Polish OAuth2AuthorizationServerSecurity

Issue gh-91
6 years ago · 847814b322
3 changed files with 13 additions and 8 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2AuthorizationServerSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2AuthorizationServerSecurity.java
@ -15,8 +15,12 @@
				@@ -15,8 +15,12 @@
 */
 package org.springframework.security.config.annotation.web.configuration;

+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;

 import static org.springframework.security.config.Customizer.withDefaults;

@ -37,8 +41,14 @@ public class OAuth2AuthorizationServerSecurity extends WebSecurityConfigurerAdap
				@@ -37,8 +41,14 @@ public class OAuth2AuthorizationServerSecurity extends WebSecurityConfigurerAdap
 						.anyRequest().authenticated()
 			)
 			.formLogin(withDefaults())
+			.csrf(csrf -> csrf.ignoringRequestMatchers(tokenEndpointMatcher()))
 			.apply(new OAuth2AuthorizationServerConfigurer<>());
 	}
 	// @formatter:on

+	private static RequestMatcher tokenEndpointMatcher() {
+		return new AntPathRequestMatcher(
+				OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI,
+				HttpMethod.POST.name());
+	}
 }
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
@ -61,7 +61,6 @@ import static org.mockito.Mockito.reset;
				@@ -61,7 +61,6 @@ import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
@ -150,8 +149,7 @@ public class OAuth2AuthorizationCodeGrantTests {
				@@ -150,8 +149,7 @@ public class OAuth2AuthorizationCodeGrantTests {
 		this.mvc.perform(MockMvcRequestBuilders.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
 				.params(getTokenRequestParameters(registeredClient, authorization))
 				.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
-						registeredClient.getClientId(), registeredClient.getClientSecret()))
-				.with(csrf()))
+						registeredClient.getClientId(), registeredClient.getClientSecret())))
 				.andExpect(status().isOk())
 				.andExpect(header().string(HttpHeaders.CACHE_CONTROL, containsString("no-store")))
 				.andExpect(header().string(HttpHeaders.PRAGMA, containsString("no-cache")));
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java
@ -49,7 +49,6 @@ import static org.mockito.Mockito.reset;
				@@ -49,7 +49,6 @@ import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -88,8 +87,7 @@ public class OAuth2ClientCredentialsGrantTests {
				@@ -88,8 +87,7 @@ public class OAuth2ClientCredentialsGrantTests {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();

 		this.mvc.perform(MockMvcRequestBuilders.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
-				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
-				.with(csrf()))
+				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue()))
 				.andExpect(status().isUnauthorized());

 		verifyNoInteractions(registeredClientRepository);
@ -108,8 +106,7 @@ public class OAuth2ClientCredentialsGrantTests {
				@@ -108,8 +106,7 @@ public class OAuth2ClientCredentialsGrantTests {
 				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
 				.param(OAuth2ParameterNames.SCOPE, "scope1 scope2")
 				.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
-						registeredClient.getClientId(), registeredClient.getClientSecret()))
-				.with(csrf()))
+						registeredClient.getClientId(), registeredClient.getClientSecret())))
 				.andExpect(status().isOk())
 				.andExpect(jsonPath("$.access_token").isNotEmpty())
 				.andExpect(jsonPath("$.scope").value("scope1 scope2"));