Merge branch '6.0.x'

jzheaux · jzheaux · commit 70a6cf69530a · 2022-11-30T14:55:15.000-07:00
Closes gh-12326
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
@@ -195,8 +195,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 					if (authorizationRequest == null) {
 						throw authzEx;
 					}
-					this.sendRedirectForAuthorization(request, response, authorizationRequest);
 					this.requestCache.saveRequest(request, response);
+					this.sendRedirectForAuthorization(request, response, authorizationRequest);
 				}
 				catch (Exception failed) {
 					this.unsuccessfulRedirectForAuthorization(request, response, failed);
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
@@ -50,6 +50,7 @@
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.willAnswer;
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
@@ -325,4 +326,22 @@ public void doFilterWhenCustomAuthorizationRedirectStrategySetThenCustomAuthoriz
 						+ "redirect_uri=http://localhost/login/oauth2/code/registration-id");
 	}
 
+	// gh-11602
+
+	@Test
+	public void doFilterWhenNotAuthorizationRequestAndClientAuthorizationRequiredExceptionThrownThenSaveRequestBeforeCommitted()
+			throws Exception {
+		String requestUri = "/path";
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
+		request.setServletPath(requestUri);
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain filterChain = mock(FilterChain.class);
+		willAnswer((invocation) -> assertThat((invocation.<HttpServletResponse>getArgument(1)).isCommitted()).isFalse())
+				.given(this.requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+		willThrow(new ClientAuthorizationRequiredException(this.registration1.getRegistrationId())).given(filterChain)
+				.doFilter(any(ServletRequest.class), any(ServletResponse.class));
+		this.filter.doFilter(request, response, filterChain);
+		assertThat(response.isCommitted()).isTrue();
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -195,8 +195,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse`
`195`	`195`	`if (authorizationRequest == null) {`
`196`	`196`	`throw authzEx;`
`197`	`197`	`}`
`198`		`- this.sendRedirectForAuthorization(request, response, authorizationRequest);`
`199`	`198`	`this.requestCache.saveRequest(request, response);`
	`199`	`+ this.sendRedirectForAuthorization(request, response, authorizationRequest);`
`200`	`200`	`}`
`201`	`201`	`catch (Exception failed) {`
`202`	`202`	`this.unsuccessfulRedirectForAuthorization(request, response, failed);`