Merge SubdomainRedirectResolver into DefaultRedirectResolver

Author: Dave Syer

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java

@@ -31,17 +31,28 @@
 
 /**
  * Default implementation for a redirect resolver.
- *
+ * 
  * @author Ryan Heaton
  * @author Dave Syer
  */
 public class DefaultRedirectResolver implements RedirectResolver {
 
 	private Collection<String> redirectGrantTypes = Arrays.asList("implicit", "authorization_code");
 
+	private boolean matchSubdomains = true;
+
+	/**
+	 * Flag to indicate that requested URIs will match if they are a subdomain of the registered value.
+	 * 
+	 * @param matchSubdomains the flag value to set (deafult true)
+	 */
+	public void setMatchSubdomains(boolean matchSubdomains) {
+		this.matchSubdomains = matchSubdomains;
+	}
+
 	/**
 	 * Grant types that are permitted to have a redirect uri.
-	 *
+	 * 
 	 * @param redirectGrantTypes the redirect grant types to set
 	 */
 	public void setRedirectGrantTypes(Collection<String> redirectGrantTypes) {
@@ -55,7 +66,8 @@ public String resolveRedirect(String requestedRedirect, ClientDetails client) th
 			throw new InvalidGrantException("A client must have at least one authorized grant type.");
 		}
 		if (!containsRedirectGrantType(authorizedGrantTypes)) {
-			throw new InvalidGrantException("A redirect_uri can only be used by implicit or authorization_code grant types.");
+			throw new InvalidGrantException(
+					"A redirect_uri can only be used by implicit or authorization_code grant types.");
 		}
 
 		Set<String> redirectUris = client.getRegisteredRedirectUri();
@@ -91,7 +103,7 @@ private boolean containsRedirectGrantType(Set<String> grantTypes) {
 	 * it is an HTTP URL.
 	 * <p>
 	 * For other (non-URL) cases, such as for some implicit clients, the redirect_uri must be an exact match.
-	 *
+	 * 
 	 * @param requestedRedirect The requested redirect URI.
 	 * @param redirectUri The registered redirect URI.
 	 * @return Whether the requested redirect URI "matches" the specified redirect URI.
@@ -101,18 +113,32 @@ protected boolean redirectMatches(String requestedRedirect, String redirectUri)
 			URL req = new URL(requestedRedirect);
 			URL reg = new URL(redirectUri);
 
-			if (reg.getProtocol().equals(req.getProtocol()) && reg.getHost().equals(req.getHost())) {
-				return requestedRedirect.startsWith(redirectUri);
+			if (reg.getProtocol().equals(req.getProtocol()) && hostMatches(reg.getHost(), req.getHost())) {
+				return req.getPath().startsWith(reg.getPath());
 			}
 		}
 		catch (MalformedURLException e) {
 		}
 		return requestedRedirect.equals(redirectUri);
 	}
 
+	/**
+	 * Check if host matches the registered value.
+	 * 
+	 * @param registered the registered host
+	 * @param requested the requested host
+	 * @return true if they match
+	 */
+	protected boolean hostMatches(String registered, String requested) {
+		if (matchSubdomains) {
+			return requested.endsWith(registered);
+		}
+		return registered.equals(requested);
+	}
+
 	/**
 	 * Attempt to match one of the registered URIs to the that of the requested one.
-	 *
+	 * 
 	 * @param redirectUris the set of the registered URIs to try and find a match. This cannot be null or empty.
 	 * @param requestedRedirect the URI used as part of the request
 	 * @return the matching URI

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/SubdomainRedirectResolver.java

@@ -8,11 +8,13 @@
 import java.util.Set;
 
 import org.junit.Test;
+import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
 import org.springframework.security.oauth2.provider.BaseClientDetails;
+import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
 
 public class TestSubdomainRedirectResolver
 {
-	private final TestSubdomainRedirectResolver resolver = new TestSubdomainRedirectResolver();
+	private final DefaultRedirectResolver resolver = new DefaultRedirectResolver();
 	private final BaseClientDetails client = new BaseClientDetails();
 
 	{
@@ -23,18 +25,19 @@ public class TestSubdomainRedirectResolver
 	@Test
 	public void testRedirectWatchdox() throws Exception 
 	{
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("watchdox.com"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http://watchdox.com"));
 		client.setRegisteredRedirectUri(redirectUris);
 		String requestedRedirect = "http://anywhere.watchdox.com/something";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
 
-	@Test
+	@Test(expected=RedirectMismatchException.class)
 	public void testRedirectBadWatchdox() throws Exception 
 	{
-		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http.*(watchdox.com).*"));
+		Set<String> redirectUris = new HashSet<String>(Arrays.asList("http//watchdox.com"));
 		client.setRegisteredRedirectUri(redirectUris);
 		String requestedRedirect = "http://anywhere.google.com/something";
 		assertEquals(requestedRedirect, resolver.resolveRedirect(requestedRedirect, client));
 	}
+
 }