From 9fe8949883a74158b94114458128e7fbb01e7959 Mon Sep 17 00:00:00 2001
From: Florian Aumeier
Date: Wed, 29 May 2019 11:50:22 +0200
Subject: [PATCH] Add @transient to OAuth2IntrospectionAuthenticationToken fixes gh-6829
---
 .../OAuth2ResourceServerConfigurerTests.java | 16 ++++++++++++++++
 .../OAuth2IntrospectionAuthenticationToken.java | 2 ++
 2 files changed, 18 insertions(+)
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
index dcedddf93f..0877ec3310 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@@ -564,6 +564,22 @@ public class OAuth2ResourceServerConfigurerTests {
 assertThat(result.getRequest().getSession(false)).isNull();
 }
+ @Test
+ public void requestWhenIntrospectionConfiguredThenSessionIsNotCreated()
+ throws Exception {
+
+ this.spring.register(RestOperationsConfig.class, OpaqueTokenConfig.class, BasicController.class).autowire();
+ mockRestOperations(json("Active"));
+
+ MvcResult result = this.mvc.perform(get("/authenticated")
+ .with(bearerToken("token")))
+ .andExpect(status().isOk())
+ .andExpect(content().string("test-subject"))
+ .andReturn();
+
+ assertThat(result.getRequest().getSession(false)).isNull();
+ }
+
 @Test public void requestWhenUsingDefaultsAndNoBearerTokenThenSessionIsCreated() throws Exception {
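Review bot: `requestWhenIntrospectionConfiguredThenSessionIsNotCreated` asserts that no session exists but does not say why, and the reason is the security property this commit protects. A comment above the final assertion would make it explicit, for example `// introspected tokens are @Transient: the authentication must not be saved to the session, or it could outlive a revoked or expired token`. The test also depends on `OpaqueTokenConfig`, which is defined outside this hunk. If that config sets a stateless session policy, the assertion would pass even without `@Transient`, so it is worth confirming the config leaves session creation at its default.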
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationToken.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationToken.java
index 252410a364..72f2f96fa6 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationToken.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationToken.java
@@ -22,6 +22,7 @@ import java.util.Map;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.core.Transient;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.util.Assert;
@@ -36,6 +37,7 @@ import static org.springframework.security.oauth2.server.resource.introspection.
 * @author Josh Cummings
 * @since 5.2
 */
+@Transient
 public class OAuth2IntrospectionAuthenticationToken extends AbstractOAuth2TokenAuthenticationToken {
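Review bot: The class Javadoc directly above the new `@Transient` (only its `@author`/`@since` tail is visible in this hunk) should state why the token is transient, because callers rely on this as a security property. A sentence such as `This token is {@link Transient}: it is re-established from the bearer token on every request and is not saved to the HTTP session, so a revoked or expired token cannot remain authenticated through a session.` would do. The annotation is only a marker, so it takes effect only where the security context repository checks for it. A custom `SecurityContextRepository` that ignores it would presumably still persist this token, which is worth mentioning in the same Javadoc. The class body continues past the end of the hunk.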