Merge pull request 'Fix #23799: make sure OAuth filters don't eat POST body' (#17) from feature/23799 into develop

+1

Author: fmichielssen

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -58,6 +58,7 @@
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
 
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.security.FixedDefaultOAuth2AuthorizationRequestResolver;
 import eu.openanalytics.containerproxy.util.SessionHelper;
 import net.minidev.json.JSONArray;
 import net.minidev.json.parser.JSONParser;
@@ -86,7 +87,7 @@ public String getName() {
 	public boolean hasAuthorization() {
 		return true;
 	}
-
+	
 	@Override
 	public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestConfigurer) throws Exception {
 		ClientRegistrationRepository clientRegistrationRepo = createClientRepo();
@@ -99,9 +100,13 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
 				.loginPage("/login")
 				.clientRegistrationRepository(clientRegistrationRepo)
 				.authorizedClientService(authorizedClientService)
+				.authorizationEndpoint()
+					.authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI))
+				.and()
 				.userInfoEndpoint()
 					.userAuthoritiesMapper(createAuthoritiesMapper())
 					.oidcUserService(createOidcUserService());
+
 	}
 
 	@Override

src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java

@@ -0,0 +1,61 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2020 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.security;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+
+/**
+ * Disables the handling of OAuth on the `/app_direct` URL.
+ * See issue #23799.
+ * 
+ * Without this, the Filter will eat the body of the (POST) request. As a result Undertow will not be able
+ * to proxy the request to the container.
+ */
+public class FixedDefaultOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {
+	
+	private DefaultOAuth2AuthorizationRequestResolver delegate;
+	
+	public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri) {
+		delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri);
+	}
+
+	@Override
+	public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
+		if (request.getServletPath().startsWith("/app_direct")) {
+			return null;
+		}
+		return delegate.resolve(request);
+	}
+
+	@Override
+	public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
+		if (request.getServletPath().startsWith("/app_direct")) {
+			return null;
+		}
+		return delegate.resolve(request, clientRegistrationId);
+	}
+
+}