Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish Bearer Token Padding 

Issue gh-8502
This commit is contained in:
Josh Cummings 2020-07-15 18:12:53 -06:00
parent 09e154d8f2
commit 9045636a4b
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
4 changed files with 21 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
View File

@ -38,7 +38,7 @@ import static org.springframework.security.oauth2.server.resource.BearerTokenErr
public final class DefaultBearerTokenResolver implements BearerTokenResolver { public final class DefaultBearerTokenResolver implements BearerTokenResolver {
private static final Pattern authorizationPattern = Pattern.compile( private static final Pattern authorizationPattern = Pattern.compile(
"^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$", "^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$",
Pattern.CASE_INSENSITIVE); Pattern.CASE_INSENSITIVE);
private boolean allowFormEncodedBodyParameter = false; private boolean allowFormEncodedBodyParameter = false;
@ -95,7 +95,7 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
throw new OAuth2AuthenticationException(error); throw new OAuth2AuthenticationException(error);
} }
return authorization.substring(7); return matcher.group("token");
} }
return null; return null;
} }

2
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java
View File

@ -46,7 +46,7 @@ import static org.springframework.security.oauth2.server.resource.BearerTokenErr
public class ServerBearerTokenAuthenticationConverter public class ServerBearerTokenAuthenticationConverter
implements ServerAuthenticationConverter { implements ServerAuthenticationConverter {
private static final Pattern authorizationPattern = Pattern.compile( private static final Pattern authorizationPattern = Pattern.compile(
"^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$", "^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$",
Pattern.CASE_INSENSITIVE); Pattern.CASE_INSENSITIVE);
private boolean allowUriQueryParameter = false; private boolean allowUriQueryParameter = false;

14
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -51,17 +51,9 @@ public class DefaultBearerTokenResolverTests {
assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN); assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN);
} }
// gh-8502
@Test @Test
public void resolveWhenValidHeaderIsPresentWithSingleBytePaddingIndicatorThenTokenIsResolved() { public void resolveWhenHeaderEndsWithPaddingIndicatorThenTokenIsResolved() {
String token = TEST_TOKEN + "=";
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization", "Bearer " + token);
assertThat(this.resolver.resolve(request)).isEqualTo(token);
}
@Test
public void resolveWhenValidHeaderIsPresentWithTwoBytesPaddingIndicatorThenTokenIsResolved() {
String token = TEST_TOKEN + "=="; String token = TEST_TOKEN + "==";
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization", "Bearer " + token); request.addHeader("Authorization", "Bearer " + token);

18
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -16,8 +16,11 @@
package org.springframework.security.oauth2.server.resource.web.server; package org.springframework.security.oauth2.server.resource.web.server;
import java.util.Base64;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.springframework.http.HttpHeaders; import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
@ -27,8 +30,6 @@ import org.springframework.security.oauth2.server.resource.BearerTokenAuthentica
import org.springframework.security.oauth2.server.resource.BearerTokenError; import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes; import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import java.util.Base64;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatCode; import static org.assertj.core.api.Assertions.assertThatCode;
import static org.assertj.core.api.Assertions.catchThrowableOfType; import static org.assertj.core.api.Assertions.catchThrowableOfType;
@ -56,6 +57,17 @@ public class ServerBearerTokenAuthenticationConverterTests {
assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN); assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
} }
// gh-8502
@Test
public void resolveWhenHeaderEndsWithPaddingIndicatorThenTokenIsResolved() {
String token = TEST_TOKEN + "==";
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest
.get("/")
.header(HttpHeaders.AUTHORIZATION, "Bearer " + token);
assertThat(convertToToken(request).getToken()).isEqualTo(token);
}
// gh-7011 // gh-7011
@Test @Test
public void resolveWhenValidHeaderIsEmptyStringThenTokenIsResolved() { public void resolveWhenValidHeaderIsEmptyStringThenTokenIsResolved() {