Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
github
/
spring-security
kopia lustrzana https://github.com/spring-projects/spring-security
2
0
Forkuj 0
Pliki Problemy 0 Wiki
Przeglądaj źródła

Don't Consume Request Body

Per the servlet spec, getParameter(name) consumes the request body for
POST requests.

This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.

Closes gh-8650
Erik Bakker 5 lat temu
rodzic
24a04f9c5f
commit
cd3fd6762f
2 zmienionych plików z 25 dodań i 0 usunięć
Widok podzielony Pokaż statystyki zmian
  1. 3 0
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
  2. 22 0
      oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java

+ 3 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
Wyświetl plik 

@@ -87,6 +87,9 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
 
 	@Override
 
 	public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
 
 		String registrationId = this.resolveRegistrationId(request);
 
+		if (registrationId == null) {
 
+			return null;
 
+		}
 
 		String redirectUriAction = getAction(request, "login");
 
 		return resolve(request, registrationId, redirectUriAction);
 
 	}

+ 22 - 0
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
Wyświetl plik 

@@ -15,8 +15,12 @@
 
  */
 
 package org.springframework.security.oauth2.client.web;
 
 
+import java.io.IOException;
 
+import java.nio.charset.StandardCharsets;
 
+import javax.servlet.http.HttpServletRequest;
 
 import org.junit.Before;
 
 import org.junit.Test;
 
+import org.mockito.Mockito;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 
@@ -99,6 +103,24 @@ public class DefaultOAuth2AuthorizationRequestResolverTests {
 
 		assertThat(authorizationRequest).isNull();
 
 	}
 
 
+	@Test
 
+	public void resolveWhenNotAuthorizationRequestThenRequestBodyNotConsumed() throws IOException {
 
+		String requestUri = "/path";
 
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
 
+		request.setContent("foo".getBytes(StandardCharsets.UTF_8));
 
+		request.setCharacterEncoding(StandardCharsets.UTF_8.name());
 
+		HttpServletRequest spyRequest = Mockito.spy(request);
 
+
 
+		this.resolver.resolve(spyRequest);
 
+
 
+		Mockito.verify(spyRequest, Mockito.never()).getReader();
 
+		Mockito.verify(spyRequest, Mockito.never()).getInputStream();
 
+		Mockito.verify(spyRequest, Mockito.never()).getParameter(Mockito.anyString());
 
+		Mockito.verify(spyRequest, Mockito.never()).getParameterMap();
 
+		Mockito.verify(spyRequest, Mockito.never()).getParameterNames();
 
+		Mockito.verify(spyRequest, Mockito.never()).getParameterValues(Mockito.anyString());
 
+	}
 
+
 
 	@Test
 
 	public void resolveWhenAuthorizationRequestWithInvalidClientThenThrowIllegalArgumentException() {
 
 		ClientRegistration clientRegistration = this.registration1;