SECOAUTH-359: check for missing grant type in TokenEndpoint

commit 421338ece0866cb3a616c802cd321d31d4a27e84 1 parent 393e7e6
@dsyer dsyer authored
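--- a/...parklr/src/test/java/org/springframework/security/oauth2/provider/TestResourceOwnerPasswordProvider.java
+++ b/...parklr/src/test/java/org/springframework/security/oauth2/provider/TestResourceOwnerPasswordProvider.java
@@ -16,6 +16,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.client.ClientHttpResponse;
+import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.oauth2.client.test.BeforeOAuth2Context;
 import org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration;
 import org.springframework.security.oauth2.client.test.OAuth2ContextSetup;
@@ -204,6 +205,19 @@ public void testUnsupportedMediaTypeWithInvalidToken() throws Exception {
 assertEquals(HttpStatus.NOT_ACCEPTABLE, serverRunning.getStatusCode("/sparklr2/photos/user/message", headers));
 }
+ /**
+ * tests that we get the correct error response if the media type is unacceptable.
+ */
+ @Test
+ public void testMissingGrantType() throws Exception {
+ HttpHeaders headers = new HttpHeaders();
+ headers.set("Authorization", String.format("Basic %s", new String(Base64.encode("my-trusted-client:".getBytes()))));
+ headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
+ ResponseEntity<String> response = serverRunning.getForString("/sparklr2/oauth/token", headers);
+ assertEquals(HttpStatus.BAD_REQUEST, response.getStatusCode());
+ assertTrue(response.getBody().contains("invalid_request"));
+ }
+
 static class ResourceOwner extends ResourceOwnerPasswordResourceDetails {
 public ResourceOwner(Object target) {
 setClientId("my-trusted-client");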
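Review bot: The Javadoc on the new testMissingGrantType method was copied from the media-type test and describes the wrong scenario ("if the media type is unacceptable"); replace it with `/** Tests that a token request with no grant_type is rejected with a 400 invalid_request error. */`. The `"my-trusted-client:".getBytes()` call on the Authorization line uses the platform default charset; `getBytes("UTF-8")` would make the encoding explicit even though this particular value is plain ASCII. The test class and the ResourceOwner nested class continue outside the hunk.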
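--- a/...g-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java
+++ b/...g-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java
@@ -28,11 +28,13 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
+import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
 import org.springframework.security.oauth2.provider.NoSuchClientException;
+import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -60,7 +62,8 @@
 @RequestMapping
 public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
- @RequestParam("grant_type") String grantType, @RequestParam Map<String, String> parameters) {
+ @RequestParam(value = "grant_type", required = false) String grantType,
+ @RequestParam Map<String, String> parameters) {
 if (!(principal instanceof Authentication)) {
 throw new InsufficientAuthenticationException(
@@ -75,6 +78,10 @@
 String clientId = client.getName();
 request.put("client_id", clientId);
+ if (!StringUtils.hasText(grantType)) {
+ throw new InvalidRequestException("Missing grant type");
+ }
+
 getAuthorizationRequestManager().validateParameters(parameters,
 getClientDetailsService().loadClientByClientId(clientId));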
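Review bot: The new `required = false` on the grant_type parameter in the second hunk carries no comment explaining why a previously required parameter was made optional, so a later reader may "fix" it back and silently replace the InvalidRequestException path with Spring's generic missing-parameter 400. Suggest a comment above that parameter: `// required=false so a missing grant_type is reported as an OAuth2 invalid_request error below, not as a generic Spring 400`. The presence check in the third hunk runs only after the principal has been verified to be an Authentication and the client id resolved, which is the right order (unauthenticated callers are rejected first), but a one-line comment stating that it is deliberately placed before validateParameters would make that intent explicit. getAccessToken starts and ends outside these hunks.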