RequestCacheSpec not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure #7721

Closed
sdoxsee opened this issue Dec 11, 2019 · 1 comment · Fixed by #7734
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug

sdoxsee commented Dec 11, 2019

Summary

The RequestCache set in the RequestCacheSpec is not used on RedirectServerAuthenticationEntryPoint for OAuth2LoginSpec.configure

Actual Behavior

From ServerHttpSecurity

public class OAuth2LoginSpec {

	//...

	protected void configure(ServerHttpSecurity http) {

		//...

		// The redirect filter does receive the cache configured on RequestCacheSpec
		oauthRedirectFilter.setRequestCache(http.requestCache.requestCache);

		//...

		MediaTypeServerWebExchangeMatcher htmlMatcher = new MediaTypeServerWebExchangeMatcher(
				MediaType.TEXT_HTML);
		htmlMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
		Map<String, String> urlToText = http.oauth2Login.getLinks();
		// Neither entry point below has setRequestCache(...) called on it
		if (urlToText.size() == 1) {
			http.defaultEntryPoints.add(new DelegateEntry(htmlMatcher, new RedirectServerAuthenticationEntryPoint(urlToText.keySet().iterator().next())));
		} else {
			http.defaultEntryPoints.add(new DelegateEntry(htmlMatcher, new RedirectServerAuthenticationEntryPoint("/login")));
		}

		http.addFilterAt(oauthRedirectFilter, SecurityWebFiltersOrder.HTTP_BASIC);
		http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION);
	}

	//...
}

RedirectServerAuthenticationEntryPoint's RequestCache remains the default WebSessionServerRequestCache rather than the one set on the RequestCacheSpec for ServerHttpSecurity

Expected Behavior

I would think that RedirectServerAuthenticationEntryPoint should use the RequestCacheSpec's RequestCache

Configuration

See sample below

Version

Spring Security 5.2.1

Sample

See README and sample code on https://github.com/sdoxsee/gateway-sample
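
On an affected version, one way to keep the entry point and the success handler on the same cache as the `RequestCacheSpec` is to wire both explicitly. This is an added example, not code from the issue or from Spring Security; the class name `SecurityConfig`, the registration id `example` and the choice of `NoOpServerRequestCache` are assumptions, and a matching OAuth2 client registration is assumed to exist.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;

@EnableWebFluxSecurity
public class SecurityConfig { // hypothetical class name

	@Bean
	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
		// One cache instance shared by every component that saves or replays a request.
		// NoOpServerRequestCache is an assumed choice (nothing is stored in the WebSession).
		ServerRequestCache cache = NoOpServerRequestCache.getInstance();

		// Explicit entry point: an entry point set here takes precedence over the
		// defaults that OAuth2LoginSpec.configure registers, and it applies to every
		// request, not only those matching text/html.
		// "example" is a placeholder registration id.
		RedirectServerAuthenticationEntryPoint entryPoint =
				new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/example");
		entryPoint.setRequestCache(cache);

		// The success handler reads the saved request, so it must use the same cache.
		RedirectServerAuthenticationSuccessHandler successHandler =
				new RedirectServerAuthenticationSuccessHandler();
		successHandler.setRequestCache(cache);

		http
			.authorizeExchange().anyExchange().authenticated()
			.and().requestCache().requestCache(cache)
			.and().exceptionHandling().authenticationEntryPoint(entryPoint)
			.and().oauth2Login().authenticationSuccessHandler(successHandler);
		return http.build();
	}
}
```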

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 11, 2019
@fhanik fhanik added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 12, 2019
@fhanik fhanik added this to the 5.3.0.M1 milestone Dec 12, 2019
@fhanik fhanik added the status: waiting-for-triage An issue we've not yet triaged label Dec 12, 2019
@fhanik fhanik self-assigned this Dec 12, 2019
@fhanik fhanik removed the status: waiting-for-triage An issue we've not yet triaged label Dec 12, 2019
@fhanik fhanik added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Dec 12, 2019
fhanik added a commit to fhanik/spring-security that referenced this issue Dec 17, 2019
on for the default authentication entry point and authentication
success handler

Fixes spring-projectsgh-7721

spring-projects#7721

Set RequestCache on the Oauth2LoginSpec default authentication success handler

import static ReflectionTestUtils.getField

Feedback incorporated per

spring-projects#7734 (review)
@fhanik fhanik added the for: backport-to-5.2.x Designates an issue for backport to 5.2.x label Dec 17, 2019
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.2.x Designates an issue for backport to 5.2.x labels Dec 17, 2019
fhanik added a commit that referenced this issue Dec 17, 2019
on for the default authentication entry point and authentication
success handler

Fixes gh-7721

#7721

Set RequestCache on the Oauth2LoginSpec default authentication success handler

import static ReflectionTestUtils.getField

Feedback incorporated per

#7734 (review)

sdoxsee commented Dec 17, 2019

Thanks @fhanik!

fhanik added a commit to fhanik/spring-security that referenced this issue Dec 18, 2019
fhanik added a commit that referenced this issue Dec 18, 2019