首页 发现 帮助
注册 登录
github
/
spring-security
镜像自地址 https://github.com/spring-projects/spring-security
2
0
派生 0
文件 工单管理 0 Wiki
浏览代码

Accept a case-insensitive "Bearer" keyword

The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.

This is the reactive counterpart to commit
63f2b6094f59cc9ded6a83ac3def4a1726890a8b .

Fixes gh-6195
Nicolas Le Bas 6 年之前
父节点
60fc5381fe
当前提交
ba8a337f9a
共有 2 个文件被更改,包括 13 次插入2 次删除
分列视图 显示文件统计
  1. 4 2
      oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java
  2. 9 0
      oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java

+ 4 - 2
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java
查看文件 

@@ -43,7 +43,9 @@ import java.util.regex.Pattern;
 
  */
 
 public class ServerBearerTokenAuthenticationConverter
 
 		implements ServerAuthenticationConverter {
 
-	private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$");
 
+	private static final Pattern authorizationPattern = Pattern.compile(
 
+		"^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$",
 
+		Pattern.CASE_INSENSITIVE);
 
 
 	private boolean allowUriQueryParameter = false;
 
 
@@ -85,7 +87,7 @@ public class ServerBearerTokenAuthenticationConverter
 
 
 	private static String resolveFromAuthorizationHeader(HttpHeaders headers) {
 
 		String authorization = headers.getFirst(HttpHeaders.AUTHORIZATION);
 
-		if (StringUtils.hasText(authorization) && authorization.startsWith("Bearer")) {
 
+		if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
 
 			Matcher matcher = authorizationPattern.matcher(authorization);
 
 
 			if ( !matcher.matches() ) {

+ 9 - 0
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
查看文件 

@@ -52,6 +52,15 @@ public class ServerBearerTokenAuthenticationConverterTests {
 
 		assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
 
 	}
 
 
+	@Test
 
+	public void resolveWhenLowercaseHeaderIsPresentThenTokenIsResolved() {
 
+		MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest
 
+				.get("/")
 
+				.header(HttpHeaders.AUTHORIZATION, "bearer " + TEST_TOKEN);
 
+
 
+		assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
 
+	}
 
+
 
 	@Test
 
 	public void resolveWhenNoHeaderIsPresentThenTokenIsNotResolved() {
 
 		MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest