From f0a81731128348535d27fbbd3eeb865a24e865d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Tue, 5 Nov 2024 09:30:03 +0100
Subject: [PATCH 1/8] Evaluate URI query parameter only if enabled in reactive stack

Issue gh-16038
---
 .../ServerBearerTokenAuthenticationConverter.java | 12 ++++++------
 ...rverBearerTokenAuthenticationConverterTests.java | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
index d30cd8e05af..6d15382f7ca 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -77,13 +77,13 @@ private String token(ServerHttpRequest request) {
 }
 return authorizationHeaderToken;
 }
- if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
- return parameterToken;
- }
- return null;
+ return parameterToken;
 }
 
- private static String resolveAccessTokenFromRequest(ServerHttpRequest request) {
+ private String resolveAccessTokenFromRequest(ServerHttpRequest request) {
+ if (!isParameterTokenSupportedForRequest(request)) {
+ return null;
+ }
 List parameterTokens = request.getQueryParams().get("access_token");
 if (CollectionUtils.isEmpty(parameterTokens)) {
 return null;
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
index 6d9c7a5b98f..42decc77e83 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
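Review bot: The early return added at the top of `resolveAccessTokenFromRequest` changes observable behaviour — a request carrying several `access_token` query values no longer ends in an `OAuth2AuthenticationException` when URI query parameters are disabled, because the query string is not inspected at all — and nothing in the hunk records that this is deliberate. A one-line comment above the guard would keep the next reader from moving it back below the lookup: `// Leave the query string unread unless query-parameter tokens are enabled, so a disabled source can never produce an error.` The same comment belongs on the guard that patch 3 adds to `DefaultBearerTokenResolver.resolveFromRequestParameters`. `isParameterTokenSupportedForRequest` is outside the hunk, so whether it also restricts the HTTP method cannot be confirmed here; `token` starts and `resolveAccessTokenFromRequest` ends outside the hunk as well.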
@@ -157,6 +157,7 @@ public void resolveWhenHeaderWithInvalidCharactersIsPresentAndNotSubscribedThenN
 @Test
 public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthenticationExceptionIsThrown() {
 // @formatter:off
+ this.converter.setAllowUriQueryParameter(true);
 MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
 .queryParam("access_token", TEST_TOKEN)
 .header(HttpHeaders.AUTHORIZATION, "Bearer " + TEST_TOKEN);
@@ -205,6 +206,7 @@ public void resolveWhenQueryParameterIsPresentAndNotSupportedThenTokenIsNotResol
 
 @Test
 void resolveWhenQueryParameterHasMultipleAccessTokensThenOAuth2AuthenticationException() {
+ this.converter.setAllowUriQueryParameter(true);
 MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
 .queryParam("access_token", TEST_TOKEN, TEST_TOKEN);
 assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> convertToToken(request))
@@ -217,6 +219,15 @@ void resolveWhenQueryParameterHasMultipleAccessTokensThenOAuth2AuthenticationExc
 
 }
 
+ //gh-16038
+ @Test
+ void resoleWhenAllowUriQueryParameterIsFalseThenQueryParameterIsIgnored() {
+ this.converter.setAllowUriQueryParameter(false);
+ MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
+ .queryParam("access_token", TEST_TOKEN);
+ assertThat(convertToToken(request)).isNull();
+ }
+
 private BearerTokenAuthenticationToken convertToToken(MockServerHttpRequest.BaseBuilder request) {
 return convertToToken(request.build());
 }

From 80fd04188c54fc801b07ce04e3c5722d3dd67fee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Tue, 5 Nov 2024 10:18:02 +0100
Subject: [PATCH 2/8] Evaluate parameter access token only if enabled in servlet stack

Issue gh-16038
---
 .../web/DefaultBearerTokenResolver.java | 13 ++-------
 .../web/DefaultBearerTokenResolverTests.java | 29 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
index da357ca9c99..49426922198 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -53,7 +53,7 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
 @Override
 public String resolve(final HttpServletRequest request) {
 final String authorizationHeaderToken = resolveFromAuthorizationHeader(request);
- final String parameterToken = isParameterTokenSupportedForRequest(request)
+ final String parameterToken = isParameterTokenEnabledForRequest(request)
 ? resolveFromRequestParameters(request) : null;
 if (authorizationHeaderToken != null) {
 if (parameterToken != null) {
@@ -63,10 +63,7 @@ public String resolve(final HttpServletRequest request) {
 }
 return authorizationHeaderToken;
 }
- if (parameterToken != null && isParameterTokenEnabledForRequest(request)) {
- return parameterToken;
- }
- return null;
+ return parameterToken;
 }
 
 /**
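Review bot: With `resolve` now returning `parameterToken` unconditionally, whether a parameter token is looked at at all is decided solely by the `isParameterTokenEnabledForRequest` ternary above it, and the new contract — a disabled parameter source is ignored rather than read and then discarded — is visible only inside this method body. The Javadoc of `setAllowUriQueryParameter` and `setAllowFormEncodedBodyParameter` sits outside the hunk; if it still only says the parameter is "allowed", it should add that when disabled the parameter is not read at all, so duplicate or empty values no longer raise an `OAuth2AuthenticationException`. `resolve` begins outside the first hunk and `isParameterTokenEnabledForRequest` is not shown, so its exact conditions are presumed rather than confirmed here.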
@@ -129,10 +126,6 @@ private static String resolveFromRequestParameters(HttpServletRequest request) {
 throw new OAuth2AuthenticationException(error);
 }
 
- private boolean isParameterTokenSupportedForRequest(final HttpServletRequest request) {
- return isFormEncodedRequest(request) || isGetRequest(request);
- }
-
 private static boolean isGetRequest(HttpServletRequest request) {
 return HttpMethod.GET.name().equals(request.getMethod());
 }
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
index e5cfca01c33..af62136565a 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -107,6 +107,7 @@ public void resolveWhenHeaderWithInvalidCharactersIsPresentThenAuthenticationExc
 
 @Test
 public void resolveWhenValidHeaderIsPresentTogetherWithFormParameterThenAuthenticationExceptionIsThrown() {
+ this.resolver.setAllowFormEncodedBodyParameter(true);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.addHeader("Authorization", "Bearer " + TEST_TOKEN);
 request.setMethod("POST");
@@ -118,6 +119,7 @@ public void resolveWhenValidHeaderIsPresentTogetherWithFormParameterThenAuthenti
 
 @Test
 public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthenticationExceptionIsThrown() {
+ this.resolver.setAllowUriQueryParameter(true);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.addHeader("Authorization", "Bearer " + TEST_TOKEN);
 request.setMethod("GET");
@@ -130,6 +132,7 @@ public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthent
 // gh-10326
 @Test
 public void resolveWhenRequestContainsTwoAccessTokenQueryParametersThenAuthenticationExceptionIsThrown() {
+ this.resolver.setAllowUriQueryParameter(true);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setMethod("GET");
 request.addParameter("access_token", "token1", "token2");
@@ -140,6 +143,7 @@ public void resolveWhenRequestContainsTwoAccessTokenQueryParametersThenAuthentic
 // gh-10326
 @Test
 public void resolveWhenRequestContainsTwoAccessTokenFormParametersThenAuthenticationExceptionIsThrown() {
+ this.resolver.setAllowFormEncodedBodyParameter(true);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setMethod("POST");
 request.setContentType("application/x-www-form-urlencoded");
@@ -232,6 +236,7 @@ public void resolveWhenPostAndFormParameterIsSupportedAndQueryParameterIsPresent
 
 @Test
 public void resolveWhenFormParameterIsPresentAndNotSupportedThenTokenIsNotResolved() {
+ this.resolver.setAllowFormEncodedBodyParameter(false);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setMethod("POST");
 request.setContentType("application/x-www-form-urlencoded");
@@ -258,4 +263,26 @@ public void resolveWhenQueryParameterIsPresentAndNotSupportedThenTokenIsNotResol
 assertThat(this.resolver.resolve(request)).isNull();
 }
 
+ // gh-16038
+ @Test
+ void resolveWhenRequestContainsTwoAccessTokenFormParametersAndSupportIsDisabledThenTokenIsNotResolved() {
+ this.resolver.setAllowFormEncodedBodyParameter(false);
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setMethod("POST");
+ request.setContentType("application/x-www-form-urlencoded");
+ request.addParameter("access_token", "token1", "token2");
+ assertThat(this.resolver.resolve(request)).isNull();
+ }
+
+ // gh-16038
+ @Test
+ void resolveWhenRequestContainsTwoAccessTokenQueryParameterAndSupportIsDisabledThenTokenIsNotResolved() {
+ this.resolver.setAllowUriQueryParameter(false);
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setMethod("GET");
+ request.setQueryString("access_token=" + TEST_TOKEN);
+ request.addParameter("access_token", "token1", "token2");
+ assertThat(this.resolver.resolve(request)).isNull();
+ }
+
 }

From dd7d303a0183fbd9d545a4360c7d61464e4b8a99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Tue, 5 Nov 2024 16:10:02 +0100
Subject: [PATCH 3/8] comply with formatting rules

gh-16038
---
 .../resource/web/DefaultBearerTokenResolver.java | 11 +++++++----
 .../ServerBearerTokenAuthenticationConverter.java | 2 +-
 ...ServerBearerTokenAuthenticationConverterTests.java | 4 ++--
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
index c0d89329165..d0694ae0817 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
@@ -53,8 +53,8 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
 @Override
 public String resolve(final HttpServletRequest request) {
 final String authorizationHeaderToken = resolveFromAuthorizationHeader(request);
- final String parameterToken = isParameterTokenEnabledForRequest(request)
- ? resolveFromRequestParameters(request) : null;
+ final String parameterToken = resolveFromRequestParameters(request);
+
 if (authorizationHeaderToken != null) {
 if (parameterToken != null) {
 BearerTokenError error = BearerTokenErrors
@@ -65,7 +65,7 @@ public String resolve(final HttpServletRequest request) {
 }
 if (parameterToken != null && !StringUtils.hasText(parameterToken)) {
 BearerTokenError error = BearerTokenErrors
- .invalidRequest("The requested token parameter is an empty string");
+ .invalidRequest("The requested token parameter is an empty string");
 throw new OAuth2AuthenticationException(error);
 }
 return parameterToken;
@@ -119,7 +119,10 @@ private String resolveFromAuthorizationHeader(HttpServletRequest request) {
 return matcher.group("token");
 }
 
- private static String resolveFromRequestParameters(HttpServletRequest request) {
+ private String resolveFromRequestParameters(HttpServletRequest request) {
+ if (!isParameterTokenEnabledForRequest(request)) {
+ return null;
+ }
 String[] values = request.getParameterValues(ACCESS_TOKEN_PARAMETER_NAME);
 if (values == null || values.length == 0) {
 return null;
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
index bbfcacdbe60..ec7675acd04 100644
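Review bot: The second added line of the `@@ -53,8 +53,8 @@` hunk is an empty `+` line, which leaves a stray blank line between the `parameterToken` declaration and the `if (authorizationHeaderToken != null)` check — the rest of `resolve` does not separate its statements that way, so the blank should go and the declaration should sit directly above the check it feeds. Moving the enabled check into `resolveFromRequestParameters` is the right place for it, since that method is now the single point where request parameters are read; a short comment on the guard saying that a disabled source is deliberately not parsed would document the behaviour the gh-16038 tests assert. `resolve` and `resolveFromRequestParameters` both continue beyond their hunks.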
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
@@ -79,7 +79,7 @@ private String token(ServerHttpRequest request) {
 }
 if (parameterToken != null && !StringUtils.hasText(parameterToken)) {
 BearerTokenError error = BearerTokenErrors
- .invalidRequest("The requested token parameter is an empty string");
+ .invalidRequest("The requested token parameter is an empty string");
 throw new OAuth2AuthenticationException(error);
 }
 return parameterToken;
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
index 086da048439..90be1a3b1be 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
@@ -219,12 +219,12 @@ void resolveWhenQueryParameterHasMultipleAccessTokensThenOAuth2AuthenticationExc
 
 }
 
- //gh-16038
+ // gh-16038
 @Test
 void resoleWhenAllowUriQueryParameterIsFalseThenQueryParameterIsIgnored() {
 this.converter.setAllowUriQueryParameter(false);
 MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
- .queryParam("access_token", TEST_TOKEN);
+ .queryParam("access_token", TEST_TOKEN);
 assertThat(convertToToken(request)).isNull();
 }
 
From cbd66135eac2433f14116ee649a54cf209dd4810 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Wed, 6 Nov 2024 08:46:08 +0100
Subject: [PATCH 4/8] these lines can be omitted since they are the default

gh-16038
---
 .../resource/web/DefaultBearerTokenResolverTests.java | 6 +-----
 .../ServerBearerTokenAuthenticationConverterTests.java | 1 -
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
index 582c0144499..6c62d7c27fb 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
@@ -239,7 +239,6 @@ public void resolveWhenPostAndFormParameterIsSupportedAndQueryParameterIsPresent
 
 @Test
 public void resolveWhenFormParameterIsPresentAndNotSupportedThenTokenIsNotResolved() {
- this.resolver.setAllowFormEncodedBodyParameter(false);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setMethod("POST");
 request.setContentType("application/x-www-form-urlencoded");
@@ -269,7 +268,6 @@ public void resolveWhenQueryParameterIsPresentAndNotSupportedThenTokenIsNotResol
 // gh-16038
 @Test
 void resolveWhenRequestContainsTwoAccessTokenFormParametersAndSupportIsDisabledThenTokenIsNotResolved() {
- this.resolver.setAllowFormEncodedBodyParameter(false);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setMethod("POST");
 request.setContentType("application/x-www-form-urlencoded");
@@ -279,11 +277,9 @@ void resolveWhenRequestContainsTwoAccessTokenFormParametersAndSupportIsDisabledT
 
 // gh-16038
 @Test
- void resolveWhenRequestContainsTwoAccessTokenQueryParameterAndSupportIsDisabledThenTokenIsNotResolved() {
- this.resolver.setAllowUriQueryParameter(false);
+ void resolveWhenRequestContainsTwoAccessTokenQueryParametersAndSupportIsDisabledThenTokenIsNotResolved() {
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setMethod("GET");
- request.setQueryString("access_token=" + TEST_TOKEN);
 request.addParameter("access_token", "token1", "token2");
 assertThat(this.resolver.resolve(request)).isNull();
 }
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
index 90be1a3b1be..f08b3af624a 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
@@ -222,7 +222,6 @@ void resolveWhenQueryParameterHasMultipleAccessTokensThenOAuth2AuthenticationExc
 // gh-16038
 @Test
 void resoleWhenAllowUriQueryParameterIsFalseThenQueryParameterIsIgnored() {
- this.converter.setAllowUriQueryParameter(false);
 MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
 .queryParam("access_token", TEST_TOKEN);
 assertThat(convertToToken(request)).isNull();

From b6c49b5594df9752c1e87574aa8f74a5c531fe09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Wed, 6 Nov 2024 08:52:40 +0100
Subject: [PATCH 5/8] add test case with 2 query parameters and support disabled

gh-16038
---
 .../ServerBearerTokenAuthenticationConverterTests.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
index f08b3af624a..a1a893e9fe8 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
@@ -227,6 +227,14 @@ void resoleWhenAllowUriQueryParameterIsFalseThenQueryParameterIsIgnored() {
 assertThat(convertToToken(request)).isNull();
 }
 
+ // gh-16038
+ @Test
+ void resolveWhenRequestContainsTwoAccessTokenQueryParametersAndSupportIsDisabledThenTokenIsNotResolved() {
+ MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
+ .queryParam("access_token", TEST_TOKEN, TEST_TOKEN);
+ assertThat(convertToToken(request)).isNull();
+ }
+
 private BearerTokenAuthenticationToken convertToToken(MockServerHttpRequest.BaseBuilder request) {
 return convertToToken(request.build());
 }

From ac39cf78100488ffe3e14b2b5f91420befb8a29b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Wed, 6 Nov 2024 08:53:50 +0100
Subject: [PATCH 6/8] remove redundant test case [same as resolveWhenQueryParameterIsPresentAndNotSupportedThenTokenIsNotResolved()]

gh-16038
---
 .../ServerBearerTokenAuthenticationConverterTests.java | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
index a1a893e9fe8..dfe50abda3e 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
@@ -219,14 +219,6 @@ void resolveWhenQueryParameterHasMultipleAccessTokensThenOAuth2AuthenticationExc
 
 }
 
- // gh-16038
- @Test
- void resoleWhenAllowUriQueryParameterIsFalseThenQueryParameterIsIgnored() {
- MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
- .queryParam("access_token", TEST_TOKEN);
- assertThat(convertToToken(request)).isNull();
- }
-
 // gh-16038
 @Test
 void resolveWhenRequestContainsTwoAccessTokenQueryParametersAndSupportIsDisabledThenTokenIsNotResolved() {

From b9ae6ef6586c0a55de5724a79472d08f267451cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Wed, 6 Nov 2024 08:59:20 +0100
Subject: [PATCH 7/8] reformat

gh-16038
---
 .../ServerBearerTokenAuthenticationConverterTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
index dfe50abda3e..3e474018243 100644
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
@@ -223,7 +223,7 @@ void resolveWhenQueryParameterHasMultipleAccessTokensThenOAuth2AuthenticationExc
 @Test
 void resolveWhenRequestContainsTwoAccessTokenQueryParametersAndSupportIsDisabledThenTokenIsNotResolved() {
 MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/")
- .queryParam("access_token", TEST_TOKEN, TEST_TOKEN);
+ .queryParam("access_token", TEST_TOKEN, TEST_TOKEN);
 assertThat(convertToToken(request)).isNull();
 }
 

From 94c0e349d3f7b1004016f56ffab867319c6c34d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonah=20Kl=C3=B6ckner?=
Date: Wed, 6 Nov 2024 10:27:45 +0100
Subject: [PATCH 8/8] fix failing tests

gh-16038
---
 .../resource/OAuth2ResourceServerConfigurerTests.java | 3 +++
 ...h2ResourceServerBeanDefinitionParserTests-JwkSetUri.xml | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
index c247a6d7fed..f957cb0c492 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@@ -1560,12 +1560,15 @@ static class JwkSetUriConfig {
 @Bean
 SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // @formatter:off
+ DefaultBearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();
+ defaultBearerTokenResolver.setAllowUriQueryParameter(true);
 http
 .authorizeRequests()
 .requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
 .anyRequest().authenticated()
 .and()
 .oauth2ResourceServer()
+ .bearerTokenResolver(defaultBearerTokenResolver)
 .jwt()
 .jwkSetUri(this.jwkSetUri);
 return http.build();
diff --git a/config/src/test/resources/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParserTests-JwkSetUri.xml b/config/src/test/resources/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParserTests-JwkSetUri.xml
index 3f81363d270..aac12989e91 100644
--- a/config/src/test/resources/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParserTests-JwkSetUri.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParserTests-JwkSetUri.xml
@@ -25,10 +25,15 @@ + + + + - +
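Review bot: The two lines added at the top of `filterChain` opt this test configuration into query-parameter bearer tokens without saying why, so a reader comparing `JwkSetUriConfig` with the class's other configurations cannot tell whether the opt-in is part of what is under test or only keeps an existing request fixture working after gh-16038. A comment above the `new DefaultBearerTokenResolver()` line would settle that: `// gh-16038: query-parameter tokens are no longer resolved unless explicitly enabled; required by the tests that send the token in the query string`. The same explanation presumably applies to the XML counterpart in this commit, whose hunk content is not readable here. `JwkSetUriConfig` starts outside the hunk.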