Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 09:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix OAuth2AuthorizationRequestRedirectWebFilter baseurl exclude querystring

Browse Source 
To create redirect_uri in OAuth2AuthorizationRequestRedirectWebFilter,
queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate,
the wrong type of redirect_uri may be created.

Fixed: gh-5520
This commit is contained in:
mhyeon.lee 2018-07-23 10:47:23 +09:00 committed by Joe Grandja
parent 195a6943e2
commit ba29b363fc
2 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java
View File

@ -199,6 +199,7 @@ public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request)) String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request))
.replacePath(request.getPath().contextPath().value()) .replacePath(request.getPath().contextPath().value())
.replaceQuery(null)
.build() .build()
.toUriString(); .toUriString();
uriVariables.put("baseUrl", baseUrl); uriVariables.put("baseUrl", baseUrl);

20
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java
View File

@ -135,6 +135,26 @@ public class OAuth2AuthorizationRequestRedirectWebFilterTests {
verify(this.authzRequestRepository).saveAuthorizationRequest(any(), any()); verify(this.authzRequestRepository).saveAuthorizationRequest(any(), any());
} }
// gh-5520
@Test
public void filterWhenDoesMatchThenResolveRedirectUriExpandedExcludesQueryString() {
FluxExchangeResult<String> result = this.client.get()
.uri("https://example.com/oauth2/authorization/github?foo=bar").exchange()
.expectStatus().is3xxRedirection().returnResult(String.class);
result.assertWithDiagnostics(() -> {
URI location = result.getResponseHeaders().getLocation();
assertThat(location)
.hasScheme("https")
.hasHost("github.com")
.hasPath("/login/oauth/authorize")
.hasParameter("response_type", "code")
.hasParameter("client_id", "clientId")
.hasParameter("scope", "read:user")
.hasParameter("state")
.hasParameter("redirect_uri", "https://example.com/login/oauth2/code/github");
});
}
@Test @Test
public void filterWhenExceptionThenRedirected() { public void filterWhenExceptionThenRedirected() {
FilteringWebHandler webHandler = new FilteringWebHandler(e -> Mono.error(new ClientAuthorizationRequiredException(this.github.getRegistrationId())), Arrays.asList(this.filter)); FilteringWebHandler webHandler = new FilteringWebHandler(e -> Mono.error(new ClientAuthorizationRequiredException(this.github.getRegistrationId())), Arrays.asList(this.filter));