
DefaultOAuth2AuthorizationRequestResolver erroneously consumes POST request body #8650

Closed
eamelink opened this issue Jun 4, 2020 · 1 comment
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: bug (A general bug)

eamelink (Contributor) commented Jun 4, 2020

Describe the bug
DefaultOAuth2AuthorizationRequestResolver consumes the request body, by calling getParameter on the request, even if the request doesn't match the authorization request base URI.

The bug is in the resolve(HttpServletRequest request) method, which calls getAction, even if the registrationId is null.

To Reproduce
Create a filter chain with DefaultOAuth2AuthorizationRequestResolver in it. Send a POST request with a body. Observe that in the servlet, the request body appears to be empty.

Expected behavior
I expect that the body doesn't appear to be empty.

Sample
No sample, but I'm adding a PR with a test.
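To make the ordering problem concrete, here is an added example (not Spring Security's code or the reporter's PR test): a constructed stand-in for a form-encoded POST whose first getParameter() call drains the body, as the servlet spec allows a container to do, next to an unguarded and a guarded resolver. The class names, the URI pattern and the request body are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class BodyConsumingDemo {
    // Constructed stand-in for a form-encoded POST. As in a real container, the first
    // getParameter() call parses the body and drains the stream for every later reader.
    static final class FormPostRequest {
        final String uri;
        private final ByteArrayInputStream body;
        private String form; // null until parameters are first read
        FormPostRequest(String uri, String formBody) {
            this.uri = uri;
            this.body = new ByteArrayInputStream(formBody.getBytes(StandardCharsets.UTF_8));
        }
        int unreadBodyBytes() { return body.available(); } // what a downstream servlet can still read
        String getParameter(String name) {
            if (form == null) {
                byte[] raw = new byte[body.available()];
                body.read(raw, 0, raw.length); // the drain: nothing is left for the servlet
                form = "&" + new String(raw, StandardCharsets.UTF_8) + "&";
            }
            int i = form.indexOf("&" + name + "=");
            return i < 0 ? null : form.substring(i + name.length() + 2, form.indexOf('&', i + 1));
        }
    }

    // Hypothetical pattern standing in for the resolver's authorization request base URI.
    static final Pattern AUTHZ_BASE = Pattern.compile("^/oauth2/authorization/[^/]+$");
    static boolean isAuthorizationRequest(FormPostRequest req) {
        return AUTHZ_BASE.matcher(req.uri).matches(); // looks at the URI only, never at parameters
    }
    // Buggy ordering (the reported behaviour): a parameter is read before the URI is checked,
    // so every POST through the filter chain loses its body, authorization request or not.
    static void resolveUnguarded(FormPostRequest req) {
        String action = req.getParameter("action");
    }
    // Fixed ordering: on a URI mismatch, return before touching any parameter.
    static void resolveGuarded(FormPostRequest req) {
        if (!isAuthorizationRequest(req)) return;
        String action = req.getParameter("action");
    }
    public static void main(String[] args) {
        FormPostRequest a = new FormPostRequest("/api/orders", "item=book&qty=2");
        FormPostRequest b = new FormPostRequest("/api/orders", "item=book&qty=2");
        resolveUnguarded(a);
        resolveGuarded(b);
        System.out.println("unguarded: body bytes left = " + a.unreadBodyBytes());
        System.out.println("guarded:   body bytes left = " + b.unreadBodyBytes());
    }
}
```

The same ordering rule applies to any filter that inspects parameters: match the path first, and only read parameters on requests the filter actually owns.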

@eamelink eamelink added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jun 4, 2020
eamelink added a commit to eamelink/spring-security that referenced this issue Jun 4, 2020
Per the servlet spec, getParameter(name) consumes the request body for POST requests. This commit prevents DefaultOAuth2AuthorizationRequestResolver from consuming the request body for non-Authorization requests.

eamelink (Contributor, Author) commented Jun 4, 2020

OAuth2AuthorizationCodeGrantFilter has a similar issue.

@jzheaux jzheaux closed this as completed in cd3fd67 Jun 5, 2020
jzheaux added a commit that referenced this issue Jun 5, 2020
@jzheaux jzheaux removed the status: waiting-for-triage An issue we've not yet triaged label Jun 9, 2020
@jzheaux jzheaux added this to the 5.4.0-M2 milestone Jun 9, 2020
@jzheaux jzheaux added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Jun 9, 2020
@jzheaux jzheaux self-assigned this Jun 9, 2020