Fix /oauth/rest_token 接口 client_secret字段没有校验

7 years ago · b905f9bb33
2 changed files with 21 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -163,7 +163,7 @@
            </p>
            <ol>
                <li><p>增加 /oauth/check_token 可使用   #IJO9H</p></li>
-                <li><p>Fix issue   #IJO9R</p></li>
+                <li><p><del>Fix issue   #IJO9R  /oauth/rest_token 接口 client_secret字段没有校验</del></p></li>
            </ol>
            <br/>
       </li>       
--- a/src/main/java/com/monkeyk/sos/web/controller/OAuthRestController.java
+++ b/src/main/java/com/monkeyk/sos/web/controller/OAuthRestController.java
@ -137,6 +137,16 @@ public class OAuthRestController implements InitializingBean, ApplicationContext
        String clientId = getClientId(parameters);
        ClientDetails authenticatedClient = clientDetailsService.loadClientByClientId(clientId);

+        //validate client_secret
+        String clientSecret = getClientSecret(parameters);
+        if (clientSecret == null || clientSecret.equals("")) {
+            throw new InvalidClientException("Bad client credentials");
+        } else {
+            if (!clientSecret.equals(authenticatedClient.getClientSecret())) {
+                throw new InvalidClientException("Bad client credentials");
+            }
+        }
+
        TokenRequest tokenRequest = oAuth2RequestFactory.createTokenRequest(parameters, authenticatedClient);

        if (clientId != null && !"".equals(clientId)) {
@ -149,9 +159,7 @@ public class OAuthRestController implements InitializingBean, ApplicationContext
            }
        }

-        if (authenticatedClient != null) {
-            oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
-        }
+        oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);

        final String grantType = tokenRequest.getGrantType();
        if (!StringUtils.hasText(grantType)) {
@ -227,7 +235,7 @@ public class OAuthRestController implements InitializingBean, ApplicationContext
     *
     * @param e Exception
     * @return ResponseEntity
-     * @throws Exception
+     * @throws Exception Exception
     * @see org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint#handleException(Exception)
     */
    @ExceptionHandler(InvalidTokenException.class)
@ -238,18 +246,23 @@ public class OAuthRestController implements InitializingBean, ApplicationContext


    private boolean isRefreshTokenRequest(Map<String, String> parameters) {
-        return "refresh_token".equals(parameters.get("grant_type")) && parameters.get("refresh_token") != null;
+        return "refresh_token".equals(parameters.get(OAuth2Utils.GRANT_TYPE)) && parameters.get("refresh_token") != null;
    }

    private boolean isAuthCodeRequest(Map<String, String> parameters) {
-        return "authorization_code".equals(parameters.get("grant_type")) && parameters.get("code") != null;
+        return "authorization_code".equals(parameters.get(OAuth2Utils.GRANT_TYPE)) && parameters.get("code") != null;
    }


    protected String getClientId(Map<String, String> parameters) {
-        return parameters.get("client_id");
+        return parameters.get(OAuth2Utils.CLIENT_ID);
+    }
+
+    protected String getClientSecret(Map<String, String> parameters) {
+        return parameters.get("client_secret");
    }

+
    private AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }