HttpSessionOAuth2AuthorizationRequestRepository removes empty Map from session

Fixes gh-5263
Joe Grandja 2018-05-02 11:07:26 -04:00
parent 49b63e260d
commit 4cc5705ae5
2 changed files with 27 additions and 1 deletions


@ -77,7 +77,11 @@ public final class HttpSessionOAuth2AuthorizationRequestRepository implements Au
}
Map<String, OAuth2AuthorizationRequest> authorizationRequests = this.getAuthorizationRequests(request);
OAuth2AuthorizationRequest originalRequest = authorizationRequests.remove(stateParameter);
request.getSession().setAttribute(this.sessionAttributeName, authorizationRequests);
if (!authorizationRequests.isEmpty()) {
request.getSession().setAttribute(this.sessionAttributeName, authorizationRequests);
} else {
request.getSession().removeAttribute(this.sessionAttributeName);
}
return originalRequest;
}
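Review bot: The new `else` branch calls `request.getSession()`, which creates a session when the request has none, so a callback that carries a `state` parameter but arrives without a session could have one allocated only to remove an attribute from it. Whether that path is reachable depends on `getAuthorizationRequests`, which is outside the hunk; if it returns an empty map for a session-less request, unauthenticated requests can force session creation. In that branch I would use `HttpSession session = request.getSession(false);` followed by `if (session != null) { session.removeAttribute(this.sessionAttributeName); }`. The method body starts above the hunk, so the earlier guards are not visible here.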


@ -242,6 +242,28 @@ public class HttpSessionOAuth2AuthorizationRequestRepositoryTests {
assertThat(loadedAuthorizationRequest).isNull();
}
// gh-5263
@Test
public void removeAuthorizationRequestWhenSavedThenRemovedFromSession() {
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
this.authorizationRequestRepository.saveAuthorizationRequest(
authorizationRequest, request, response);
request.addParameter(OAuth2ParameterNames.STATE, authorizationRequest.getState());
OAuth2AuthorizationRequest removedAuthorizationRequest =
this.authorizationRequestRepository.removeAuthorizationRequest(request);
String sessionAttributeName = HttpSessionOAuth2AuthorizationRequestRepository.class.getName() +
".AUTHORIZATION_REQUEST";
assertThat(removedAuthorizationRequest).isNotNull();
assertThat(request.getSession().getAttribute(sessionAttributeName)).isNull();
}
@Test
public void removeAuthorizationRequestWhenNotSavedThenNotRemoved() {
MockHttpServletRequest request = new MockHttpServletRequest();
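Review bot: Only the empty-map path of the new `if` is asserted by `removeAuthorizationRequestWhenSavedThenRemovedFromSession`; the branch that keeps the attribute while other authorization requests remain is not exercised in this hunk, though it may be covered elsewhere in the file. A companion test that saves two requests with distinct state values, removes one, and checks `assertThat(request.getSession().getAttribute(sessionAttributeName)).isNotNull();` would pin both sides of the condition. The attribute name is also rebuilt from the class name plus `".AUTHORIZATION_REQUEST"`, so the test depends on the repository's internal naming. A short comment such as `// must match the repository's default session attribute name` would make that coupling explicit.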