DefaultLoginPageGeneratingFilter escapes OAuth2 ClientRegistrations
Fixes gh-5394
This commit is contained in:
@@ -15,6 +15,16 @@
|
||||
*/
|
||||
package org.springframework.security.web.authentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.Locale;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.context.support.MessageSourceAccessor;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
@@ -26,15 +36,6 @@ import org.springframework.security.core.SpringSecurityMessageSource;
|
||||
import org.springframework.security.web.WebAttributes;
|
||||
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.util.Collections;
|
||||
import java.util.Locale;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Luke Taylor
|
||||
@@ -187,4 +188,21 @@ public class DefaultLoginPageGeneratingFilterTests {
|
||||
|
||||
filter.doFilter(request, new MockHttpServletResponse(), chain);
|
||||
}
|
||||
|
||||
// gh-5394
|
||||
@Test
|
||||
public void generatesForOAuth2LoginAndEscapesClientName() throws Exception {
|
||||
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter();
|
||||
filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
|
||||
filter.setOauth2LoginEnabled(true);
|
||||
|
||||
String clientName = "Google < > \" \' &";
|
||||
filter.setOauth2AuthenticationUrlToClientName(
|
||||
Collections.singletonMap("/oauth2/authorization/google", clientName));
|
||||
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
filter.doFilter(new MockHttpServletRequest("GET", "/login"), response, chain);
|
||||
|
||||
assertThat(response.getContentAsString()).contains("<a href=\"/oauth2/authorization/google\">Google < > " ' &</a>");
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user