Accept a case-insensitive "Bearer" keyword
The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case-sensitive
fashion.
According to RFC 2617, it should be case-insensitive,
and some OAuth clients (including some earlier
versions of spring-security) expect it to be.

This is the reactive counterpart to commit
63f2b60 .

Fixes gh-6195
nlebas committed Dec 2, 2018
1 parent 60fc538 commit ba8a337
Showing 2 changed files with 13 additions and 2 deletions.
Expand Up @@ -43,7 +43,9 @@
*/
public class ServerBearerTokenAuthenticationConverter
implements ServerAuthenticationConverter {
private static final Pattern authorizationPattern = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$");
private static final Pattern authorizationPattern = Pattern.compile(
"^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$",
Pattern.CASE_INSENSITIVE);

private boolean allowUriQueryParameter = false;

Expand Down Expand Up @@ -85,7 +87,7 @@ public void setAllowUriQueryParameter(boolean allowUriQueryParameter) {

private static String resolveFromAuthorizationHeader(HttpHeaders headers) {
String authorization = headers.getFirst(HttpHeaders.AUTHORIZATION);
if (StringUtils.hasText(authorization) && authorization.startsWith("Bearer")) {
if (StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
Matcher matcher = authorizationPattern.matcher(authorization);

if ( !matcher.matches() ) {
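Review bot: The new guard in `resolveFromAuthorizationHeader` drops the `StringUtils.hasText(authorization)` check and relies on `startsWithIgnoreCase` alone; that is only correct because Spring's `StringUtils.startsWithIgnoreCase` returns false for a null argument, which is not visible in this hunk and deserves a comment, e.g. `// auth-scheme is case-insensitive (RFC 2617 §1.2, now RFC 7235 §2.1); startsWithIgnoreCase is null-safe, so no hasText() guard is needed`. The scheme word is now spelled twice, once in the `authorizationPattern` literal and once in the prefix check, so a shared constant would keep the two from drifting apart. The pattern still requires exactly one space after the scheme, which this commit does not change but which the comment above could mention so the next reader does not assume the flag relaxed it. The `if (!matcher.matches())` branch opens on the last line of the hunk and the method continues outside it.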
Expand Up @@ -52,6 +52,15 @@ public void resolveWhenValidHeaderIsPresentThenTokenIsResolved() {
assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
}

@Test
public void resolveWhenLowercaseHeaderIsPresentThenTokenIsResolved() {
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest
.get("/")
.header(HttpHeaders.AUTHORIZATION, "bearer " + TEST_TOKEN);

assertThat(convertToToken(request).getToken()).isEqualTo(TEST_TOKEN);
}

@Test
public void resolveWhenNoHeaderIsPresentThenTokenIsNotResolved() {
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest
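Review bot: The added test `resolveWhenLowercaseHeaderIsPresentThenTokenIsResolved` pins only the all-lowercase spelling, whereas the converter change enables `Pattern.CASE_INSENSITIVE`, so upper- and mixed-case spellings such as `"BEARER "` and `"BeArEr "` remain unexercised. A second test built from the same three lines with `.header(HttpHeaders.AUTHORIZATION, "BEARER " + TEST_TOKEN)` (or a parameterised variant over the three spellings) would cover the rest of the accepted input space. It would also be worth pinning that a scheme that merely begins with the word, e.g. `"bearerx " + TEST_TOKEN`, is still not resolved as a token, since `startsWithIgnoreCase` on its own accepts that prefix and the outcome is decided in the `!matcher.matches()` branch that lies outside the converter hunk.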
