From a3e38fec47d251b33273c3b1df7d086f3a0ff81a Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Sun, 29 Oct 2017 19:24:56 -0500
Subject: [PATCH] Remove AuthorizationRequestUriBuilder

Make this API private since we don't have concrete use cases for exposing it yet.
Fixes gh-4742
---
.../annotation/web/builders/HttpSecurity.java | 6 +--
.../client/ImplicitGrantConfigurer.java | 11 -----
.../oauth2/client/OAuth2LoginConfigurer.java | 15 +-----
.../AuthorizationRequestUriBuilder.java | 46 -------------------
...th2AuthorizationRequestRedirectFilter.java | 13 ++----
.../OAuth2AuthorizationRequestUriBuilder.java | 9 ++--
...thorizationRequestRedirectFilterTests.java | 16 +------
...h2AuthorizationRequestUriBuilderTests.java | 3 +-
8 files changed, 13 insertions(+), 106 deletions(-)
delete mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AuthorizationRequestUriBuilder.java
rename oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/{endpoint => web}/OAuth2AuthorizationRequestUriBuilder.java (84%)
rename oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/{endpoint => web}/OAuth2AuthorizationRequestUriBuilderTests.java (92%)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
index 67b4771ded..df8ba29059 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -63,7 +63,6 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer; import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; -import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder; import org.springframework.security.web.DefaultSecurityFilterChain; import org.springframework.security.web.PortMapper; import org.springframework.security.web.PortMapperImpl; @@ -947,8 +946,8 @@ public final class HttpSecurity extends * At this point in the "authentication flow", the configured * {@link OAuth2AccessTokenResponseClient} * will getTokenResponse the Authorization Code for an Access Token and then use it to access the protected resource - * at the UserInfo Endpoint (via {@link org.springframework.security.oauth2.client.user.OAuth2UserService}) - * in order to retrieve the details of the Resource Owner (end-user) and establish the "authenticated" session. + * at the UserInfo Endpoint in order to retrieve the details of the Resource Owner (end-user) and establish the + * "authenticated" session. * *

Example Configurations

* @@ -1040,7 +1039,6 @@ public final class HttpSecurity extends * @see Section 4.1.2 Authorization Response * @see org.springframework.security.oauth2.client.registration.ClientRegistration * @see org.springframework.security.oauth2.client.registration.ClientRegistrationRepository - * @see AuthorizationRequestUriBuilder * @see OAuth2AccessTokenResponseClient * @see org.springframework.security.oauth2.client.user.OAuth2UserService * diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java index 0a74fb1fce..70cea07f8a 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java @@ -20,7 +20,6 @@ import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter; -import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder; import org.springframework.util.Assert; /** @@ -33,7 +32,6 @@ public final class ImplicitGrantConfigurer> ext AbstractHttpConfigurer, B> { private String authorizationRequestBaseUri; - private AuthorizationRequestUriBuilder authorizationRequestUriBuilder; public ImplicitGrantConfigurer authorizationRequestBaseUri(String authorizationRequestBaseUri) { Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty"); 
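Review bot: In the HttpSecurity Javadoc hunk at `@@ -947,8 +946,8 @@`, the context line just above the rewritten sentence reads `will getTokenResponse the Authorization Code for an Access Token`, which looks like a leftover from an identifier rename rather than intended prose. Since the sentence is being re-wrapped anyway, I would restore the verb, e.g. `will exchange the Authorization Code for an Access Token`. The rewrite also drops the inline `{@link org.springframework.security.oauth2.client.user.OAuth2UserService}` reference, which is unrelated to removing AuthorizationRequestUriBuilder and is still listed as an `@see` in the following hunk; keeping the link would tell readers which component calls the UserInfo Endpoint. The Javadoc block starts and ends outside the hunk.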
@@ -41,12 +39,6 @@ public final class ImplicitGrantConfigurer> ext return this; } - public ImplicitGrantConfigurer authorizationRequestUriBuilder(AuthorizationRequestUriBuilder authorizationRequestUriBuilder) { - Assert.notNull(authorizationRequestUriBuilder, "authorizationRequestUriBuilder cannot be null"); - this.authorizationRequestUriBuilder = authorizationRequestUriBuilder; - return this; - } - public ImplicitGrantConfigurer clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) { Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository); @@ -57,9 +49,6 @@ public final class ImplicitGrantConfigurer> ext public void configure(B http) throws Exception { OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter( this.getAuthorizationRequestBaseUri(), this.getClientRegistrationRepository()); - if (this.authorizationRequestUriBuilder != null) { - authorizationRequestFilter.setAuthorizationRequestUriBuilder(this.authorizationRequestUriBuilder); - } http.addFilter(this.postProcess(authorizationRequestFilter)); } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java index 0456186fcf..5b4172b778 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java 
@@ -22,9 +22,8 @@ import org.springframework.security.config.annotation.web.configurers.AbstractAu import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService; import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider; -import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder; -import org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient; import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; +import org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient; import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest; import org.springframework.security.oauth2.client.jwt.JwtDecoderRegistry; import org.springframework.security.oauth2.client.jwt.NimbusJwtDecoderRegistry; @@ -96,7 +95,6 @@ public final class OAuth2LoginConfigurer> exten public class AuthorizationEndpointConfig { private String authorizationRequestBaseUri; - private AuthorizationRequestUriBuilder authorizationRequestUriBuilder; private AuthorizationRequestRepository authorizationRequestRepository; private AuthorizationEndpointConfig() { 
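Review bot: The import hunk at `@@ -22,9 +22,8 @@` does more than drop `AuthorizationRequestUriBuilder`: it also moves `OAuth2AccessTokenResponseClient` ahead of `NimbusAuthorizationCodeTokenResponseClient`, which takes the `endpoint` imports out of alphabetical order and adds churn unrelated to the commit. I would leave the two remaining imports in their original order, with `NimbusAuthorizationCodeTokenResponseClient` first, so the hunk contains only the removal.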
@@ -108,12 +106,6 @@ public final class OAuth2LoginConfigurer> exten return this; } - public AuthorizationEndpointConfig authorizationRequestUriBuilder(AuthorizationRequestUriBuilder authorizationRequestUriBuilder) { - Assert.notNull(authorizationRequestUriBuilder, "authorizationRequestUriBuilder cannot be null"); - this.authorizationRequestUriBuilder = authorizationRequestUriBuilder; - return this; - } - public AuthorizationEndpointConfig authorizationRequestRepository(AuthorizationRequestRepository authorizationRequestRepository) { Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null"); this.authorizationRequestRepository = authorizationRequestRepository; @@ -277,10 +269,7 @@ public final class OAuth2LoginConfigurer> exten OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter( authorizationRequestBaseUri, this.getClientRegistrationRepository()); - if (this.authorizationEndpointConfig.authorizationRequestUriBuilder != null) { - authorizationRequestFilter.setAuthorizationRequestUriBuilder( - this.authorizationEndpointConfig.authorizationRequestUriBuilder); - } + if (this.authorizationEndpointConfig.authorizationRequestRepository != null) { authorizationRequestFilter.setAuthorizationRequestRepository( this.authorizationEndpointConfig.authorizationRequestRepository); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AuthorizationRequestUriBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AuthorizationRequestUriBuilder.java deleted file mode 100644 index ec35b55917..0000000000 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AuthorizationRequestUriBuilder.java +++ /dev/null 
@@ -1,46 +0,0 @@ -/* - * Copyright 2002-2017 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.oauth2.client.endpoint; - - -import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; - -import java.net.URI; - -/** - * Implementations of this interface are responsible for building an OAuth 2.0 Authorization Request, - * which is used as the redirect URI to the Authorization Endpoint. - * - *

- * The returned redirect URI will include the following parameters as query components to the - * Authorization Endpoint (using the "application/x-www-form-urlencoded" format): - *

    - *
  • client identifier (required)
  • - *
  • response type (required)
  • - *
  • requested scope(s) (optional)
  • - *
  • state (recommended)
  • - *
  • redirection URI (optional) - the authorization server will send the user-agent back to once access is granted (or denied) by the end-user (resource owner)
  • - *
- * - * @author Joe Grandja - * @since 5.0 - * @see OAuth2AuthorizationRequest - * @see Section 4.1.1 Authorization Request - */ -public interface AuthorizationRequestUriBuilder { - - URI build(OAuth2AuthorizationRequest authorizationRequest); -} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java index 92676ccbc9..10ce43e7c0 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java @@ -18,12 +18,10 @@ package org.springframework.security.oauth2.client.web; import org.springframework.http.HttpStatus; import org.springframework.security.crypto.keygen.Base64StringKeyGenerator; import org.springframework.security.crypto.keygen.StringKeyGenerator; -import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationRequestUriBuilder; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; -import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder; import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; import org.springframework.security.web.DefaultRedirectStrategy; import org.springframework.security.web.RedirectStrategy; @@ -47,17 +45,17 @@ import java.util.Map; * by redirecting the end-user's user-agent to the authorization server's Authorization Endpoint. * *

- * It uses an {@link AuthorizationRequestUriBuilder} to build the OAuth 2.0 Authorization Request, + * It builds the OAuth 2.0 Authorization Request, * which is used as the redirect URI to the Authorization Endpoint. * The redirect URI will include the client identifier, requested scope(s), state, * response type, and a redirection URI which the authorization server will send the user-agent back to * once access is granted (or denied) by the end-user (resource owner). * * @author Joe Grandja + * @author Rob Winch * @since 5.0 * @see OAuth2AuthorizationRequest * @see AuthorizationRequestRepository - * @see AuthorizationRequestUriBuilder * @see ClientRegistration * @see ClientRegistrationRepository * @see Section 4.1 Authorization Code Grant @@ -70,7 +68,7 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt private static final String REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId"; private final AntPathRequestMatcher authorizationRequestMatcher; private final ClientRegistrationRepository clientRegistrationRepository; - private AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new OAuth2AuthorizationRequestUriBuilder(); + private final OAuth2AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new OAuth2AuthorizationRequestUriBuilder(); private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy(); private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder()); private AuthorizationRequestRepository authorizationRequestRepository = 
@@ -90,11 +88,6 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt this.clientRegistrationRepository = clientRegistrationRepository; } - public final void setAuthorizationRequestUriBuilder(AuthorizationRequestUriBuilder authorizationRequestUriBuilder) { - Assert.notNull(authorizationRequestUriBuilder, "authorizationRequestUriBuilder cannot be null"); - this.authorizationRequestUriBuilder = authorizationRequestUriBuilder; - } - public final void setAuthorizationRequestRepository(AuthorizationRequestRepository authorizationRequestRepository) { Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null"); this.authorizationRequestRepository = authorizationRequestRepository; diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilder.java similarity index 84% rename from oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilder.java rename to oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilder.java index 1bf719e17f..b5840976ff 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilder.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilder.java 
@@ -13,7 +13,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.springframework.security.oauth2.client.endpoint; +package org.springframework.security.oauth2.client.web; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; @@ -24,19 +24,16 @@ import java.net.URI; import java.util.Set; /** - * The default implementation of an {@link AuthorizationRequestUriBuilder}, - * which internally uses a {@link UriComponentsBuilder} to construct the OAuth 2.0 Authorization Request. + * Uses a {@link UriComponentsBuilder} to construct the OAuth 2.0 Authorization Request. * * @author Joe Grandja * @since 5.0 - * @see AuthorizationRequestUriBuilder * @see OAuth2AuthorizationRequest * @see Section 4.1.1 Authorization Code Grant Request * @see Section 4.2.1 Implicit Grant Request */ -public class OAuth2AuthorizationRequestUriBuilder implements AuthorizationRequestUriBuilder { +class OAuth2AuthorizationRequestUriBuilder { - @Override public URI build(OAuth2AuthorizationRequest authorizationRequest) { Set scopes = authorizationRequest.getScopes(); UriComponentsBuilder uriBuilder = UriComponentsBuilder diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java index e6cc432b45..13bb140bac 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java 
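Review bot: In the hunk at `@@ -24,19 +24,16 @@`, `OAuth2AuthorizationRequestUriBuilder` becomes package-private but `build` keeps its `public` modifier and the class stays non-final, so the declaration still reads like an extension point. Since the commit's stated goal is to make this API private, I would declare it `final class OAuth2AuthorizationRequestUriBuilder {` and reduce the method to `URI build(OAuth2AuthorizationRequest authorizationRequest) {`. That keeps construction of the authorization request URI (client id, state, redirect URI) in one non-overridable place. The class Javadoc could also say that this is an internal helper of OAuth2AuthorizationRequestRedirectFilter and not part of the supported API. The body of `build` continues outside the hunk.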
@@ -24,7 +24,6 @@ import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; -import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder; import javax.servlet.FilterChain; import javax.servlet.http.HttpServletRequest; @@ -78,7 +77,7 @@ public class OAuth2AuthorizationRequestRedirectFilterTests { Mockito.verifyZeroInteractions(filterChain); // Request should not proceed up the chain - Assertions.assertThat(response.getRedirectedUrl()).isEqualTo(authorizationUri); + Assertions.assertThat(response.getRedirectedUrl()).matches("https://accounts.google.com/o/oauth2/auth\\?response_type=code&client_id=google-client-id&scope=openid%20email%20profile&state=.{15,}&redirect_uri=https://localhost:8080/login/oauth2/code/google"); } @Test 
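Review bot: The regex in the new redirect assertion (hunk `@@ -78,7 +77,7 @@`) is looser than it looks: `state=.{15,}` lets `.` run across `&`, so a URL with extra parameters between `state` and `redirect_uri` would still match, and the dots in the host names are unescaped. Because `state` is the value that ties the callback to this request, I would pin it to a single parameter with `state=[^&]{15,}` and quote the fixed parts of the URL (for example with `Pattern.quote`). If the test can read the saved authorization request, asserting that the redirected `state` equals the stored one would be stronger still; whether that is reachable from here is not visible in the hunk. The test method starts outside the hunk.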
@@ -117,21 +116,8 @@ public class OAuth2AuthorizationRequestRedirectFilterTests { private OAuth2AuthorizationRequestRedirectFilter setupFilter(String authorizationUri, ClientRegistration... clientRegistrations) throws Exception { - - AuthorizationRequestUriBuilder authorizationUriBuilder = Mockito.mock(AuthorizationRequestUriBuilder.class); - URI authorizationURI = new URI(authorizationUri); - Mockito.when(authorizationUriBuilder.build(Matchers.any(OAuth2AuthorizationRequest.class))).thenReturn(authorizationURI); - - return setupFilter(authorizationUriBuilder, clientRegistrations); - } - - private OAuth2AuthorizationRequestRedirectFilter setupFilter(AuthorizationRequestUriBuilder authorizationUriBuilder, - ClientRegistration... clientRegistrations) throws Exception { - ClientRegistrationRepository clientRegistrationRepository = TestUtil.clientRegistrationRepository(clientRegistrations); OAuth2AuthorizationRequestRedirectFilter filter = new OAuth2AuthorizationRequestRedirectFilter(clientRegistrationRepository); - filter.setAuthorizationRequestUriBuilder(authorizationUriBuilder); - return filter; } } diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilderTests.java similarity index 92% rename from oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilderTests.java rename to oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilderTests.java index 16ffae4ca5..98ce79f3ac 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilderTests.java 
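Review bot: After this hunk `setupFilter(String authorizationUri, ClientRegistration... clientRegistrations)` no longer reads `authorizationUri`; the remaining body only builds the repository and the filter. I would drop the dead parameter, `private OAuth2AuthorizationRequestRedirectFilter setupFilter(ClientRegistration... clientRegistrations)`, and update the callers, so the tests do not suggest that the expected URL is still being injected. The `java.net.URI` and `Matchers` imports, and possibly `throws Exception`, are likely unused now as well, but the import block and the callers are outside this hunk, so that needs checking.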
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilderTests.java @@ -14,9 +14,10 @@ * limitations under the License. */ -package org.springframework.security.oauth2.client.endpoint; +package org.springframework.security.oauth2.client.web; import org.junit.Test; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestUriBuilder; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; import java.net.URI;