
Fix OAuth2AuthorizationRequestRedirectWebFilter baseurl exclude querystring

When OAuth2AuthorizationRequestRedirectWebFilter builds the redirect_uri,
the baseUrl derived from the current request still carried the request's query string.
When that baseUrl was expanded into the redirectUriTemplate,
a malformed redirect_uri could therefore be produced.

Fixed: gh-5520
pull/5559/merge
mhyeon.lee 8 years ago committed by Joe Grandja
parent
commit
ba29b363fc
  1. 1
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java
  2. 20
      oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java

1
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java

@ -199,6 +199,7 @@ public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter { @@ -199,6 +199,7 @@ public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request))
.replacePath(request.getPath().contextPath().value())
.replaceQuery(null)
.build()
.toUriString();
uriVariables.put("baseUrl", baseUrl);
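Review bot: The added `.replaceQuery(null)` carries no explanation of why the query string is dropped, and the next reader will not know it is load-bearing; a one-line why-comment on that line would help, e.g. `// drop the inbound query string so request parameters cannot leak into the expanded {baseUrl} (gh-5520)`. Separately, the baseUrl is still built from request-supplied scheme, host and port via fromHttpRequest, which in the Spring Framework line this code targets also honours Forwarded / X-Forwarded-* headers (I infer this from the API, confirm for the version in use); that means the redirect_uri sent to the authorization server is partly attacker-influenced whenever those headers are trusted, and the only backstop is the authorization server's comparison against the registered redirect URI. This is not introduced by the commit, but a short note next to this block stating that the value is request-derived and relies on the provider's redirect_uri validation would document the trust boundary. The enclosing method starts and ends outside the hunk.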

20
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java

@ -135,6 +135,26 @@ public class OAuth2AuthorizationRequestRedirectWebFilterTests { @@ -135,6 +135,26 @@ public class OAuth2AuthorizationRequestRedirectWebFilterTests {
verify(this.authzRequestRepository).saveAuthorizationRequest(any(), any());
}
// gh-5520
@Test
public void filterWhenDoesMatchThenResolveRedirectUriExpandedExcludesQueryString() {
FluxExchangeResult<String> result = this.client.get()
.uri("https://example.com/oauth2/authorization/github?foo=bar").exchange()
.expectStatus().is3xxRedirection().returnResult(String.class);
result.assertWithDiagnostics(() -> {
URI location = result.getResponseHeaders().getLocation();
assertThat(location)
.hasScheme("https")
.hasHost("github.com")
.hasPath("/login/oauth/authorize")
.hasParameter("response_type", "code")
.hasParameter("client_id", "clientId")
.hasParameter("scope", "read:user")
.hasParameter("state")
.hasParameter("redirect_uri", "https://example.com/login/oauth2/code/github");
});
}
@Test
public void filterWhenExceptionThenRedirected() {
FilteringWebHandler webHandler = new FilteringWebHandler(e -> Mono.error(new ClientAuthorizationRequiredException(this.github.getRegistrationId())), Arrays.asList(this.filter));
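Review bot: The new test pins redirect_uri to the full expected value, which proves `foo=bar` is not appended to it, but it leaves implicit that the inbound query should not reach the authorization request at all; adding `.hasNoParameter("foo")` to the assertion chain after `.hasParameter("state")` makes that intent explicit and will catch a regression where the parameter is copied elsewhere in the Location URL. It would also be worth a case that combines a query string with a non-empty context path, since `replacePath(contextPath)` and `replaceQuery(null)` are exercised together in production but only the no-context-path path is tested here; I cannot tell from this hunk how the test client's context path is configured, so this may need the class's setup. The method `filterWhenExceptionThenRedirected` that starts at the end of the hunk continues outside it.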
