From e0a71eb00e3a4351f75a8403a8809bb160c31114 Mon Sep 17 00:00:00 2001
From: Marcus Hert da Coregio
Date: Sat, 18 Oct 2025 13:13:50 -0300
Subject: [PATCH 1/2] Fix GenerateOneTimeTokenRequestResolver ignored if username param not present

Signed-off-by: Marcus Hert da Coregio
---
 .../ott/GenerateOneTimeTokenFilter.java | 6 ------
 .../ott/GenerateOneTimeTokenFilterTests.java | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
index b53c31dd18..0eefd98a89 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
@@ -30,7 +30,6 @@ import org.springframework.security.authentication.ott.OneTimeTokenService;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
-import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
@@ -68,11 +67,6 @@ public final class GenerateOneTimeTokenFilter extends OncePerRequestFilter {
 			filterChain.doFilter(request, response);
 			return;
 		}
-		String username = request.getParameter("username");
-		if (!StringUtils.hasText(username)) {
-			filterChain.doFilter(request, response);
-			return;
-		}
 		GenerateOneTimeTokenRequest generateRequest = this.requestResolver.resolve(request);
 		OneTimeToken ott = this.tokenService.generate(generateRequest);
 		if (generateRequest == null) {
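Review bot: With the `username` guard gone, a request whose `username` parameter is present but blank now reaches `this.requestResolver.resolve(request)` instead of being handed straight down the chain, so the resolver has become the only thing deciding whether a token is minted for a matched request; whether the default resolver declines a blank value is not visible in this hunk. I would record that contract at the resolve call: `// the resolver is the sole gate now: a null result means it declined (e.g. no usable username) and the request falls through the chain`. The method's signature and the remainder of the `generateRequest == null` branch lie outside the hunk.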
diff --git a/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java
index 4b639937c5..6d99045809 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java
@@ -113,4 +113,22 @@ public class GenerateOneTimeTokenFilterTests {
 		// @formatter:on
 	}
 
+	@Test
+	void filterWhenUsernameFormParamIsEmptyButRequestResolverCanResolveThenSuccess()
+			throws ServletException, IOException {
+		GenerateOneTimeTokenRequestResolver requestResolver = mock();
+		given(this.oneTimeTokenService.generate(ArgumentMatchers.any(GenerateOneTimeTokenRequest.class)))
+			.willReturn((new DefaultOneTimeToken(TOKEN, USERNAME, Instant.now())));
+		given(requestResolver.resolve(this.request)).willReturn(new GenerateOneTimeTokenRequest(USERNAME));
+
+		GenerateOneTimeTokenFilter filter = new GenerateOneTimeTokenFilter(this.oneTimeTokenService,
+				this.successHandler);
+		filter.setRequestResolver(requestResolver);
+
+		filter.doFilter(this.request, this.response, this.filterChain);
+
+		verify(this.oneTimeTokenService).generate(ArgumentMatchers.any(GenerateOneTimeTokenRequest.class));
+		assertThat(this.response.getRedirectedUrl()).isEqualTo("/login/ott");
+	}
+
 }

From 1c112005fa4e1b4da8ba03f2d301f5647ac39720 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 20 Oct 2025 11:58:57 -0600
Subject: [PATCH 2/2] Don't Attempt to Generate Token Without Valid Token Request

Closes gh-18088

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../web/authentication/ott/GenerateOneTimeTokenFilter.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
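Review bot: The test's name says the username form parameter is empty, but nothing in the hunk puts a `username` parameter on `this.request`, so as written it only exercises the parameter-absent case. If `this.request` is a `MockHttpServletRequest` (its setup is outside the hunk), adding `this.request.setParameter("username", "");` before `filter.doFilter(...)` would make the test match its name and cover the blank-value path the removed `StringUtils.hasText` guard used to short-circuit. It would also be worth asserting that the chain was not continued (for a Mockito chain, `verifyNoInteractions(this.filterChain)`), since the success handler's redirect alone does not prove the filter stopped there. The test method is complete within the hunk.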
diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
index 0eefd98a89..6f4788f1fe 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
@@ -68,11 +68,11 @@ public final class GenerateOneTimeTokenFilter extends OncePerRequestFilter {
 			return;
 		}
 		GenerateOneTimeTokenRequest generateRequest = this.requestResolver.resolve(request);
-		OneTimeToken ott = this.tokenService.generate(generateRequest);
 		if (generateRequest == null) {
 			filterChain.doFilter(request, response);
 			return;
 		}
+		OneTimeToken ott = this.tokenService.generate(generateRequest);
 		this.tokenGenerationSuccessHandler.handle(request, response, ott);
 	}
 
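Review bot: The null branch that now guards `this.tokenService.generate` has no test: patch 1's new test only covers a resolver that returns a request, so a regression that calls `generate(null)` before the check would not be caught. I would add a companion test in `GenerateOneTimeTokenFilterTests` where the mocked resolver returns null and which asserts `verify(this.oneTimeTokenService, never()).generate(any());` together with a check that the chain was continued. A one-line comment on the guard would also spell out the contract the ordering now relies on: `// a null request means the resolver declined (e.g. no usable username); continue the chain rather than mint a token`. The method's signature and the request-matcher check precede the hunk.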