首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
檔案 問題管理 0 Wiki
瀏覽代碼

The "Bearer" keyword should be case-insensitive

The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.
Nicolas Le Bas 6 年之前
父節點
fdc81822ec
當前提交
63f2b6094f
共有 2 個文件被更改,包括 12 次插入2 次删除
分割檢視 顯示文件統計
  1. 4 2
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
  2. 8 0
      oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java

+ 4 - 2
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
查看文件 

@@ -36,7 +36,9 @@ import org.springframework.util.StringUtils;
 
  */
 
 public final class DefaultBearerTokenResolver implements BearerTokenResolver {
 
 
-	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$");
 
+	private static final Pattern authorizationPattern = Pattern.compile(
 
+		"^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$",
 
+		Pattern.CASE_INSENSITIVE);
 
 
 	private boolean allowFormEncodedBodyParameter = false;
 
 
@@ -87,7 +89,7 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
 
 
 	private static String resolveFromAuthorizationHeader(HttpServletRequest request) {
 
 		String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
 
-		if (StringUtils.hasText(authorization) && authorization.startsWith("Bearer")) {
 
+		if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
 
 			Matcher matcher = authorizationPattern.matcher(authorization);
 
 
 			if (!matcher.matches()) {

+ 8 - 0
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
查看文件 

@@ -51,6 +51,14 @@ public class DefaultBearerTokenResolverTests {
 
 		assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN);
 
 	}
 
 
+	@Test
 
+	public void resolveWhenLowercaseHeaderIsPresentThenTokenIsResolved() {
 
+		MockHttpServletRequest request = new MockHttpServletRequest();
 
+		request.addHeader("authorization", "bearer " + TEST_TOKEN);
 
+
 
+		assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN);
 
+	}
 
+
 
 	@Test
 
 	public void resolveWhenNoHeaderIsPresentThenTokenIsNotResolved() {
 
 		MockHttpServletRequest request = new MockHttpServletRequest();