check_token endpoint only accepts POST and no query strings

[#137401169] https://www.pivotaltracker.com/story/show/137401169

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpoint.java

@@ -18,6 +18,7 @@
 import org.cloudfoundry.identity.uaa.oauth.token.Claims;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.springframework.beans.factory.InitializingBean;
+import org.springframework.http.HttpMethod;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.jwt.Jwt;
@@ -30,15 +31,21 @@
 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.Assert;
+import org.springframework.web.HttpRequestMethodNotSupportedException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
 
+import static org.springframework.http.HttpStatus.NOT_ACCEPTABLE;
+import static org.springframework.util.StringUtils.hasText;
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
 /**
  * Controller which decodes access tokens for clients who are not able to do so
  * (or where opaque token values are used).
@@ -61,9 +68,16 @@ public void afterPropertiesSet() throws Exception {
         Assert.notNull(resourceServerTokenServices, "tokenServices must be set");
     }
 
-    @RequestMapping(value = "/check_token")
+    @RequestMapping(value = "/check_token", method = POST)
     @ResponseBody
-    public Claims checkToken(@RequestParam("token") String value, @RequestParam(name = "scopes", required = false, defaultValue = "") List<String> scopes) {
+    public Claims checkToken(@RequestParam("token") String value,
+                             @RequestParam(name = "scopes", required = false, defaultValue = "") List<String> scopes,
+                             HttpServletRequest request) throws HttpRequestMethodNotSupportedException {
+
+        if (hasText(request.getQueryString())) {
+            logger.debug("Call to /oauth/token contains a query string. Aborting.");
+            throw new HttpRequestMethodNotSupportedException("POST");
+        }
 
         OAuth2AccessToken token = resourceServerTokenServices.readAccessToken(value);
         if (token == null) {
@@ -133,6 +147,24 @@ public int getHttpErrorCode() {
         return exceptionTranslator.translate(e400);
     }
 
+    @ExceptionHandler(HttpRequestMethodNotSupportedException.class)
+    public ResponseEntity<OAuth2Exception> handleMethodNotSupportedException(HttpRequestMethodNotSupportedException e) throws Exception {
+        logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
+        ResponseEntity<OAuth2Exception> result =  exceptionTranslator.translate(e);
+        if (HttpMethod.POST.matches(e.getMethod())) {
+            OAuth2Exception cause = new OAuth2Exception("Parameters must be passed in the body of the request", result.getBody().getCause()) {
+                public String getOAuth2ErrorCode() {
+                    return "query_string_not_allowed";
+                }
+                public int getHttpErrorCode() {
+                    return NOT_ACCEPTABLE.value();
+                }
+            };
+            result = new ResponseEntity<>(cause, result.getHeaders(), NOT_ACCEPTABLE);
+        }
+        return result;
+    }
+
     @ExceptionHandler(InvalidScopeException.class)
     public ResponseEntity<OAuth2Exception> handleInvalidScopeException(Exception e) throws Exception {
         logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());