Avoid Exception Message in HTTP Response

Fixes gh-4587
Rob Winch 2017-09-28 16:32:38 -05:00
parent 1c9b627267
commit 646b3e48b3
6 changed files with 17 additions and 13 deletions


@ -15,6 +15,7 @@
*/ */
package org.springframework.security.oauth2.client.web; package org.springframework.security.oauth2.client.web;
import org.springframework.http.HttpStatus;
import org.springframework.security.crypto.keygen.StringKeyGenerator; import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@ -148,7 +149,7 @@ public class AuthorizationCodeRequestRedirectFilter extends OncePerRequestFilter
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("Authorization Request failed: " + failed.toString(), failed); logger.debug("Authorization Request failed: " + failed.toString(), failed);
} }
response.sendError(HttpServletResponse.SC_BAD_REQUEST, failed.getMessage()); response.sendError(HttpStatus.BAD_REQUEST.value(), HttpStatus.BAD_REQUEST.getReasonPhrase());
} }
private String expandRedirectUri(HttpServletRequest request, ClientRegistration clientRegistration) { private String expandRedirectUri(HttpServletRequest request, ClientRegistration clientRegistration) {
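Review bot: The reason for replacing `failed.getMessage()` with `HttpStatus.BAD_REQUEST.getReasonPhrase()` in the `sendError` call is not recorded at the call site, so a later edit could reintroduce the exception text into the response body without anything flagging it. A one-line comment above the call would pin the intent, e.g. `// Do not echo the exception message to the client; it can disclose internal details (gh-4587).` The same comment is worth adding at the `sendError` calls changed in AccessDeniedHandlerImpl, SimpleUrlAuthenticationFailureHandler, BasicAuthenticationEntryPoint and DigestAuthenticationEntryPoint in this commit. The enclosing method of this hunk starts outside it.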


@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.WebAttributes; import org.springframework.security.web.WebAttributes;
@ -65,15 +66,15 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
accessDeniedException); accessDeniedException);
// Set the 403 status code. // Set the 403 status code.
response.setStatus(HttpServletResponse.SC_FORBIDDEN); response.setStatus(HttpStatus.FORBIDDEN.value());
// forward to error page. // forward to error page.
RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage); RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
dispatcher.forward(request, response); dispatcher.forward(request, response);
} }
else { else {
response.sendError(HttpServletResponse.SC_FORBIDDEN, response.sendError(HttpStatus.FORBIDDEN.value(),
accessDeniedException.getMessage()); HttpStatus.FORBIDDEN.getReasonPhrase());
} }
} }
} }


@ -24,6 +24,7 @@ import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.WebAttributes; import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.DefaultRedirectStrategy;
@ -74,8 +75,8 @@ public class SimpleUrlAuthenticationFailureHandler implements
if (defaultFailureUrl == null) { if (defaultFailureUrl == null) {
logger.debug("No failure URL set, sending 401 Unauthorized error"); logger.debug("No failure URL set, sending 401 Unauthorized error");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, response.sendError(HttpStatus.UNAUTHORIZED.value(),
"Authentication Failed: " + exception.getMessage()); HttpStatus.UNAUTHORIZED.getReasonPhrase());
} }
else { else {
saveException(request, exception); saveException(request, exception);
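Review bot: With the exception message no longer sent to the client in the `defaultFailureUrl == null` branch, the log line `"No failure URL set, sending 401 Unauthorized error"` is the only remaining place the failure could be observed, yet it does not include the exception at all. Unless the exception is logged earlier in the method (which starts outside this hunk), passing it as the throwable argument keeps the diagnostic available to operators without exposing it in the response: `logger.debug("No failure URL set, sending 401 Unauthorized error", exception);`.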


@ -22,6 +22,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.InitializingBean;
@ -57,8 +58,7 @@ public class BasicAuthenticationEntryPoint implements AuthenticationEntryPoint,
public void commence(HttpServletRequest request, HttpServletResponse response, public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException { AuthenticationException authException) throws IOException, ServletException {
response.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\""); response.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
authException.getMessage());
} }
public String getRealmName() { public String getRealmName() {


@ -27,6 +27,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.InitializingBean;
import org.springframework.core.Ordered; import org.springframework.core.Ordered;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
@ -109,8 +110,8 @@ public class DigestAuthenticationEntryPoint implements AuthenticationEntryPoint,
} }
httpResponse.addHeader("WWW-Authenticate", authenticateHeader); httpResponse.addHeader("WWW-Authenticate", authenticateHeader);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, httpResponse.sendError(HttpStatus.UNAUTHORIZED.value(),
authException.getMessage()); HttpStatus.UNAUTHORIZED.getReasonPhrase());
} }
public String getKey() { public String getKey() {


@ -18,6 +18,7 @@ package org.springframework.security.web.authentication.www;
import org.junit.Test; import org.junit.Test;
import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.DisabledException; import org.springframework.security.authentication.DisabledException;
@ -65,11 +66,10 @@ public class BasicAuthenticationEntryPointTests {
// ep.afterPropertiesSet(); // ep.afterPropertiesSet();
String msg = "These are the jokes kid"; ep.commence(request, response, new DisabledException("These are the jokes kid"));
ep.commence(request, response, new DisabledException(msg));
assertThat(response.getStatus()).isEqualTo(401); assertThat(response.getStatus()).isEqualTo(401);
assertThat(response.getErrorMessage()).isEqualTo(msg); assertThat(response.getErrorMessage()).isEqualTo(HttpStatus.UNAUTHORIZED.getReasonPhrase());
assertThat(response.getHeader("WWW-Authenticate")) assertThat(response.getHeader("WWW-Authenticate"))
.isEqualTo("Basic realm=\"hello\""); .isEqualTo("Basic realm=\"hello\"");