From ca272e42678373b7d35fa97994446761b46a74e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20Kov=C3=A1=C4=8D?= Date: Sun, 2 Aug 2020 13:16:38 +0200 Subject: [PATCH] Resolve Bearer token after subscribing to publisher Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error. After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber. Closes gh-8865 --- .../ServerBearerTokenAuthenticationConverter.java | 2 +- ...ServerBearerTokenAuthenticationConverterTests.java | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java index 24d6969c11..3fb802cf5d 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java @@ -48,7 +48,7 @@ public class ServerBearerTokenAuthenticationConverter private boolean allowUriQueryParameter = false; public Mono convert(ServerWebExchange exchange) { - return Mono.justOrEmpty(token(exchange.getRequest())) + return Mono.fromCallable(() -> token(exchange.getRequest())) .map(token -> { if (token.isEmpty()) { BearerTokenError error = invalidTokenError(); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java index c16f65c373..7b300cdbcb 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java @@ -122,6 +122,17 @@ public class ServerBearerTokenAuthenticationConverterTests { .hasMessageContaining(("Bearer token is malformed")); } + // gh-8865 + @Test + public void resolveWhenHeaderWithInvalidCharactersIsPresentAndNotSubscribedThenNoneExceptionIsThrown() { + MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest + .get("/") + .header(HttpHeaders.AUTHORIZATION, "Bearer an\"invalid\"token"); + + assertThatCode(() -> this.converter.convert(MockServerWebExchange.from(request))) + .doesNotThrowAnyException(); + } + @Test public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthenticationExceptionIsThrown() { MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest