From 94bbd50f31c400fbd6dec0100cf551c5d9e7ea4e Mon Sep 17 00:00:00 2001 From: Marcus Hert da Coregio Date: Sat, 18 Oct 2025 13:13:50 -0300 Subject: [PATCH 1/2] Fix GenerateOneTimeTokenRequestResolver ignored if username param not present Signed-off-by: Marcus Hert da Coregio --- .../ott/GenerateOneTimeTokenFilter.java | 6 ------ .../ott/GenerateOneTimeTokenFilterTests.java | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java index b53c31dd187..0eefd98a898 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java @@ -30,7 +30,6 @@ import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; -import org.springframework.util.StringUtils; import org.springframework.web.filter.OncePerRequestFilter; /** @@ -68,11 +67,6 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse filterChain.doFilter(request, response); return; } - String username = request.getParameter("username"); - if (!StringUtils.hasText(username)) { - filterChain.doFilter(request, response); - return; - } GenerateOneTimeTokenRequest generateRequest = this.requestResolver.resolve(request); OneTimeToken ott = this.tokenService.generate(generateRequest); if (generateRequest == null) { diff --git a/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java index 4b639937c5f..6d990458094 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilterTests.java @@ -113,4 +113,22 @@ public void setWhenRequestMatcherNullThenIllegalArgumentException() { // @formatter:on } + @Test + void filterWhenUsernameFormParamIsEmptyButRequestResolverCanResolveThenSuccess() + throws ServletException, IOException { + GenerateOneTimeTokenRequestResolver requestResolver = mock(); + given(this.oneTimeTokenService.generate(ArgumentMatchers.any(GenerateOneTimeTokenRequest.class))) + .willReturn((new DefaultOneTimeToken(TOKEN, USERNAME, Instant.now()))); + given(requestResolver.resolve(this.request)).willReturn(new GenerateOneTimeTokenRequest(USERNAME)); + + GenerateOneTimeTokenFilter filter = new GenerateOneTimeTokenFilter(this.oneTimeTokenService, + this.successHandler); + filter.setRequestResolver(requestResolver); + + filter.doFilter(this.request, this.response, this.filterChain); + + verify(this.oneTimeTokenService).generate(ArgumentMatchers.any(GenerateOneTimeTokenRequest.class)); + assertThat(this.response.getRedirectedUrl()).isEqualTo("/login/ott"); + } + } From db47f8d85d52a549197fbc32a551766dbaf38c3e Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Mon, 20 Oct 2025 11:58:57 -0600 Subject: [PATCH 2/2] Don't Attempt to Generate Token Without Valid Token Request Closes gh-18088 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com> --- .../web/authentication/ott/GenerateOneTimeTokenFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java index 0eefd98a898..6f4788f1fe4 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java @@ -68,11 +68,11 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse return; } GenerateOneTimeTokenRequest generateRequest = this.requestResolver.resolve(request); - OneTimeToken ott = this.tokenService.generate(generateRequest); if (generateRequest == null) { filterChain.doFilter(request, response); return; } + OneTimeToken ott = this.tokenService.generate(generateRequest); this.tokenGenerationSuccessHandler.handle(request, response, ott); }