Merge branch '5.7.x' into 5.8.x

jzheaux · jzheaux · commit 29c00905ce9b · 2022-11-30T14:49:26.000-07:00
Closes gh-12324
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
@@ -201,8 +201,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 					if (authorizationRequest == null) {
 						throw authzEx;
 					}
-					this.sendRedirectForAuthorization(request, response, authorizationRequest);
 					this.requestCache.saveRequest(request, response);
+					this.sendRedirectForAuthorization(request, response, authorizationRequest);
 				}
 				catch (Exception failed) {
 					this.unsuccessfulRedirectForAuthorization(request, response, failed);
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
@@ -52,6 +52,7 @@
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.willAnswer;
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
@@ -369,4 +370,22 @@ public void doFilterWhenCustomAuthorizationRedirectStrategySetThenCustomAuthoriz
 						+ "redirect_uri=http://localhost/login/oauth2/code/registration-id");
 	}
 
+	// gh-11602
+
+	@Test
+	public void doFilterWhenNotAuthorizationRequestAndClientAuthorizationRequiredExceptionThrownThenSaveRequestBeforeCommitted()
+			throws Exception {
+		String requestUri = "/path";
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
+		request.setServletPath(requestUri);
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain filterChain = mock(FilterChain.class);
+		willAnswer((invocation) -> assertThat((invocation.<HttpServletResponse>getArgument(1)).isCommitted()).isFalse())
+				.given(this.requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
+		willThrow(new ClientAuthorizationRequiredException(this.registration1.getRegistrationId())).given(filterChain)
+				.doFilter(any(ServletRequest.class), any(ServletResponse.class));
+		this.filter.doFilter(request, response, filterChain);
+		assertThat(response.isCommitted()).isTrue();
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -201,8 +201,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse`
`201`	`201`	`if (authorizationRequest == null) {`
`202`	`202`	`throw authzEx;`
`203`	`203`	`}`
`204`		`- this.sendRedirectForAuthorization(request, response, authorizationRequest);`
`205`	`204`	`this.requestCache.saveRequest(request, response);`
	`205`	`+ this.sendRedirectForAuthorization(request, response, authorizationRequest);`
`206`	`206`	`}`
`207`	`207`	`catch (Exception failed) {`
`208`	`208`	`this.unsuccessfulRedirectForAuthorization(request, response, failed);`