Catch Malformed BearerTokenError Descriptions

Fixes gh-7549
Josh Cummings 2019-10-28 12:30:27 -06:00
parent 0ac5f5456f
commit 387f765595
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 27 additions and 6 deletions


@ -40,10 +40,13 @@ import org.springframework.util.Assert;
* @since 5.1 * @since 5.1
*/ */
public final class JwtReactiveAuthenticationManager implements ReactiveAuthenticationManager { public final class JwtReactiveAuthenticationManager implements ReactiveAuthenticationManager {
private final ReactiveJwtDecoder jwtDecoder;
private Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter private Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter
= new ReactiveJwtAuthenticationConverterAdapter(new JwtAuthenticationConverter()); = new ReactiveJwtAuthenticationConverterAdapter(new JwtAuthenticationConverter());
private final ReactiveJwtDecoder jwtDecoder; private static final OAuth2Error DEFAULT_INVALID_TOKEN =
invalidToken("An error occurred while attempting to decode the Jwt: Invalid token");
public JwtReactiveAuthenticationManager(ReactiveJwtDecoder jwtDecoder) { public JwtReactiveAuthenticationManager(ReactiveJwtDecoder jwtDecoder) {
Assert.notNull(jwtDecoder, "jwtDecoder cannot be null"); Assert.notNull(jwtDecoder, "jwtDecoder cannot be null");
@ -80,10 +83,15 @@ public final class JwtReactiveAuthenticationManager implements ReactiveAuthentic
} }
private static OAuth2Error invalidToken(String message) { private static OAuth2Error invalidToken(String message) {
return new BearerTokenError( try {
BearerTokenErrorCodes.INVALID_TOKEN, return new BearerTokenError(
HttpStatus.UNAUTHORIZED, BearerTokenErrorCodes.INVALID_TOKEN,
message, HttpStatus.UNAUTHORIZED,
"https://tools.ietf.org/html/rfc6750#section-3.1"); message,
"https://tools.ietf.org/html/rfc6750#section-3.1");
} catch (IllegalArgumentException malformed) {
// some third-party library error messages are not suitable for RFC 6750's error message charset
return DEFAULT_INVALID_TOKEN;
}
} }
} }
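Review bot: The new fallback in `invalidToken` is built through `invalidToken` itself (`DEFAULT_INVALID_TOKEN = invalidToken(...)` on the new side), so if that default description ever fails `BearerTokenError`'s RFC 6750 validation the catch block returns the not-yet-initialized field, i.e. `null`, and the manager would then hand a null error to `OAuth2AuthenticationException` instead of failing fast at class init. Construct the constant directly so a bad default blows up loudly: `private static final OAuth2Error DEFAULT_INVALID_TOKEN = new BearerTokenError(BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED, "An error occurred while attempting to decode the Jwt: Invalid token", "https://tools.ietf.org/html/rfc6750#section-3.1");`. The catch also discards the decoder's original text, which is the only record of why the token was rejected; since that text is what would have been reflected into `WWW-Authenticate`, replacing it with a generic description is the right security call, but consider a debug-level log of the original `message` (or naming the caught exception `ignored` with that comment) so operators can still diagnose malformed-description cases. The catch should arguably be narrowed in spirit too: a comment such as `// only the description is caller-supplied; code, status and URI are constants, so IllegalArgumentException here can only mean a bad description` documents why swallowing it is safe. The method that calls `invalidToken` with the decoder's message lies outside this hunk.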


@ -88,6 +88,19 @@ public class JwtReactiveAuthenticationManagerTests {
.isInstanceOf(OAuth2AuthenticationException.class); .isInstanceOf(OAuth2AuthenticationException.class);
} }
// gh-7549
@Test
public void authenticateWhenDecoderThrowsIncompatibleErrorMessageThenWrapsWithGenericOne() {
BearerTokenAuthenticationToken token = new BearerTokenAuthenticationToken("token-1");
when(this.jwtDecoder.decode(token.getToken())).thenThrow(new JwtException("with \"invalid\" chars"));
assertThatCode(() -> this.manager.authenticate(token).block())
.isInstanceOf(OAuth2AuthenticationException.class)
.hasFieldOrPropertyWithValue(
"error.description",
"An error occurred while attempting to decode the Jwt: Invalid token");
}
@Test @Test
public void authenticateWhenNotJwtExceptionThenPropagates() { public void authenticateWhenNotJwtExceptionThenPropagates() {
BearerTokenAuthenticationToken token = new BearerTokenAuthenticationToken("token-1"); BearerTokenAuthenticationToken token = new BearerTokenAuthenticationToken("token-1");
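Review bot: The new test `authenticateWhenDecoderThrowsIncompatibleErrorMessageThenWrapsWithGenericOne` pins only `error.description`, so a regression in the fallback that changed the error code or status (for example returning a plain `OAuth2Error` with a different code) would still pass. Add `.hasFieldOrPropertyWithValue("error.errorCode", BearerTokenErrorCodes.INVALID_TOKEN)` alongside the description check, and, if `BearerTokenError` exposes its status as a bean property, `.hasFieldOrPropertyWithValue("error.httpStatus", HttpStatus.UNAUTHORIZED)`. The expected description string is duplicated verbatim from the manager; a short comment noting that it must match the manager's `DEFAULT_INVALID_TOKEN` message would make an intentional wording change easier to keep in sync.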