From 89523fb08585754233a81302d9877722afe37976 Mon Sep 17 00:00:00 2001 From: Mike Roda Date: Mon, 22 May 2023 07:19:59 -0400 Subject: [PATCH] fix: exclude unsupported response types in exception (#2329) * fix: exclude unsupported response types in exception - avoid logging or echoing unsantized input from the request - this mirrors the change made to AuthorizationEndpoint in spring-security-oauth2 2.5.2.RELEASE, see: https://github.com/spring-attic/spring-security-oauth/commit/2b58aafecac336e82f20ea43da9b208b0a4a40dd Change-Id: Id93034bc69355fcf988c56827fa65c70338694cf * fix: allow bearer or Bearer for Authentication header - apparently the whitespace is being trimmed off by spring in the xml so the request matcher isn't doing a case insensitive comparison when the header value is Bearer Change-Id: I0f93cc2a0ebf364560687c4e57887a100753dd2d --- .../identity/uaa/oauth/UaaAuthorizationEndpoint.java | 2 +- .../identity/uaa/security/web/UaaRequestMatcher.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpoint.java
index 7164ede5225..fa1d1494653 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpoint.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpoint.java
@@ -182,7 +182,7 @@ public ModelAndView authorize(Map model,
 String grantType = deriveGrantTypeFromResponseType(responseTypes);
 if (!supported_response_types.containsAll(responseTypes)) {
- throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
+ throw new UnsupportedResponseTypeException("Unsupported response types");
 }
 if (authorizationRequest.getClientId() == null) {
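Review bot: The rejected response types are dropped from the message entirely, so the UnsupportedResponseTypeException thrown in this hunk now gives the caller and the operator nothing to act on, while the server-side allowlist would be safe to name because it is not derived from the request. If supported_response_types is a fixed, server-controlled set (it reads that way here, but its declaration is outside the hunk), the message can state it without reflecting untrusted input: `throw new UnsupportedResponseTypeException("Unsupported response types, supported: " + supported_response_types);`. The enclosing authorize method starts and ends outside the hunk.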
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java b/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java
index d5d83da2fda..089d663a7f2 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java
@@ -135,7 +135,7 @@ else if (!matchesHeader(requestValue, expectedHeaderEntry.getValue())) {
 private boolean matchesHeader(String requestValue, List expectedValues) {
 for (String headerValue : expectedValues) {
- if ("bearer".equalsIgnoreCase(headerValue.trim())) {
+ if ("bearer".equalsIgnoreCase(headerValue.trim())) {
 //case insensitive for Authorization: Bearer match
 if (requestValue == null || !requestValue.toLowerCase().startsWith(headerValue)) {
 return false;
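Review bot: The outer test is now case-insensitive, but the inner startsWith two lines below still uses the configured headerValue verbatim, so a configured value of `Bearer` (the exact case the commit message describes) is compared against a lower-cased request value and can never match, and the matcher still rejects the request. Normalise the expected value once and reuse it in the inner check: `String expected = headerValue.trim().toLowerCase();` before the inner if, and `!requestValue.toLowerCase().startsWith(expected)` inside it (Locale.ROOT on both toLowerCase calls would also make the comparison independent of the default locale). Trimming also drops the trailing space the old literal `"bearer "` required, so a request value like `bearerxyz` would presumably pass the prefix check now; appending a single space to `expected` restores the old token delimiter if that behaviour is intended. matchesHeader continues past the end of the hunk.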