From f769ff98c7b0c7aba42dd67538f6912c8e0d2ef7 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Tue, 28 May 2019 10:36:40 -0600
Subject: [PATCH] Simplify Default Configuration

Switching off matchSubdomains by default for a simpler initial configuration.
---
 .../oauth2/provider/endpoint/DefaultRedirectResolver.java | 2 +-
 .../provider/code/SubdomainRedirectResolverTests.java | 8 +++++++-
 .../provider/endpoint/DefaultRedirectResolverTests.java | 8 ++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
index 714bc191c..6719218f6 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java
@@ -43,7 +43,7 @@ public class DefaultRedirectResolver implements RedirectResolver {
 private Collection redirectGrantTypes = Arrays.asList("implicit", "authorization_code");
- private boolean matchSubdomains = true;
+ private boolean matchSubdomains = false;
 private boolean matchPorts = true;
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
index f10492cd4..901c03dc4 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/SubdomainRedirectResolverTests.java
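Review bot: The flipped default on `private boolean matchSubdomains = false;` changes behaviour for every deployment that relied on a registered `https://anywhere.com` also authorizing `https://2.anywhere.com`, yet the field carries no comment recording that this is deliberate. A one-line why-comment would help the next maintainer: `// Off by default: a registered redirect host authorizes only itself, not its subdomains (opt in via setMatchSubdomains).` If the Javadoc on setMatchSubdomains, which lies outside this hunk, still describes the old default, it needs the same update, and the change is worth flagging as behaviour-breaking in the release notes rather than only in the commit subject.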
@@ -7,6 +7,7 @@ import java.util.HashSet;
 import java.util.Set;
+import org.junit.Before;
 import org.junit.Test;
 import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
 import org.springframework.security.oauth2.provider.client.BaseClientDetails;
@@ -14,17 +15,22 @@ public class SubdomainRedirectResolverTests {
- private final DefaultRedirectResolver resolver = new DefaultRedirectResolver();
+ private DefaultRedirectResolver resolver;
 private final BaseClientDetails client = new BaseClientDetails();
 {
 client.setAuthorizedGrantTypes(Collections.singleton("authorization_code"));
 }
+ @Before
+ public void setup() {
+ resolver = new DefaultRedirectResolver();
+ }
 @Test
 public void testRedirectMatch() throws Exception {
+ resolver.setMatchSubdomains(true);
 Set redirectUris = new HashSet(Arrays.asList("https://watchdox.com"));
 client.setRegisteredRedirectUri(redirectUris);
 String requestedRedirect = "https://anywhere.watchdox.com";
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
index e981a83cd..fc767f5fb 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java
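Review bot: Only testRedirectMatch calls `resolver.setMatchSubdomains(true);`, while the new `setup()` now hands every other test in SubdomainRedirectResolverTests a resolver with subdomain matching off; the rest of the class is outside this hunk, so I cannot tell whether those tests still pass or whether any of them intentionally exercises the exact-host default. Since the class exists to cover subdomain matching, the clearer shape is to enable it once in the fixture, `resolver = new DefaultRedirectResolver(); resolver.setMatchSubdomains(true);`, and give any default-behaviour test its own explicitly named method. The `client` field is still populated by an instance initializer block beside the new @Before method; moving that wiring into `setup()` would keep all fixture construction in one place.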
@@ -136,12 +136,20 @@ public void testRedirectNotMatchingSubdomain() throws Exception {
 // gh-747
 @Test
 public void testRedirectMatchingSubdomain() throws Exception {
+ resolver.setMatchSubdomains(true);
 Set redirectUris = new HashSet(Arrays.asList("https://anywhere.com/foo"));
 String requestedRedirect = "https://2.anywhere.com/foo";
 client.setRegisteredRedirectUri(redirectUris);
 assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 }
+ @Test(expected = RedirectMismatchException.class)
+ public void testRedirectMatchSubdomainsDefaultsFalse() {
+ Set redirectUris = new HashSet(Arrays.asList("https://anywhere.com"));
+ client.setRegisteredRedirectUri(redirectUris);
+ resolver.resolveRedirect("https://2.anywhere.com", client);
+ }
+
 // gh-746
 @Test(expected = RedirectMismatchException.class)
 public void testRedirectNotMatchingPort() throws Exception {
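Review bot: The new testRedirectMatchSubdomainsDefaultsFalse pins the safer default but does not say why a subdomain of a registered host must be rejected, and the gh-747 test beside it now silently depends on an opt-in. A comment above the new test such as `// Default settings: a registered host does not authorize its subdomains, so https://2.anywhere.com must be rejected for registered https://anywhere.com` records the intent, and testRedirectMatchingSubdomain would read better with `// gh-747 matching is opt-in now that matchSubdomains defaults to false` next to the added setter call. `@Test(expected = RedirectMismatchException.class)` accepts the exception from anywhere in the method body; wrapping only the `resolver.resolveRedirect(...)` call in a try/fail/catch would make the check precise. The `resolver` and `client` fixtures are constructed outside this hunk.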