
Polish OAuth2AuthorizationServerSecurity

Issue gh-91
Joe Grandja 5 years ago
parent
commit
847814b322

+ 10 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2AuthorizationServerSecurity.java

@@ -15,8 +15,12 @@
  */
 package org.springframework.security.config.annotation.web.configuration;
 
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -37,8 +41,14 @@ public class OAuth2AuthorizationServerSecurity extends WebSecurityConfigurerAdap
 						.anyRequest().authenticated()
 			)
 			.formLogin(withDefaults())
+			.csrf(csrf -> csrf.ignoringRequestMatchers(tokenEndpointMatcher()))
 			.apply(new OAuth2AuthorizationServerConfigurer<>());
 	}
 	// @formatter:on
 
+	private static RequestMatcher tokenEndpointMatcher() {
+		return new AntPathRequestMatcher(
+				OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI,
+				HttpMethod.POST.name());
+	}
 }
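Review bot: The new tokenEndpointMatcher() helper exempts every POST to the token endpoint from CSRF without stating why that is safe, and the reason is not obvious from the surrounding WebSecurityConfigurerAdapter code; the enclosing configure(HttpSecurity) method starts outside this hunk. The tests in this commit show the endpoint being authenticated per request with an HTTP Basic client credential (and rejected with 401 when none is sent), so the exemption rests on the endpoint never relying on a browser session cookie; a one-line comment on the helper would preserve that reasoning: `// The token endpoint authenticates the client on each request (e.g. HTTP Basic), not via a session cookie, so CSRF protection does not apply to it.`. Rebuilding the matcher here from OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI also means it will silently drift if the configurer later makes the endpoint URI customizable; presumably OAuth2AuthorizationServerConfigurer could expose the matcher it already uses, which is worth a TODO.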

+ 1 - 3
config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java

@@ -61,7 +61,6 @@ import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
@@ -150,8 +149,7 @@ public class OAuth2AuthorizationCodeGrantTests {
 		this.mvc.perform(MockMvcRequestBuilders.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
 				.params(getTokenRequestParameters(registeredClient, authorization))
 				.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
-						registeredClient.getClientId(), registeredClient.getClientSecret()))
-				.with(csrf()))
+						registeredClient.getClientId(), registeredClient.getClientSecret())))
 				.andExpect(status().isOk())
 				.andExpect(header().string(HttpHeaders.CACHE_CONTROL, containsString("no-store")))
 				.andExpect(header().string(HttpHeaders.PRAGMA, containsString("no-cache")));
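Review bot: Dropping `.with(csrf())` from the token-endpoint POSTs here and in OAuth2ClientCredentialsGrantTests makes these tests implicitly verify the new CSRF exemption, but nothing asserts that the exemption is scoped to the token endpoint only; a regression that widened the ignore matcher would still pass every test in this commit. A small companion test that POSTs to a non-exempt path without `csrf()` and expects `status().isForbidden()` would pin the boundary; the surrounding test method starts and ends outside this hunk.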

+ 2 - 5
config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java

@@ -49,7 +49,6 @@ import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -88,8 +87,7 @@ public class OAuth2ClientCredentialsGrantTests {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();
 
 		this.mvc.perform(MockMvcRequestBuilders.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
-				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
-				.with(csrf()))
+				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue()))
 				.andExpect(status().isUnauthorized());
 
 		verifyNoInteractions(registeredClientRepository);
@@ -108,8 +106,7 @@ public class OAuth2ClientCredentialsGrantTests {
 				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
 				.param(OAuth2ParameterNames.SCOPE, "scope1 scope2")
 				.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
-						registeredClient.getClientId(), registeredClient.getClientSecret()))
-				.with(csrf()))
+						registeredClient.getClientId(), registeredClient.getClientSecret())))
 				.andExpect(status().isOk())
 				.andExpect(jsonPath("$.access_token").isNotEmpty())
 				.andExpect(jsonPath("$.scope").value("scope1 scope2"));