- * Also with {@link #jwt()} consider
+ * Also with {@link #jwt(Customizer)} consider
  *
  * <ul>
  * <li>
@@ -93,12 +95,12 @@
  * </ul>
  *
  * <p>
- * When using {@link #opaque()}, supply an introspection endpoint and its authentication configuration
+ * When using {@link #opaqueToken(Customizer)}, supply an introspection endpoint and its authentication configuration
  * </p>
  *
  * <h2>Security Filters</h2>
  *
- * The following {@code Filter}s are populated when {@link #jwt()} is configured:
+ * The following {@code Filter}s are populated when {@link #jwt(Customizer)} is configured:
  *
  * <ul>
  * <li>{@link BearerTokenAuthenticationFilter}</li>
@@ -180,6 +182,22 @@ public JwtConfigurer jwt() {
 		return this.jwtConfigurer;
 	}
 
+	/**
+	 * Enables Jwt-encoded bearer token support.
+	 *
+	 * @param jwtCustomizer the {@link Customizer} to provide more options for
+	 * the {@link JwtConfigurer}
+	 * @return the {@link OAuth2ResourceServerConfigurer} for further customizations
+	 * @throws Exception
+	 */
+	public OAuth2ResourceServerConfigurer<H> jwt(Customizer<JwtConfigurer> jwtCustomizer) throws Exception {
+		if ( this.jwtConfigurer == null ) {
+			this.jwtConfigurer = new JwtConfigurer(this.context);
+		}
+		jwtCustomizer.customize(this.jwtConfigurer);
+		return this;
+	}
+
 	public OpaqueTokenConfigurer opaqueToken() {
 		if (this.opaqueTokenConfigurer == null) {
 			this.opaqueTokenConfigurer = new OpaqueTokenConfigurer(this.context);
@@ -188,6 +206,23 @@ public OpaqueTokenConfigurer opaqueToken() {
 		return this.opaqueTokenConfigurer;
 	}
 
+	/**
+	 * Enables opaque bearer token support.
+	 *
+	 * @param opaqueTokenCustomizer the {@link Customizer} to provide more options for
+	 * the {@link OpaqueTokenConfigurer}
+	 * @return the {@link OAuth2ResourceServerConfigurer} for further customizations
+	 * @throws Exception
+	 */
+	public OAuth2ResourceServerConfigurer<H> opaqueToken(Customizer<OpaqueTokenConfigurer> opaqueTokenCustomizer)
+			throws Exception {
+		if (this.opaqueTokenConfigurer == null) {
+			this.opaqueTokenConfigurer = new OpaqueTokenConfigurer(this.context);
+		}
+		opaqueTokenCustomizer.customize(this.opaqueTokenConfigurer);
+		return this;
+	}
+
 	@Override
 	public void init(H http) throws Exception {
 		registerDefaultAccessDeniedHandler(http);