5 年之前 · 7e7f85c18c
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
@@ -36,7 +36,7 @@ import org.springframework.util.StringUtils;
 
				  */
			
 
				 public final class DefaultBearerTokenResolver implements BearerTokenResolver {
			
 
				 
			
 
				-	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$");
			
 
				+	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$");
			
 
				 
			
 
				 	private boolean allowFormEncodedBodyParameter = false;
			
 
				 
			
@@ -98,7 +98,7 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
 
				 				throw new OAuth2AuthenticationException(error);
			
 
				 			}
			
 
				 
			
 
				-			return authorization.substring(7);
			
 
				+			return matcher.group("token");
			
 
				 		}
			
 
				 		return null;
			
 
				 	}
			
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java
@@ -43,7 +43,7 @@ import java.util.regex.Pattern;
 
				  */
			
 
				 public class ServerBearerTokenAuthenticationConverter
			
 
				 		implements ServerAuthenticationConverter {
			
 
				-	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$");
			
 
				+	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$");
			
 
				 
			
 
				 	private boolean allowUriQueryParameter = false;
			
 
				 
			
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
@@ -1,5 +1,5 @@
 
				 /*
			
 
				- * Copyright 2002-2018 the original author or authors.
			
 
				+ * Copyright 2002-2020 the original author or authors.
			
 
				  *
			
 
				  * Licensed under the Apache License, Version 2.0 (the "License");
			
 
				  * you may not use this file except in compliance with the License.
			
@@ -51,17 +51,9 @@ public class DefaultBearerTokenResolverTests {
 
				 		assertThat(this.resolver.resolve(request)).isEqualTo(TEST_TOKEN);
			
 
				 	}
			
 
				 
			
 
				+	// gh-8502
			
 
				 	@Test
			
 
				-	public void resolveWhenValidHeaderIsPresentWithSingleBytePaddingIndicatorThenTokenIsResolved() {
			
 
				-		String token = TEST_TOKEN + "=";
			
 
				-		MockHttpServletRequest request = new MockHttpServletRequest();
			
 
				-		request.addHeader("Authorization", "Bearer " + token);
			
 
				-
			
 
				-		assertThat(this.resolver.resolve(request)).isEqualTo(token);
			
 
				-	}
			
 
				-
			
 
				-	@Test
			
 
				-	public void resolveWhenValidHeaderIsPresentWithTwoBytesPaddingIndicatorThenTokenIsResolved() {
			
 
				+	public void resolveWhenHeaderEndsWithPaddingIndicatorThenTokenIsResolved() {
			
 
				 		String token = TEST_TOKEN + "==";
			
 
				 		MockHttpServletRequest request = new MockHttpServletRequest();
			
 
				 		request.addHeader("Authorization", "Bearer " + token);
			
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
@@ -1,5 +1,5 @@
 
				 /*
			
 
				- * Copyright 2002-2018 the original author or authors.
			
 
				+ * Copyright 2002-2020 the original author or authors.
			
 
				  *
			
 
				  * Licensed under the Apache License, Version 2.0 (the "License");
			
 
				  * you may not use this file except in compliance with the License.
			
@@ -16,8 +16,11 @@
 
				 
			
 
				 package org.springframework.security.oauth2.server.resource.web.server;
			
 
				 
			
 
				+import java.util.Base64;
			
 
				+
			
 
				 import org.junit.Before;
			
 
				 import org.junit.Test;
			
 
				+
			
 
				 import org.springframework.http.HttpHeaders;
			
 
				 import org.springframework.http.HttpStatus;
			
 
				 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
			
@@ -27,8 +30,6 @@ import org.springframework.security.oauth2.server.resource.BearerTokenAuthentica
 
				 import org.springframework.security.oauth2.server.resource.BearerTokenError;
			
 
				 import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
			
 
				 
			
 
				-import java.util.Base64;
			
 
				-
			
 
				 import static org.assertj.core.api.Assertions.assertThat;
			
 
				 import static org.assertj.core.api.Assertions.assertThatCode;
			
 
				 import static org.assertj.core.api.Assertions.catchThrowableOfType;
			
@@ -56,6 +57,17 @@ public class ServerBearerTokenAuthenticationConverterTests {
 
				 		assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
			
 
				 	}
			
 
				 
			
 
				+	// gh-8502
			
 
				+	@Test
			
 
				+	public void resolveWhenHeaderEndsWithPaddingIndicatorThenTokenIsResolved() {
			
 
				+		String token = TEST_TOKEN + "==";
			
 
				+		MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest
			
 
				+				.get("/")
			
 
				+				.header(HttpHeaders.AUTHORIZATION, "Bearer " + token);
			
 
				+
			
 
				+		assertThat(convertToToken(request).getToken()).isEqualTo(token);
			
 
				+	}
			
 
				+
			
 
				 	// gh-7011
			
 
				 	@Test
			
 
				 	public void resolveWhenValidHeaderIsEmptyStringThenTokenIsResolved() {