Don't Consume Request Body
Per the servlet spec, getParameter(name) consumes the request body for POST requests. This commit prevents DefaultOAuth2AuthorizationRequestResolver from consuming the request body for non-Authorization requests. Closes gh-8650
parent
24a04f9c5f
commit
cd3fd6762f
|
@ -87,6 +87,9 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
|
|||
@Override
|
||||
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
|
||||
String registrationId = this.resolveRegistrationId(request);
|
||||
if (registrationId == null) {
|
||||
return null;
|
||||
}
|
||||
String redirectUriAction = getAction(request, "login");
|
||||
return resolve(request, registrationId, redirectUriAction);
|
||||
}
|
||||
|
|
|
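Review bot: The early `return null` for `registrationId == null` in `resolve(HttpServletRequest)` is order-sensitive, and nothing in the code says so. It has to stay ahead of `getAction(request, "login")`, which presumably reads a request parameter and, per the commit description, would consume the body of a POST that belongs to the application rather than to the OAuth2 flow. I would add a comment above the check, for example `// Must run before getAction(): reading a parameter consumes the body of non-authorization POST requests`, so a later refactor does not reorder the two. Which lines are new is inferred from the hunk header, because the page has lost its +/- markers.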
@ -15,8 +15,12 @@
|
|||
*/
|
||||
package org.springframework.security.oauth2.client.web;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.mockito.Mockito;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
||||
|
@ -99,6 +103,24 @@ public class DefaultOAuth2AuthorizationRequestResolverTests {
|
|||
assertThat(authorizationRequest).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed() throws IOException {
|
||||
String requestUri = "/path";
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
|
||||
request.setContent("foo".getBytes(StandardCharsets.UTF_8));
|
||||
request.setCharacterEncoding(StandardCharsets.UTF_8.name());
|
||||
HttpServletRequest spyRequest = Mockito.spy(request);
|
||||
|
||||
this.resolver.resolve(spyRequest);
|
||||
|
||||
Mockito.verify(spyRequest, Mockito.never()).getReader();
|
||||
Mockito.verify(spyRequest, Mockito.never()).getInputStream();
|
||||
Mockito.verify(spyRequest, Mockito.never()).getParameter(Mockito.anyString());
|
||||
Mockito.verify(spyRequest, Mockito.never()).getParameterMap();
|
||||
Mockito.verify(spyRequest, Mockito.never()).getParameterNames();
|
||||
Mockito.verify(spyRequest, Mockito.never()).getParameterValues(Mockito.anyString());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveWhenAuthorizationRequestWithInvalidClientThenThrowIllegalArgumentException() {
|
||||
ClientRegistration clientRegistration = this.registration1;
|
||||
|
|
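Review bot: `resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed` discards the result of `this.resolver.resolve(spyRequest)`, so it never confirms that `/path` was treated as a non-authorization request. The `never()` verifications would still hold if the resolver produced a result without touching the parameter or body accessors, so the test name promises more than the assertions pin. I would capture the return value and add `assertThat(authorizationRequest).isNull();`, as the test just above does. A short comment explaining that the spy is needed because the body accessors must not be called at all would also help readers.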