
Commit 4c6fef8

jacknie84sjohnr
authored andcommitted
Fix error when Bearer token is requested with empty string
Issue gh-15885
1 parent 18129f3 commit 4c6fef8


4 files changed

+46
-2
lines changed


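--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
@@ -64,6 +64,11 @@ public String resolve(final HttpServletRequest request) {
 return authorizationHeaderToken;
 }
 if (parameterToken != null && isParameterTokenEnabledForRequest(request)) {
+if (!StringUtils.hasText(parameterToken)) {
+final BearerTokenError error = BearerTokenErrors
+.invalidRequest("The requested token parameter is an empty string");
+throw new OAuth2AuthenticationException(error);
+}
 return parameterToken;
 }
 return null;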
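Review bot: The new guard's message says "empty string", but `StringUtils.hasText` also rejects whitespace-only values such as `" "`, so a blank-but-non-empty `access_token` parameter is reported as empty; either narrow the check to `if (parameterToken.isEmpty()) {` or word the error as `.invalidRequest("The requested token parameter is empty or blank");` — the same applies to the identical guard added in ServerBearerTokenAuthenticationConverter.token(). Because this hunk turns a value that was previously returned into a thrown OAuth2AuthenticationException carrying an invalid_request error (which the updated reactive test expects to map to HTTP 400), the Javadoc of `resolve`, which starts above this hunk, should state that an enabled-but-empty parameter token is rejected with OAuth2AuthenticationException rather than resolved to null. resolve()'s body begins outside the hunk.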

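--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
@@ -78,6 +78,11 @@ private String token(ServerHttpRequest request) {
 return authorizationHeaderToken;
 }
 if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
+if (!StringUtils.hasText(parameterToken)) {
+final BearerTokenError error = BearerTokenErrors
+.invalidRequest("The requested token parameter is an empty string");
+throw new OAuth2AuthenticationException(error);
+}
 return parameterToken;
 }
 return null;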

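--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
@@ -21,8 +21,11 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.server.resource.BearerTokenError;
+import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -258,4 +261,35 @@ public void resolveWhenQueryParameterIsPresentAndNotSupportedThenTokenIsNotResol
 assertThat(this.resolver.resolve(request)).isNull();
 }
 
+@Test
+public void resolveWhenQueryParameterIsPresentAndEmptyStringThenTokenIsNotResolved() {
+this.resolver.setAllowUriQueryParameter(true);
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.setMethod("GET");
+request.addParameter("access_token", "");
+assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> this.resolver.resolve(request))
+.withMessageContaining("The requested token parameter is an empty string")
+.satisfies((e) -> {
+BearerTokenError error = (BearerTokenError) e.getError();
+assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
+assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
+});
+}
+
+@Test
+public void resolveWhenFormParameterIsPresentAndEmptyStringThenTokenIsNotResolved() {
+this.resolver.setAllowFormEncodedBodyParameter(true);
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.setMethod("POST");
+request.setContentType("application/x-www-form-urlencoded");
+request.addParameter("access_token", "");
+assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> this.resolver.resolve(request))
+.withMessageContaining("The requested token parameter is an empty string")
+.satisfies((e) -> {
+BearerTokenError error = (BearerTokenError) e.getError();
+assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
+assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
+});
+}
+
 }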
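Review bot: The two new tests in the second hunk repeat the same seven-line `assertThatExceptionOfType(...).withMessageContaining(...).satisfies(...)` block verbatim; extracting it into a private helper such as `assertEmptyTokenParameterRejected(MockHttpServletRequest request)` would leave each test with only the request setup that actually differs. Neither test pins `error.getUri()`, whereas the reactive converter test in this same commit asserts it; adding `assertThat(error.getUri()).isEqualTo("https://tools.ietf.org/html/rfc6750#section-3.1");` inside the `satisfies` lambda would check the full error contract the servlet resolver now emits. Both test methods are complete within the hunk.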

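--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
+++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverterTests.java
@@ -187,9 +187,9 @@ public void resolveWhenQueryParameterIsEmptyAndSupportedThenOAuth2Authentication
 .isThrownBy(() -> convertToToken(request))
 .satisfies((ex) -> {
 BearerTokenError error = (BearerTokenError) ex.getError();
-assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_TOKEN);
+assertThat(error.getErrorCode()).isEqualTo(BearerTokenErrorCodes.INVALID_REQUEST);
 assertThat(error.getUri()).isEqualTo("https://tools.ietf.org/html/rfc6750#section-3.1");
-assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.UNAUTHORIZED);
+assertThat(error.getHttpStatus()).isEqualTo(HttpStatus.BAD_REQUEST);
 });
 // @formatter:on
 }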
