Spring Security OAuth
SECOAUTH-409

OAuth2ClientContextFilter throws IllegalArgumentException for invalid query parameters

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 1.0.2
    • Fix Version/s: 2.0.0
    • Component/s: OAuth 2
    • Labels: None

      Description

      If the OAuth2ClientContextFilter is installed in a Spring Security filter chain, it throws IllegalArgumentException when any query string is invalid (i.e. can't be parsed by org.springframework.web.util.UriComponents). Even requests which will not be involved in OAuth2 cannot pass through the filter.

      It may depend on the servlet container, but Tomcat (7.x) does allow requests to be handled by a servlet even if portions of the URL (query string) are invalid. If the OAuth2ClientContextFilter is installed, the requests cannot be handled because of the IllegalArgumentException.

      Example Stack Trace:
      java.lang.IllegalArgumentException: Invalid character '"' for QUERY_PARAM in "nirv"%20onmouseover"
      org.springframework.web.util.UriComponents.verifyUriComponent(UriComponents.java:373)
      org.springframework.web.util.UriComponents.verify(UriComponents.java:341)
      org.springframework.web.util.UriComponents.<init>(UriComponents.java:105)
      org.springframework.web.util.UriComponentsBuilder.build(UriComponentsBuilder.java:222)
      org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.calculateCurrentUri(OAuth2ClientContextFilter.java:130)
      org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:54)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)

      A proposed fix would be to catch the IllegalArgumentException in OAuth2ClientContextFilter.calculateCurrentUri and return null.
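      The failure mode and the proposed fix, as an added example that is not code from spring-security-oauth. It reproduces the trace above with a plain URL string instead of an HttpServletRequest: UriComponentsBuilder.build(true) declares the components already encoded, so UriComponents verifies them and rejects the raw '"' in the query with IllegalArgumentException. The "before" method lets that escape, as the 1.0.2 filter did; the "after" method catches it and returns null, as the description proposes. It assumes spring-web (3.1 or later) on the classpath; the parameter name currentUri and the sample query strings are constructed for the example, not taken from the project.

```java
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Added example, not spring-security-oauth code. Reproduces SECOAUTH-409 with a
 * URL string rather than a servlet request and shows the proposed fix.
 * Requires spring-web on the classpath.
 */
public class CurrentUriDemo {

    /** Query parameter stripped before redirecting; the name is an assumption here. */
    static final String CURRENT_URI = "currentUri";

    /**
     * Before the fix: build(true) tells UriComponents the input is already encoded,
     * so it verifies every component and throws IllegalArgumentException for a
     * character such as '"' in a query parameter. Nothing here catches it, so the
     * exception propagates out of the filter and the request never reaches the servlet.
     */
    static String calculateCurrentUriBefore(String requestUrl, String queryString) {
        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(requestUrl);
        if (queryString != null) {
            builder.replaceQuery(queryString);
        }
        UriComponents uri = builder.replaceQueryParam(CURRENT_URI).build(true);
        return uri.toUriString();
    }

    /**
     * After the fix: same construction, but an unparseable URL (including its query
     * string) yields null instead of an exception, so the filter can pass the request
     * down the chain with no remembered current URI.
     */
    static String calculateCurrentUriAfter(String requestUrl, String queryString) {
        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(requestUrl);
        if (queryString != null) {
            builder.replaceQuery(queryString);
        }
        try {
            UriComponents uri = builder.replaceQueryParam(CURRENT_URI).build(true);
            return uri.toUriString();
        } catch (IllegalArgumentException ex) {
            return null;
        }
    }

    public static void main(String[] args) {
        String url = "http://localhost:8080/app/page";
        // Constructed inputs: a well-formed query string, and one carrying the raw
        // '"' characters from the stack trace in this issue.
        String good = "currentUri=x&q=hello%20world";
        String bad = "q=\"nirv\"%20onmouseover\"";

        System.out.println("after, valid query:   " + calculateCurrentUriAfter(url, good));
        System.out.println("after, invalid query: " + calculateCurrentUriAfter(url, bad));

        try {
            calculateCurrentUriBefore(url, bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("before, invalid query: " + ex.getMessage());
        }
    }
}
```

      The trade-off of the catch is visible in the "after" method: a request with a malformed query string gets no current URI recorded, so a later OAuth2 redirect could not return to it. As the description notes, such requests typically are not part of an OAuth2 flow at all, so letting them through is preferable to failing every request in the chain.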

        Activity

        Casey Lucas added a comment -

        I fixed this and added a test case. Pull request: https://github.com/SpringSource/spring-security-oauth/pull/77

        Dave Syer added a comment -

        Merged, thanks.


          People

          • Assignee: Dave Syer
          • Reporter: Casey Lucas
          • Votes: 0
          • Watchers: 2
