diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
index eb1dcb94a..c5f681300 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
@@ -43,7 +43,7 @@ public class DefaultRedirectResolver implements RedirectResolver {
 private Collection redirectGrantTypes = Arrays.asList("implicit", "authorization_code");
- private boolean matchSubdomains = true;
+ private boolean matchSubdomains = false;
 private boolean matchPorts = true;
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
index 0f2f37196..0265cae24 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
@@ -7,6 +7,7 @@ import java.util.HashSet;
 import java.util.Set;
+import org.junit.Before;
 import org.junit.Test;
 import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
 import org.springframework.security.oauth2.provider.client.BaseClientDetails;
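Review bot: The flipped default on the `matchSubdomains` field carries no comment saying why subdomain matching is now opt-in, and whatever Javadoc exists on the setter is outside this hunk. Because this field decides whether a redirect to an arbitrary subdomain of the registered host is accepted, a why-comment on the field would stop the next maintainer from restoring the old value for convenience: `// Exact host match by default: redirects to subdomains of the registered host are accepted only after an explicit setMatchSubdomains(true).` The change alters behavior for deployments that relied on the old default, so it should also be stated in the setter's Javadoc and the release notes. The enclosing `DefaultRedirectResolver` class starts before this hunk.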
@@ -14,17 +15,22 @@ public class SubdomainRedirectResolverTests {
- private final DefaultRedirectResolver resolver = new DefaultRedirectResolver();
+ private DefaultRedirectResolver resolver;
 private final BaseClientDetails client = new BaseClientDetails();
 {
 client.setAuthorizedGrantTypes(Collections.singleton("authorization_code"));
 }
+ @Before
+ public void setup() {
+ resolver = new DefaultRedirectResolver();
+ }
 @Test
 public void testRedirectMatch() throws Exception {
+ resolver.setMatchSubdomains(true);
 Set redirectUris = new HashSet(Arrays.asList("http://watchdox.com"));
 client.setRegisteredRedirectUri(redirectUris);
 String requestedRedirect = "http://anywhere.watchdox.com";
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
index 34c52caee..fda7d8ea6 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
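Review bot: The new `@Before setup()` in `SubdomainRedirectResolverTests` is redundant with the field initializer it replaces: JUnit 4 instantiates the test class afresh for every test method, so `private final DefaultRedirectResolver resolver = new DefaultRedirectResolver();` already gave each test its own resolver, and the `client` field directly below keeps exactly that style. Retaining the `final` field initializer would be consistent, keep the field non-null by construction, and drop the four new lines plus the added `org.junit.Before` import. Separately, `testRedirectMatch` now opts in via `resolver.setMatchSubdomains(true)`; any other test in this class that still expects subdomain matching is outside this hunk and needs the same call. Both the class and `testRedirectMatch` continue past the end of the hunk.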
@@ -135,12 +135,20 @@ public void testRedirectNotMatchingSubdomain() throws Exception {
 // gh-747
 @Test
 public void testRedirectMatchingSubdomain() throws Exception {
+ resolver.setMatchSubdomains(true);
 Set redirectUris = new HashSet(Arrays.asList("http://anywhere.com/foo"));
 String requestedRedirect = "http://2.anywhere.com/foo";
 client.setRegisteredRedirectUri(redirectUris);
 assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 }
+ @Test(expected = RedirectMismatchException.class)
+ public void testRedirectMatchSubdomainsDefaultsFalse() {
+ Set redirectUris = new HashSet(Arrays.asList("https://anywhere.com"));
+ client.setRegisteredRedirectUri(redirectUris);
+ resolver.resolveRedirect("https://2.anywhere.com", client);
+ }
+
 // gh-746
 @Test(expected = RedirectMismatchException.class)
 public void testRedirectNotMatchingPort() throws Exception {
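Review bot: `testRedirectMatchSubdomainsDefaultsFalse` only proves the new default if `resolver` is a fresh instance for each test; its declaration is outside this hunk, and if it were a static or otherwise shared field the `resolver.setMatchSubdomains(true)` added to `testRedirectMatchingSubdomain` just above would leak into it and make the outcome order-dependent. Stating that assumption in the test keeps it honest: `// relies on a fresh resolver per test, so matchSubdomains is at its default (false)`. Also, with `@Test(expected = RedirectMismatchException.class)` an exception thrown by `setRegisteredRedirectUri` would pass the test just as well as one from `resolveRedirect`; the existing `testRedirectNotMatchingPort` has the same shape, so a comment such as `// only resolveRedirect is expected to throw` is the minimal fix consistent with the file. The enclosing test class continues outside the hunk.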