diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java index ae14e621a3..044280f112 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java @@ -52,7 +52,7 @@ public class ServerBearerTokenAuthenticationConverter private boolean allowUriQueryParameter = false; public Mono convert(ServerWebExchange exchange) { - return Mono.justOrEmpty(token(exchange.getRequest())) + return Mono.fromCallable(() -> token(exchange.getRequest())) .map(token -> { if (token.isEmpty()) { BearerTokenError error = invalidTokenError(); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java index 16e4740f34..03d663f0cb 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java @@ -131,6 +131,17 @@ public class ServerBearerTokenAuthenticationConverterTests { .hasMessageContaining(("Bearer token is malformed")); } + // gh-8865 + @Test + public void resolveWhenHeaderWithInvalidCharactersIsPresentAndNotSubscribedThenNoneExceptionIsThrown() { + MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest + .get("/") + .header(HttpHeaders.AUTHORIZATION, "Bearer an\"invalid\"token"); + + assertThatCode(() -> this.converter.convert(MockServerWebExchange.from(request))) + .doesNotThrowAnyException(); + } + @Test public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthenticationExceptionIsThrown() { MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest