Remove state assertion when loading OAuth2AuthorizationRequest

Fixes gh-5163
Joe Grandja 2018-03-27 17:16:18 -04:00
parent ec46b7dbe1
commit ce2f669245
2 changed files with 10 additions and 9 deletions


@ -44,8 +44,10 @@ public final class HttpSessionOAuth2AuthorizationRequestRepository implements Au
@Override @Override
public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) { public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
Assert.notNull(request, "request cannot be null"); Assert.notNull(request, "request cannot be null");
String stateParameter = getStateParameter(request); String stateParameter = this.getStateParameter(request);
Assert.hasText(stateParameter, "state parameter cannot be empty"); if (stateParameter == null) {
return null;
}
Map<String, OAuth2AuthorizationRequest> authorizationRequests = this.getAuthorizationRequests(request); Map<String, OAuth2AuthorizationRequest> authorizationRequests = this.getAuthorizationRequests(request);
return authorizationRequests.get(stateParameter); return authorizationRequests.get(stateParameter);
} }
@ -69,7 +71,7 @@ public final class HttpSessionOAuth2AuthorizationRequestRepository implements Au
@Override @Override
public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request) { public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request) {
Assert.notNull(request, "request cannot be null"); Assert.notNull(request, "request cannot be null");
String stateParameter = getStateParameter(request); String stateParameter = this.getStateParameter(request);
if (stateParameter == null) { if (stateParameter == null) {
return null; return null;
} }
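Review bot: The new guard in loadAuthorizationRequest tests only `stateParameter == null`, so a present-but-blank `state` value, which the removed `Assert.hasText` rejected, now falls through to `authorizationRequests.get(stateParameter)`. That lookup presumably misses and returns null, but `if (!StringUtils.hasText(stateParameter)) { return null; }` (Spring's `org.springframework.util.StringUtils`, if it is not already imported) would keep the old blank handling explicit instead of depending on which keys the map can hold. The same null-only check sits in removeAuthorizationRequest in the second hunk, whose body continues outside it. Because null is now the only signal for a missing or unmatched state, the method should document it, for example `@return the matching request, or null if the state parameter is absent or unknown`. Callers have to treat that null as a failed authorization response, since state is what ties the callback to the session that started the flow.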


@ -15,9 +15,6 @@
*/ */
package org.springframework.security.oauth2.client.web; package org.springframework.security.oauth2.client.web;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.mockito.junit.MockitoJUnitRunner; import org.mockito.junit.MockitoJUnitRunner;
@ -30,6 +27,9 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
/** /**
* Tests for {@link HttpSessionOAuth2AuthorizationRequestRepository}. * Tests for {@link HttpSessionOAuth2AuthorizationRequestRepository}.
* *
@ -107,15 +107,14 @@ public class HttpSessionOAuth2AuthorizationRequestRepositoryTests {
} }
@Test @Test
public void loadAuthorizationRequestWhenSavedAndStateParameterNullThenThrowIllegalArgumentException() { public void loadAuthorizationRequestWhenSavedAndStateParameterNullThenReturnNull() {
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build(); OAuth2AuthorizationRequest authorizationRequest = createAuthorizationRequest().build();
this.authorizationRequestRepository.saveAuthorizationRequest( this.authorizationRequestRepository.saveAuthorizationRequest(
authorizationRequest, request, new MockHttpServletResponse()); authorizationRequest, request, new MockHttpServletResponse());
assertThatThrownBy(() -> this.authorizationRequestRepository.loadAuthorizationRequest(request)) assertThat(this.authorizationRequestRepository.loadAuthorizationRequest(request)).isNull();
.isInstanceOf(IllegalArgumentException.class);
} }
@Test @Test