Fix oauth2login loginProcessingUrl NPE for java config

Java Config http.oauth2Login().loginProcessingUrl("url"); throws NPE. Override loginProcessingUrl method and cached config url. Then when the config is initialized, it calls the super method to complete the configuration. Fixes gh-5488
2018-07-06 18:35:16 +09:00 · 2018-07-06 18:35:16 +09:00 · 2af69f08a9
parent 522bfe9e05
commit 2af69f08a9
2 changed files with 52 additions and 3 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -124,6 +124,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 	private final RedirectionEndpointConfig redirectionEndpointConfig = new RedirectionEndpointConfig();
 	private final UserInfoEndpointConfig userInfoEndpointConfig = new UserInfoEndpointConfig();
 	private String loginPage;
+	private String loginProcessingUrl = OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;

 	/**
 	 * Sets the repository of client registrations.
@ -156,6 +157,13 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 		return this;
 	}

+	@Override
+	public OAuth2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) {
+		Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be empty");
+		this.loginProcessingUrl = loginProcessingUrl;
+		return this;
+	}
+
 	/**
 	 * Returns the {@link AuthorizationEndpointConfig} for configuring the Authorization Server's Authorization Endpoint.
 	 *
@ -378,9 +386,9 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 			new OAuth2LoginAuthenticationFilter(
 				OAuth2ClientConfigurerUtils.getClientRegistrationRepository(this.getBuilder()),
 				OAuth2ClientConfigurerUtils.getAuthorizedClientService(this.getBuilder()),
-				OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
+				this.loginProcessingUrl);
 		this.setAuthenticationFilter(authenticationFilter);
-		this.loginProcessingUrl(OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
+		super.loginProcessingUrl(this.loginProcessingUrl);
 		if (this.loginPage != null) {
 			super.loginPage(this.loginPage);
 		}
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java
@ -197,6 +197,34 @@ public class OAuth2LoginConfigurerTests {
 		assertThat(authentication.getAuthorities()).last().hasToString("ROLE_OAUTH2_USER");
 	}

+	// gh-5488
+	@Test
+	public void oauth2LoginConfigLoginProcessingUrl() throws Exception {
+		// setup application context
+		loadConfig(OAuth2LoginConfigLoginProcessingUrl.class);
+
+		// setup authorization request
+		OAuth2AuthorizationRequest authorizationRequest = createOAuth2AuthorizationRequest();
+		this.request.setServletPath("/login/oauth2/google");
+		this.authorizationRequestRepository.saveAuthorizationRequest(
+				authorizationRequest, this.request, this.response);
+
+		// setup authentication parameters
+		this.request.setParameter("code", "code123");
+		this.request.setParameter("state", authorizationRequest.getState());
+
+		// perform test
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
+
+		// assertions
+		Authentication authentication = this.securityContextRepository
+				.loadContext(new HttpRequestResponseHolder(this.request, this.response))
+				.getAuthentication();
+		assertThat(authentication.getAuthorities()).hasSize(1);
+		assertThat(authentication.getAuthorities()).first()
+				.isInstanceOf(OAuth2UserAuthority.class).hasToString("ROLE_USER");
+	}
+
 	@Test
 	public void oidcLogin() throws Exception {
 		// setup application context
@ -365,6 +393,19 @@ public class OAuth2LoginConfigurerTests {
 		}
 	}

+	@EnableWebSecurity
+	static class OAuth2LoginConfigLoginProcessingUrl extends CommonWebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.oauth2Login()
+					.clientRegistrationRepository(
+						new InMemoryClientRegistrationRepository(CLIENT_REGISTRATION))
+					.loginProcessingUrl("/login/oauth2/*");
+			super.configure(http);
+		}
+	}
+
 	private static abstract class CommonWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {