Save Request Before Response Is Committed

o1i0 · jzheaux · commit 52c7141aac75 · 2022-11-30T14:33:08.000-07:00
Specifically important for cookie-based authorization request repositories. Closes gh-11602
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
@@ -192,8 +192,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 					if (authorizationRequest == null) {
 						throw authzEx;
 					}
-					this.sendRedirectForAuthorization(request, response, authorizationRequest);
 					this.requestCache.saveRequest(request, response);
+					this.sendRedirectForAuthorization(request, response, authorizationRequest);
 				}
 				catch (Exception failed) {
 					this.unsuccessfulRedirectForAuthorization(request, response, failed);
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
@@ -48,6 +48,7 @@
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.willAnswer;
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
@@ -333,4 +334,22 @@ public void doFilterWhenAuthorizationRequestAndCustomAuthorizationRequestUriSetT
 				+ "login_hint=user@provider\\.com");
 	}
 
+	// gh-11602
+
+	@Test
+	public void doFilterWhenNotAuthorizationRequestAndClientAuthorizationRequiredExceptionThrownThenSaveRequestBeforeCommitted()
+			throws Exception {
+		String requestUri = "/path";
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
+		request.setServletPath(requestUri);
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain filterChain = mock(FilterChain.class);
+		willAnswer((invocation) -> assertThat((invocation.<HttpServletResponse>getArgument(1)).isCommitted()).isFalse())
+				.given(this.requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+		willThrow(new ClientAuthorizationRequiredException(this.registration1.getRegistrationId())).given(filterChain)
+				.doFilter(any(ServletRequest.class), any(ServletResponse.class));
+		this.filter.doFilter(request, response, filterChain);
+		assertThat(response.isCommitted()).isTrue();
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -192,8 +192,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse`
`192`	`192`	`if (authorizationRequest == null) {`
`193`	`193`	`throw authzEx;`
`194`	`194`	`}`
`195`		`- this.sendRedirectForAuthorization(request, response, authorizationRequest);`
`196`	`195`	`this.requestCache.saveRequest(request, response);`
	`196`	`+ this.sendRedirectForAuthorization(request, response, authorizationRequest);`
`197`	`197`	`}`
`198`	`198`	`catch (Exception failed) {`
`199`	`199`	`this.unsuccessfulRedirectForAuthorization(request, response, failed);`