From dfaf251970e1fb555219be4e8e27a5ac7e7f0ac7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20Kov=C3=A1=C4=8D?= Date: Sun, 2 Aug 2020 13:16:38 +0200 Subject: [PATCH] Resolve Bearer token after subscribing to publisher Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error. After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber. Closes gh-8865 --- .../ServerBearerTokenAuthenticationConverter.java | 2 +- ...ServerBearerTokenAuthenticationConverterTests.java | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java index 0c712f0b93..d59c943e6c 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java @@ -53,7 +53,7 @@ public class ServerBearerTokenAuthenticationConverter private String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION; public Mono convert(ServerWebExchange exchange) { - return Mono.justOrEmpty(token(exchange.getRequest())) + return Mono.fromCallable(() -> token(exchange.getRequest())) .map(token -> { if (token.isEmpty()) { BearerTokenError error = invalidTokenError(); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java index c35c344580..e7932d6f66 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java @@ -142,6 +142,17 @@ public class ServerBearerTokenAuthenticationConverterTests { .hasMessageContaining(("Bearer token is malformed")); } + // gh-8865 + @Test + public void resolveWhenHeaderWithInvalidCharactersIsPresentAndNotSubscribedThenNoneExceptionIsThrown() { + MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest + .get("/") + .header(HttpHeaders.AUTHORIZATION, "Bearer an\"invalid\"token"); + + assertThatCode(() -> this.converter.convert(MockServerWebExchange.from(request))) + .doesNotThrowAnyException(); + } + @Test public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthenticationExceptionIsThrown() { MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest