
Fix OAuth2AuthorizationRequestRedirectWebFilter baseurl exclude querystring

When OAuth2AuthorizationRequestRedirectWebFilter creates the redirect_uri,
the query string of the current request is included in the request-based baseUrl.
So when the redirectUriTemplate is expanded,
an incorrect redirect_uri may be created.

Fixed: gh-5520
mhyeon.lee 7 years ago
parent
commit
ba29b363fc

+ 1 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java

@@ -199,6 +199,7 @@ public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
 
 		String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request))
 				.replacePath(request.getPath().contextPath().value())
+				.replaceQuery(null)
 				.build()
 				.toUriString();
 		uriVariables.put("baseUrl", baseUrl);
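Review bot: The added `.replaceQuery(null)` call carries no comment saying why the query string is dropped, and the reason is security-relevant: redirect_uri must match the value registered at the authorization server exactly, and without this call anything appended to the authorization request's query string would be copied into it. A comment such as `// gh-5520: drop the request query so request-supplied parameters cannot end up in redirect_uri` would record that for the next maintainer. Note that baseUrl is still derived from the incoming request's scheme and host via `fromHttpRequest`, so deployments behind a proxy presumably depend on correctly handled forwarded headers for the expanded redirect_uri to match — worth confirming, though not something this change alters. The enclosing method starts before and continues past the hunk.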

+ 20 - 0
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java

@@ -135,6 +135,26 @@ public class OAuth2AuthorizationRequestRedirectWebFilterTests {
 		verify(this.authzRequestRepository).saveAuthorizationRequest(any(), any());
 	}
 
+	// gh-5520
+	@Test
+	public void filterWhenDoesMatchThenResolveRedirectUriExpandedExcludesQueryString() {
+		FluxExchangeResult<String> result = this.client.get()
+				.uri("https://example.com/oauth2/authorization/github?foo=bar").exchange()
+				.expectStatus().is3xxRedirection().returnResult(String.class);
+		result.assertWithDiagnostics(() -> {
+			URI location = result.getResponseHeaders().getLocation();
+			assertThat(location)
+					.hasScheme("https")
+					.hasHost("github.com")
+					.hasPath("/login/oauth/authorize")
+					.hasParameter("response_type", "code")
+					.hasParameter("client_id", "clientId")
+					.hasParameter("scope", "read:user")
+					.hasParameter("state")
+					.hasParameter("redirect_uri", "https://example.com/login/oauth2/code/github");
+		});
+	}
+
 	@Test
 	public void filterWhenExceptionThenRedirected() {
 		FilteringWebHandler webHandler = new FilteringWebHandler(e -> Mono.error(new ClientAuthorizationRequiredException(this.github.getRegistrationId())), Arrays.asList(this.filter));
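Review bot: The `// gh-5520` marker above the new test records the issue number but not the regression, so a reader has to open the issue to learn what `?foo=bar` in the request URI is exercising. Expanding it to `// gh-5520: the request's query string must not leak into the expanded redirect_uri` makes the test self-explanatory. The exact `hasParameter("redirect_uri", ...)` assertion does pin the fix, since a leaked `?foo=bar` would change that value.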