Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Validate Authorization Response

Fixes gh-4657, Issue gh-4654
Joe Grandja 7 years ago
parent
d152a2e2c1
commit
eb2b573426
1 changed files with 7 additions and 6 deletions
Unified View Show Diff Stats
  1. 7 6
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.java

+ 7 - 6
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.java
View File 

@@ -25,6 +25,7 @@ import org.springframework.security.oauth2.client.authentication.OAuth2ClientAut
 
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 
 import org.springframework.security.oauth2.core.OAuth2Error;
 
 import org.springframework.security.oauth2.core.OAuth2Error;
 
+import org.springframework.security.oauth2.core.OAuth2ErrorCode;
 
 import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
 
 import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
 
 import org.springframework.security.oauth2.core.endpoint.AuthorizationResponse;
 
 import org.springframework.security.oauth2.core.endpoint.AuthorizationResponse;
 
 import org.springframework.security.oauth2.core.endpoint.OAuth2Parameter;
 
 import org.springframework.security.oauth2.core.endpoint.OAuth2Parameter;
 
@@ -95,6 +96,12 @@ public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticatio
 
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 
 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 
 			throws AuthenticationException, IOException, ServletException {
 
 			throws AuthenticationException, IOException, ServletException {
 
 
 
+		if (!this.authorizationResponseSuccess(request) && !this.authorizationResponseError(request)) {
 
+			OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCode.INVALID_REQUEST);
 
+			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
 
+		}
 
+		AuthorizationResponse authorizationResponse = this.convert(request);
 
+
 
 		AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.loadAuthorizationRequest(request);
 
 		AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.loadAuthorizationRequest(request);
 
 		if (authorizationRequest == null) {
 
 		if (authorizationRequest == null) {
 
 			OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
 
 			OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
 
@@ -102,8 +109,6 @@ public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticatio
 
 		}
 
 		}
 
 		this.authorizationRequestRepository.removeAuthorizationRequest(request);
 
 		this.authorizationRequestRepository.removeAuthorizationRequest(request);
 
 
 
-		AuthorizationResponse authorizationResponse = this.convert(request);
 
-
 
 		String registrationId = (String)authorizationRequest.getAdditionalParameters().get(OAuth2Parameter.REGISTRATION_ID);
 
 		String registrationId = (String)authorizationRequest.getAdditionalParameters().get(OAuth2Parameter.REGISTRATION_ID);
 
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
 
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
 
 
 
@@ -144,10 +149,6 @@ public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticatio
 
 	}
 
 	}
 
 
 
 	private AuthorizationResponse convert(HttpServletRequest request) {
 
 	private AuthorizationResponse convert(HttpServletRequest request) {
 
-		if (!this.authorizationResponseSuccess(request) && !this.authorizationResponseError(request)) {
 
-			return null;
 
-		}
 
-
 
 		String code = request.getParameter(OAuth2Parameter.CODE);
 
 		String code = request.getParameter(OAuth2Parameter.CODE);
 
 		String errorCode = request.getParameter(OAuth2Parameter.ERROR);
 
 		String errorCode = request.getParameter(OAuth2Parameter.ERROR);
 
 		String state = request.getParameter(OAuth2Parameter.STATE);
 
 		String state = request.getParameter(OAuth2Parameter.STATE);