When UserInfoTokenServices is used and its OAuth2RestTemplate is configured with both AuthorizationCodeAccessTokenProvider and ClientCredentialsAccessTokenProvider, any bearer token is accepted and security is bypassed.

bilak/spring-oauth-userinfo
To reproduce:

  • start both applications
  • on the command line execute curl -H 'Authorization: Bearer whatever' localhost:8080/hello (you will see hello world even though the token is made up)

Then remove this line and repeat the previous steps (you should no longer be able to see hello world).
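A small regression check for the behaviour the steps above describe, added here and not part of the repository: it sends the README's made-up token to localhost:8080/hello and exits non-zero unless the resource rejects it, so it can be kept around to confirm the fix stays in place. The URL and the token value come from the README; the environment variable names, the function names and the verdict labels are this script's own.

```shell
#!/bin/sh
# Added regression check, not part of the bilak/spring-oauth-userinfo repository.
# Sends a made-up bearer token to the resource endpoint from the README and
# reports whether the resource served the protected page (the bypass the README
# describes) or rejected the token. The endpoint is the README's
# localhost:8080/hello; the token value is constructed and not a real token.

RESOURCE_URL="${RESOURCE_URL:-http://localhost:8080/hello}"
BOGUS_TOKEN="${BOGUS_TOKEN:-whatever}"   # constructed, not a real token

# Map an HTTP status code to a verdict. 2xx means the resource accepted an
# arbitrary token (the bypass); 401/403 means it was rejected as expected;
# anything else (including curl's 000 when the server is down) is inconclusive.
classify_status() {
    case "$1" in
        2[0-9][0-9]) echo "BYPASS" ;;
        401|403)     echo "REJECTED" ;;
        *)           echo "INCONCLUSIVE" ;;
    esac
}

# Fetch only the status code of a request carrying "Authorization: Bearer <token>".
# curl reports 000 when it cannot connect; an empty result is mapped to 000 too.
fetch_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' \
                -H "Authorization: Bearer $1" "$2" 2>/dev/null)
    echo "${code:-000}"
}

# Exit 0 only when the bogus token is rejected, so this can gate a build.
check_bogus_token() {
    status=$(fetch_status "$BOGUS_TOKEN" "$RESOURCE_URL")
    verdict=$(classify_status "$status")
    echo "$RESOURCE_URL -> HTTP $status : $verdict"
    [ "$verdict" = "REJECTED" ]
}

# Run only when explicitly asked (RUN_TOKEN_CHECK=1), so sourcing the file
# for its functions has no side effects.
if [ "${RUN_TOKEN_CHECK:-0}" = "1" ]; then
    check_bogus_token
fi
```

Run it with RUN_TOKEN_CHECK=1 while both applications are up: on the configuration the README describes it prints BYPASS and exits non-zero; after the line has been removed it prints REJECTED and exits zero. A 000 status means the resource server was not reachable and says nothing about the token handling.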
