
Conversation

rwinch
Member

@rwinch rwinch commented Jun 19, 2019

ServerBearerTokenAuthenticationConverter Handles Empty Tokens

Previously ServerBearerTokenAuthenticationConverter would throw an
IllegalArgumentException when the access token in a URI was an empty String.
It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String
access token in the headers.

This changes ServerBearerTokenAuthenticationConverter to consistently
throw an OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED.

Fixes gh-7011

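To make the outcomes described above concrete, here is an added, self-contained Java sketch of a bearer-token resolver; it is not Spring Security's own code, and the class name, the `Result` type and the `uriTokenAllowed` flag are assumptions for illustration. It shows the three cases the fix cares about: no token at all, a token supplied in both the header and the query string, and an empty or malformed token, which is now rejected as 401 `invalid_token` rather than surfacing as a 500 or a 400.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustrative model only (not the framework's ServerBearerTokenAuthenticationConverter).
public final class BearerTokenResolution {

    /** Either a resolved token, no token at all, or an RFC 6750 error with its HTTP status. */
    public static final class Result {
        public final String token;     // null when absent or on error
        public final int status;       // 0 unless this is an error
        public final String errorCode; // "invalid_request" / "invalid_token", null unless error
        Result(String token, int status, String errorCode) {
            this.token = token; this.status = status; this.errorCode = errorCode;
        }
        public boolean isError() { return status != 0; }
    }

    // RFC 6750 b64token grammar: a malformed or empty value simply fails to match.
    private static final Pattern AUTHORIZATION =
            Pattern.compile("^Bearer (?<token>[a-zA-Z0-9\\-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    public static Result resolve(Map<String, String> headers, Map<String, String> query,
                                 boolean uriTokenAllowed) {
        String header = headers.get("Authorization");
        String paramToken = query.get("access_token");
        if (header != null && header.regionMatches(true, 0, "Bearer", 0, 6)) {
            if (paramToken != null) {
                return new Result(null, 400, "invalid_request"); // token in two places: client error
            }
            Matcher m = AUTHORIZATION.matcher(header);
            // "Bearer" followed by nothing usable: after the fix this is 401, not 400.
            return m.matches() ? new Result(m.group("token"), 0, null)
                               : new Result(null, 401, "invalid_token");
        }
        if (paramToken != null && uriTokenAllowed) {
            // An empty ?access_token= used to surface as an IllegalArgumentException (HTTP 500);
            // after the fix it is rejected as an invalid token with 401, like the header case.
            return paramToken.trim().isEmpty() ? new Result(null, 401, "invalid_token")
                                               : new Result(paramToken, 0, null);
        }
        return new Result(null, 0, null); // no bearer token: let other authentication apply
    }
}
```

The `uriTokenAllowed` flag stands in for the framework's own rule about which requests may carry the token in the URI; the point of the sketch is that every error path ends in an OAuth2-style error with an explicit status instead of an unchecked exception.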
@rwinch rwinch force-pushed the gh-7011-empty-bearer-token branch from d105f15 to fe97325 Compare June 19, 2019 14:16
@rwinch rwinch changed the title to ServerBearerTokenAuthenticationConverter Handles Empty Tokens Jun 19, 2019
@rwinch rwinch requested a review from jzheaux June 19, 2019 14:18
@rwinch rwinch added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: bug A general bug labels Jun 19, 2019
@rwinch rwinch added this to the 5.2.0.RC1 milestone Jun 19, 2019
@rwinch
Member Author

rwinch commented Jun 19, 2019

@jzheaux Can you please review this? Once this is ready for merge, can you also backport to 5.1.x to resolve gh-7021?

Contributor

@jzheaux jzheaux left a comment


Looks good to me - thanks, @rwinch, this is now merged into master.

Development

Successfully merging this pull request may close these issues.

Reactive OAuth2 using query parameters for access_token can cause HTTP 500s