Fix error when Bearer token is requested with empty string
Issue gh-15885
jacknie84 authored and sjohnr committed Nov 4, 2024
1 parent 18129f3 commit 4c6fef8
Showing 4 changed files with 46 additions and 2 deletions.
Expand Up @@ -64,6 +64,11 @@ public String resolve(final HttpServletRequest request) {
return authorizationHeaderToken;
}
if (parameterToken != null && isParameterTokenEnabledForRequest(request)) {
if (!StringUtils.hasText(parameterToken)) {
final BearerTokenError error = BearerTokenErrors
.invalidRequest("The requested token parameter is an empty string");
throw new OAuth2AuthenticationException(error);
}
return parameterToken;
}
return null;
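Review bot: `StringUtils.hasText` on the added check also returns false for a whitespace-only value, so a request such as `access_token=%20` is rejected with a description that calls it "an empty string". Rejecting blank values is the right call (whitespace is not a valid b64token under RFC 6750 §2.1), so keep the check but make the description match, `.invalidRequest("The requested token parameter is empty or blank")`, and update the `withMessageContaining` assertions added in this commit to match. The null-versus-blank distinction also deserves a line, since folding the check into the outer condition would turn an absent parameter into a 400: `// null means the parameter is absent (fall through to null); an empty or blank value is a malformed request per RFC 6750 §3.1`. The body of resolve() begins before this hunk.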
Expand Up @@ -78,6 +78,11 @@ private String token(ServerHttpRequest request) {
return authorizationHeaderToken;
}
if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
if (!StringUtils.hasText(parameterToken)) {
final BearerTokenError error = BearerTokenErrors
.invalidRequest("The requested token parameter is an empty string");
throw new OAuth2AuthenticationException(error);
}
return parameterToken;
}
return null;
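Review bot: The added block repeats the servlet resolver's blank-token check and its error description verbatim, so the two are likely to drift; a pointer such as `// keep in step with the servlet resolver's resolve(HttpServletRequest): same check, same error code and description` on the first added line would help. As on the servlet side, `StringUtils.hasText` also rejects whitespace-only values, so the description should read `"The requested token parameter is empty or blank"` rather than "an empty string". The updated reactive test in this commit shows this path previously ended in 401/invalid_token and now ends in 400/invalid_request, a client-visible change that the class Javadoc should state. The body of token() starts before this hunk.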
Expand Up @@ -21,8 +21,11 @@
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
Expand Down Expand Up @@ -258,4 +261,35 @@ public void resolveWhenQueryParameterIsPresentAndNotSupportedThenTokenIsNotResol
assertThat(this.resolver.resolve(request)).isNull();
}

@Test
public void resolveWhenQueryParameterIsPresentAndEmptyStringThenTokenIsNotResolved() {
this.resolver.setAllowUriQueryParameter(true);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("GET");
request.addParameter("access_token", "");
assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> this.resolver.resolve(request))
.withMessageContaining("The requested token parameter is an empty string")
.satisfies((e) -> {
BearerTokenError error = (BearerTokenError) e.getError();
assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
});
}

@Test
public void resolveWhenFormParameterIsPresentAndEmptyStringThenTokenIsNotResolved() {
this.resolver.setAllowFormEncodedBodyParameter(true);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("POST");
request.setContentType("application/x-www-form-urlencoded");
request.addParameter("access_token", "");
assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> this.resolver.resolve(request))
.withMessageContaining("The requested token parameter is an empty string")
.satisfies((e) -> {
BearerTokenError error = (BearerTokenError) e.getError();
assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
});
}

}
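Review bot: The two new tests exercise only the literal empty string, while the check they cover (`StringUtils.hasText`) also rejects whitespace-only values and only fires when parameter support is enabled; neither boundary is pinned. Add a case with `request.addParameter("access_token", " ");` expecting the same invalid_request error, and a case with an empty `access_token` and neither setter enabled asserting `assertThat(this.resolver.resolve(request)).isNull();` so disabled parameter support keeps ignoring the value rather than throwing. For parity with the reactive test updated in this commit, the new tests could also assert `error.getUri()` against `https://tools.ietf.org/html/rfc6750#section-3.1`. Both new tests are complete within the hunk.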
Expand Up @@ -187,9 +187,9 @@ public void resolveWhenQueryParameterIsEmptyAndSupportedThenOAuth2Authentication
.isThrownBy(() -> convertToToken(request))
.satisfies((ex) -> {
BearerTokenError error = (BearerTokenError) ex.getError();
assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_TOKEN);
assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
assertThat(error.getUri()).isEqualTo("https://tools.ietf.org/html/rfc6750#section-3.1");
assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.UNAUTHORIZED);
assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
});
// @formatter:on
}
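Review bot: The flipped expectations (INVALID_TOKEN/401 to INVALID_REQUEST/400) are a client-visible change, and nothing in the test records why the new outcome is the intended one. A one-line comment above the assertions, `// an empty access_token parameter is a malformed request (RFC 6750 §3.1), not a token to validate`, would keep a later reader from reverting it. The opening lines of this test method are outside the hunk.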
