صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
github
/
spring-security
mirrorاز https://github.com/spring-projects/spring-security
2
0
انشعاب 0
پرونده‌ها مشکلات 0 ویکی
فهرست منبع

Fix error when Bearer token is requested with empty string

Issue gh-15885
Hyeongi Jeong 10 ماه پیش
والد
18129f3af3
کامیت
4c6fef82b9
4فایلهای تغییر یافته به همراه46 افزوده شده و 2 حذف شده
مشاهده تقسیم شده نمایش آمار تفاوت ها
  1. 5 0
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
  2. 5 0
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
  3. 34 0
      oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
  4. 2 2
      oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java

+ 5 - 0
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
مشاهده فایل 

@@ -64,6 +64,11 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
 
 			return authorizationHeaderToken;
 
 		}
 
 		if (parameterToken != null && isParameterTokenEnabledForRequest(request)) {
 
+			if (!StringUtils.hasText(parameterToken)) {
 
+				final BearerTokenError error = BearerTokenErrors
 
+					.invalidRequest("The requested token parameter is an empty string");
 
+				throw new OAuth2AuthenticationException(error);
 
+			}
 
 			return parameterToken;
 
 		}
 
 		return null;

+ 5 - 0
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
مشاهده فایل 

@@ -78,6 +78,11 @@ public class ServerBearerTokenAuthenticationConverter implements ServerAuthentic
 
 			return authorizationHeaderToken;
 
 		}
 
 		if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
 
+			if (!StringUtils.hasText(parameterToken)) {
 
+				final BearerTokenError error = BearerTokenErrors
 
+					.invalidRequest("The requested token parameter is an empty string");
 
+				throw new OAuth2AuthenticationException(error);
 
+			}
 
 			return parameterToken;
 
 		}
 
 		return null;

+ 34 - 0
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
مشاهده فایل 

@@ -21,8 +21,11 @@ import java.util.Base64;
 
 import org.junit.jupiter.api.BeforeEach;
 
 import org.junit.jupiter.api.Test;
 
 
+import org.springframework.http.HttpStatus;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 
+import org.springframework.security.oauth2.server.resource.BearerTokenError;
 
+import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
 
 
 import static org.assertj.core.api.Assertions.assertThat;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
@@ -258,4 +261,35 @@ public class DefaultBearerTokenResolverTests {
 
 		assertThat(this.resolver.resolve(request)).isNull();
 
 	}
 
 
+	@Test
 
+	public void resolveWhenQueryParameterIsPresentAndEmptyStringThenTokenIsNotResolved() {
 
+		this.resolver.setAllowUriQueryParameter(true);
 
+		MockHttpServletRequest request = new MockHttpServletRequest();
 
+		request.setMethod("GET");
 
+		request.addParameter("access_token", "");
 
+		assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> this.resolver.resolve(request))
 
+			.withMessageContaining("The requested token parameter is an empty string")
 
+			.satisfies((e) -> {
 
+				BearerTokenError error = (BearerTokenError) e.getError();
 
+				assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
 
+				assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
 
+			});
 
+	}
 
+
 
+	@Test
 
+	public void resolveWhenFormParameterIsPresentAndEmptyStringThenTokenIsNotResolved() {
 
+		this.resolver.setAllowFormEncodedBodyParameter(true);
 
+		MockHttpServletRequest request = new MockHttpServletRequest();
 
+		request.setMethod("POST");
 
+		request.setContentType("application/x-www-form-urlencoded");
 
+		request.addParameter("access_token", "");
 
+		assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> this.resolver.resolve(request))
 
+			.withMessageContaining("The requested token parameter is an empty string")
 
+			.satisfies((e) -> {
 
+				BearerTokenError error = (BearerTokenError) e.getError();
 
+				assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
 
+				assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
 
+			});
 
+	}
 
+
 
 }

+ 2 - 2
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
مشاهده فایل 

@@ -187,9 +187,9 @@ public class ServerBearerTokenAuthenticationConverterTests {
 
 				.isThrownBy(() -> convertToToken(request))
 
 				.satisfies((ex) -> {
 
 					BearerTokenError error = (BearerTokenError) ex.getError();
 
-					assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_TOKEN);
 
+					assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
 
 					assertThat(error.getUri()).isEqualTo("https://tools.ietf.org/html/rfc6750#section-3.1");
 
-					assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.UNAUTHORIZED);
 
+					assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
 
 				});
 
 		// @formatter:on
 
 	}