From b1656be3d094677e666520acae44584a2c4abaf1 Mon Sep 17 00:00:00 2001
From: Phillip Webb
Date: Tue, 12 Apr 2016 14:32:31 -0700
Subject: [PATCH 1/2] Fix possible binder IndexOutOfBoundsException
Update RelaxedDataBinder.extendCollectionIfNecessary to use the current index when checking if the path node is an array.
Fixes gh-5635
---
 .../boot/bind/RelaxedDataBinder.java | 4 ++--
 .../boot/bind/RelaxedDataBinderTests.java | 24 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/spring-boot/src/main/java/org/springframework/boot/bind/RelaxedDataBinder.java b/spring-boot/src/main/java/org/springframework/boot/bind/RelaxedDataBinder.java
index cc3553a4b32..44ba7ae7ee0 100644
--- a/spring-boot/src/main/java/org/springframework/boot/bind/RelaxedDataBinder.java
+++ b/spring-boot/src/main/java/org/springframework/boot/bind/RelaxedDataBinder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2015 the original author or authors.
+ * Copyright 2012-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -343,7 +343,7 @@ public class RelaxedDataBinder extends DataBinder {
 return;
 }
 Object extend = new LinkedHashMap();
- if (!elementDescriptor.isMap() && path.isArrayIndex(index + 1)) {
+ if (!elementDescriptor.isMap() && path.isArrayIndex(index)) {
 extend = new ArrayList();
 }
 wrapper.setPropertyValue(path.prefix(index + 1), extend);
diff --git a/spring-boot/src/test/java/org/springframework/boot/bind/RelaxedDataBinderTests.java b/spring-boot/src/test/java/org/springframework/boot/bind/RelaxedDataBinderTests.java
index 5e035e7e107..dad4835a643 100644
--- a/spring-boot/src/test/java/org/springframework/boot/bind/RelaxedDataBinderTests.java
+++ b/spring-boot/src/test/java/org/springframework/boot/bind/RelaxedDataBinderTests.java
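Review bot: The corrected condition now tests `path.isArrayIndex(index)` while the very next line still writes to `path.prefix(index + 1)`, and nothing in the hunk says why the two offsets differ, so the asymmetry reads like the same off-by-one the commit just fixed. If `prefix(index + 1)` is the path up to and including node `index` (I cannot confirm that from the hunk alone), a one-line comment above the `if` would spare the next reader the detour, e.g. `// node 'index' is the one being created here; prefix(index + 1) names the path through it`. The enclosing extendCollectionIfNecessary starts and ends outside the hunk, so the surrounding bounds checks are not visible for review.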
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2015 the original author or authors.
+ * Copyright 2012-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -648,6 +648,16 @@ public class RelaxedDataBinderTests {
 assertEquals("boo", target.getFooBaz());
 }
 
+ @Test
+ public void testIndexBounds() throws Exception {
+ VanillaTarget target = new VanillaTarget();
+ RelaxedDataBinder binder = getBinder(target, "test");
+ MutablePropertyValues values = new MutablePropertyValues();
+ values.add("test.objects[0]", "teststring");
+ binder.bind(values);
+ assertEquals("teststring", target.getObjects().get(0));
+ }
+
 private void doTestBindCaseInsensitiveEnums(VanillaTarget target) throws Exception {
 BindingResult result = bind(target, "bingo: THIS");
 assertThat(result.getErrorCount(), equalTo(0));
@@ -1006,6 +1016,8 @@ public class RelaxedDataBinderTests {
 
 private List bingos;
 
+ private List objects;
+
 public char[] getBar() {
 return this.bar;
 }
@@ -1061,6 +1073,15 @@ public class RelaxedDataBinderTests {
 public void setBingos(List bingos) {
 this.bingos = bingos;
 }
+
+ public List getObjects() {
+ return this.objects;
+ }
+
+ public void setObjects(List objects) {
+ this.objects = objects;
+ }
+
 }
 
 enum Bingo {
@@ -1081,4 +1102,5 @@ public class RelaxedDataBinderTests {
 }
 }
 
+
 }
From 8542f4f48129db5b410b7db7e30f05fa011f05f5 Mon Sep 17 00:00:00 2001
From: Sergey Pauk
Date: Sat, 30 Jan 2016 04:17:25 +0200
Subject: [PATCH 2/2] Make UserInfoTokenServices.getPrincipal protected
Update UserInfoTokenServices.getPrincipal() so that it can be overridden by subclasses to allow a custom authenticated principal to be returned from the authorized request parameters.
Fixes gh-5053
---
 .../security/oauth2/resource/UserInfoTokenServices.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
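Review bot: `testIndexBounds` in the @@ -648 hunk pins the fix but never says what it regresses against, and its name does not mention the indexed-element-onto-null-list case it exercises; a comment such as `// gh-5635: binding "objects[0]" onto a target whose list is still null must not throw` would tie it to the issue (the exception detail comes from the commit title, not from the hunk itself). The assertion also dereferences `target.getObjects().get(0)` directly, so a null list would surface as a NullPointerException instead of an assertion message; an `assertNotNull(target.getObjects());` on the line before would give a clearer failure. Separately, the last hunk at @@ -1081 adds a blank line immediately before the class's closing brace, which looks accidental.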
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServices.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServices.java
index f36fd3e9b84..f09c60234ad 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServices.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServices.java
@@ -99,7 +99,13 @@ public class UserInfoTokenServices implements ResourceServerTokenServices {
 return new OAuth2Authentication(request, token);
 }
 
- private Object getPrincipal(Map map) {
+ /**
+ * Return the principal that should be used for the token. The default implementation
+ * looks for well know {@code user*} keys in the map.
+ * @param map the source map
+ * @return the principal or {@literal "unknown"}
+ */
+ protected Object getPrincipal(Map map) {
 for (String key : PRINCIPAL_KEYS) {
 if (map.containsKey(key)) {
 return map.get(key);
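Review bot: The Javadoc on the newly protected `getPrincipal` has a typo (`well know` should be `well-known`) and leaves the override contract unstated: now that subclasses choose the principal, it should say whether an override may return null and that the returned object becomes the authenticated principal for the token (presumably via the `OAuth2Authentication` constructed just above the hunk; the `"unknown"` fallback the `@return` mentions is outside the hunk, as is the rest of the method body). Suggested `@return` wording: `@return the principal, never {@code null}; the default returns {@literal "unknown"} when none of the known keys is present`, adjusted if null is in fact tolerated downstream. A sentence stating what `map` is (it appears to be the decoded user-info response, so overrides should rely only on keys that endpoint guarantees) would also help implementers pick a stable identifier rather than a display field.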