Don't Consume Request Body

Per the servlet spec, getParameter(name) consumes the request body for
POST requests.

This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.

Closes gh-8650
This commit is contained in:
Erik Bakker 2020-06-04 11:34:00 +02:00 committed by Josh Cummings
parent 24a04f9c5f
commit cd3fd6762f
GPG Key ID: 49EF60DD7FF83443
2 changed files with 25 additions and 0 deletions


@ -87,6 +87,9 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
String registrationId = this.resolveRegistrationId(request);
if (registrationId == null) {
return null;
}
String redirectUriAction = getAction(request, "login");
return resolve(request, registrationId, redirectUriAction);
}
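Review bot: The added null check on registrationId fixes the issue only because it sits before `getAction(request, "login")`, and nothing in the hunk records that ordering constraint, so a later reordering or an inlining of getAction would silently reintroduce the body consumption this commit removes. I would put a why-comment on the check: `// Decide from the path first: getAction() reads a request parameter, which on a POST consumes the body (gh-8650).` The private three-argument `resolve(request, registrationId, redirectUriAction)` presumably has its own registrationId null check, so the new one may be a duplicate; that is acceptable here since the ordering, not the check itself, is the fix. The other public overload, `resolve(HttpServletRequest, String)`, is outside this hunk and also calls getAction, so it is worth confirming it can only be reached for actual authorization requests.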


@ -15,8 +15,12 @@
*/
package org.springframework.security.oauth2.client.web;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@ -99,6 +103,24 @@ public class DefaultOAuth2AuthorizationRequestResolverTests {
assertThat(authorizationRequest).isNull();
}
@Test
public void resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed() throws IOException {
String requestUri = "/path";
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setContent("foo".getBytes(StandardCharsets.UTF_8));
request.setCharacterEncoding(StandardCharsets.UTF_8.name());
HttpServletRequest spyRequest = Mockito.spy(request);
this.resolver.resolve(spyRequest);
Mockito.verify(spyRequest, Mockito.never()).getReader();
Mockito.verify(spyRequest, Mockito.never()).getInputStream();
Mockito.verify(spyRequest, Mockito.never()).getParameter(Mockito.anyString());
Mockito.verify(spyRequest, Mockito.never()).getParameterMap();
Mockito.verify(spyRequest, Mockito.never()).getParameterNames();
Mockito.verify(spyRequest, Mockito.never()).getParameterValues(Mockito.anyString());
}
@Test
public void resolveWhenAuthorizationRequestWithInvalidClientThenThrowIllegalArgumentException() {
ClientRegistration clientRegistration = this.registration1;