#Spring security failing to convert String to RSA keys

getting the following error: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'securityConfig': Unsatisfied dependency expressed through field 'privateKey': Failed to convert value of type 'java.lang.String' to required type 'java.security.interfaces.RSAPrivateKey'; Failed to convert from type [java.lang.String] to type [@org.springframework.beans.factory.annotation.Value java.security.interfaces.RSAPrivateKey] for value [${jwt.private.key]

not sure what to do and havent been able to find much on this, anyone have any idea? thanks

⌛ This post has been reserved for your question.

Hey @prime birch! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

i have generated both private and public keys and have them in these files under resources

Can you show your SecurityConfig class?

or the class of the securityConfig bean

yea

Instead of injecting an RSAPrivateKey object, you can inject a resource

and then load it

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Value("${jwt.public.key}")
    private RSAPublicKey publicKey;
    @Value("${jwt.private.key")
    private RSAPrivateKey privateKey;

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(
                auth -> auth.requestMatchers("/authenticate").permitAll()
                        .requestMatchers(HttpMethod.POST, "/users").permitAll()
                        .anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults())
                .oauth2ResourceServer(
                        conf -> conf.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withPublicKey(publicKey).build();
    }

    @Bean
    JwtEncoder jwtEncoder() {
        var jwk = new RSAKey.Builder(publicKey).privateKey(privateKey).build();
        var jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
        return new NimbusJwtEncoder(jwks);
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

yeah so Value("${jwt.public.key}") doesn't work for RSAPublicKey objects

how come? im pretty sure i have done exactly the same in a previous project

you can probably inject it using a constructor like that:

public SecurityConfig(@Value("${jwt.public.key}") Resource publicKey, @Value("${jwt.private.key") Resource privateKey){
  //TODO convert them
}

oh?

i have seen it in spring security tutorials too

same Spring version?

hmm maybe not but it wasnt too long ago

i'll try this

that's the manual approach

you can also try this: https://stackoverflow.com/a/65745676/10871900

Maybe doing it automatically without any configuration requires some dependency

You are using Spring Boot, right?

yea

<dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>

        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

you might need spring-security-rsa or similar, idk

am i missing something?

maybe it only happens automatically if spring-boot-starter-security or similar is in the dependencies

Did you also use Spring Resource Server in the project where it works?

But I would try that

But why can't you use the RSA support of Spring resource server directly?

actually I found it

https://docs.spring.io/spring-security/reference/reactive/oauth2/resource-server/jwt.html#webflux-oauth2resourceserver-jwt-decoder-public-key-boot

that's the documentation of the thing you are using

or if you are using the imperitive thing and not reactive, it's https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-decoder-public-key-builder

@prime birch

or you might also follow that

I think that's actually the thing you need

(it's a bit above in the docs)

@Bean
BeanFactoryPostProcessor conversionServiceCustomizer() {
    return beanFactory ->
        beanFactory.getBean(RsaKeyConversionServicePostProcessor.class)
                .setResourceLoader(new CustomResourceLoader());
}

i'll give it a read

thanks

If you are finished with your post, please close it.
If you are not, please ignore this message.
Note that you will not be able to send further messages here after this post have been closed but you will be able to create new posts.

that should figure out the part about converting the keys - it just doesn't happen automatically without you telling it to

If this doesn't work like you want to, please check whether you have a RsaKeyConversionServicePostProcessor bean registered in your application

Are you using Eclipse with Spring Tools 4, VSC with Spring Tools 4, any other Spring Tools 4 IDE or IntelliJ Ultimate?

how do i check that?

im using intellij community

ok that doesn't have direct Spring support and doesn't tell you about the registered beans

so you'd need to check in the application

Do you have Spring actuator enabled for testing?

In any way, you can just try autowiring an RsaKeyConversionServicePostProcessor instance and you'll notice it if it doesn't work (unless the application crashes before that, then you wouldn't notice)

btw you might also need the spring-security-oauth2-jose for some JWT stuff (if you want to let Spring do the JWT verification etc): https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-minimaldependencies

essentially the docs should be useful

@modern quiver i think the issue was that i was missing a "}" at the end of the private key here lol

ffs

thanks a lot for the help anyway

If you are finished with your post, please close it.
If you are not, please ignore this message.
Note that you will not be able to send further messages here after this post have been closed but you will be able to create new posts.

ohhhh

wow