Remove SpelView in WhitelabelApprovalEndpoint

Fixes spring-atticgh-1340

Author: jgrandja

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/SpelView.java

@@ -1,12 +1,17 @@
 package org.springframework.security.oauth2.provider.endpoint;
 
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
+import org.springframework.security.oauth2.provider.AuthorizationRequest;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.SessionAttributes;
 import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.View;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+import org.springframework.web.util.HtmlUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Map;
 
 /**
  * Controller for displaying the approval page for the authorization server.
@@ -19,56 +24,91 @@ public class WhitelabelApprovalEndpoint {
 
 	@RequestMapping("/oauth/confirm_access")
 	public ModelAndView getAccessConfirmation(Map<String, Object> model, HttpServletRequest request) throws Exception {
-		String template = createTemplate(model, request);
+		final String approvalContent = createTemplate(model, request);
 		if (request.getAttribute("_csrf") != null) {
 			model.put("_csrf", request.getAttribute("_csrf"));
 		}
-		return new ModelAndView(new SpelView(template), model);
+		View approvalView = new View() {
+			@Override
+			public String getContentType() {
+				return "text/html";
+			}
+
+			@Override
+			public void render(Map<String, ?> model, HttpServletRequest request, HttpServletResponse response) throws Exception {
+				response.setContentType(getContentType());
+				response.getWriter().append(approvalContent);
+			}
+		};
+		return new ModelAndView(approvalView, model);
 	}
 
 	protected String createTemplate(Map<String, Object> model, HttpServletRequest request) {
-		String template = TEMPLATE;
-		if (model.containsKey("scopes") || request.getAttribute("scopes") != null) {
-			template = template.replace("%scopes%", createScopes(model, request)).replace("%denial%", "");
+		AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get("authorizationRequest");
+		String clientId = authorizationRequest.getClientId();
+
+		StringBuilder builder = new StringBuilder();
+		builder.append("<html><body><h1>OAuth Approval</h1>");
+		builder.append("<p>Do you authorize \"").append(HtmlUtils.htmlEscape(clientId));
+		builder.append("\" to access your protected resources?</p>");
+		builder.append("<form id=\"confirmationForm\" name=\"confirmationForm\" action=\"");
+
+		String requestPath = ServletUriComponentsBuilder.fromContextPath(request).build().getPath();
+		if (requestPath == null) {
+			requestPath = "";
 		}
-		else {
-			template = template.replace("%scopes%", "").replace("%denial%", DENIAL);
+
+		builder.append(requestPath).append("/oauth/authorize\" method=\"post\">");
+		builder.append("<input name=\"user_oauth_approval\" value=\"true\" type=\"hidden\"/>");
+
+		String csrfTemplate = null;
+		CsrfToken csrfToken = (CsrfToken) (model.containsKey("_csrf") ? model.get("_csrf") : request.getAttribute("_csrf"));
+		if (csrfToken != null) {
+			csrfTemplate = "<input type=\"hidden\" name=\"" + HtmlUtils.htmlEscape(csrfToken.getParameterName()) +
+					"\" value=\"" + HtmlUtils.htmlEscape(csrfToken.getToken()) + "\" />";
 		}
-		if (model.containsKey("_csrf") || request.getAttribute("_csrf") != null) {
-			template = template.replace("%csrf%", CSRF);
+		if (csrfTemplate != null) {
+			builder.append(csrfTemplate);
 		}
-		else {
-			template = template.replace("%csrf%", "");
+
+		String authorizeInputTemplate = "<label><input name=\"authorize\" value=\"Authorize\" type=\"submit\"/></label></form>";
+
+		if (model.containsKey("scopes") || request.getAttribute("scopes") != null) {
+			builder.append(createScopes(model, request));
+			builder.append(authorizeInputTemplate);
+		} else {
+			builder.append(authorizeInputTemplate);
+			builder.append("<form id=\"denialForm\" name=\"denialForm\" action=\"");
+			builder.append(requestPath).append("/oauth/authorize\" method=\"post\">");
+			builder.append("<input name=\"user_oauth_approval\" value=\"false\" type=\"hidden\"/>");
+			if (csrfTemplate != null) {
+				builder.append(csrfTemplate);
+			}
+			builder.append("<label><input name=\"deny\" value=\"Deny\" type=\"submit\"/></label></form>");
 		}
-		return template;
+
+		builder.append("</body></html>");
+
+		return builder.toString();
 	}
 
 	private CharSequence createScopes(Map<String, Object> model, HttpServletRequest request) {
 		StringBuilder builder = new StringBuilder("<ul>");
 		@SuppressWarnings("unchecked")
-		Map<String, String> scopes = (Map<String, String>) (model.containsKey("scopes") ? model.get("scopes") : request
-				.getAttribute("scopes"));
+		Map<String, String> scopes = (Map<String, String>) (model.containsKey("scopes") ?
+				model.get("scopes") : request.getAttribute("scopes"));
 		for (String scope : scopes.keySet()) {
 			String approved = "true".equals(scopes.get(scope)) ? " checked" : "";
 			String denied = !"true".equals(scopes.get(scope)) ? " checked" : "";
-			String value = SCOPE.replace("%scope%", scope).replace("%key%", scope).replace("%approved%", approved)
-					.replace("%denied%", denied);
-			builder.append(value);
+			scope = HtmlUtils.htmlEscape(scope);
+
+			builder.append("<li><div class=\"form-group\">");
+			builder.append(scope).append(": <input type=\"radio\" name=\"");
+			builder.append(scope).append("\" value=\"true\"").append(approved).append(">Approve</input> ");
+			builder.append("<input type=\"radio\" name=\"").append(scope).append("\" value=\"false\"");
+			builder.append(denied).append(">Deny</input></div></li>");
 		}
 		builder.append("</ul>");
 		return builder.toString();
 	}
-
-	private static String CSRF = "<input type='hidden' name='${_csrf.parameterName}' value='${_csrf.token}' />";
-
-	private static String DENIAL = "<form id='denialForm' name='denialForm' action='${path}/oauth/authorize' method='post'><input name='user_oauth_approval' value='false' type='hidden'/>%csrf%<label><input name='deny' value='Deny' type='submit'/></label></form>";
-
-	private static String TEMPLATE = "<html><body><h1>OAuth Approval</h1>"
-			+ "<p>Do you authorize '${authorizationRequest.clientId}' to access your protected resources?</p>"
-			+ "<form id='confirmationForm' name='confirmationForm' action='${path}/oauth/authorize' method='post'><input name='user_oauth_approval' value='true' type='hidden'/>%csrf%%scopes%<label><input name='authorize' value='Authorize' type='submit'/></label></form>"
-			+ "%denial%</body></html>";
-
-	private static String SCOPE = "<li><div class='form-group'>%scope%: <input type='radio' name='%key%'"
-			+ " value='true'%approved%>Approve</input> <input type='radio' name='%key%' value='false'%denied%>Deny</input></div></li>";
-
-}
+}

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java

@@ -1,15 +1,16 @@
 package org.springframework.security.oauth2.provider.endpoint;
 
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.View;
 import org.springframework.web.util.HtmlUtils;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.HashMap;
+import java.util.Map;
+
 /**
  * Controller for displaying the error page for the authorization server.
  *
@@ -18,7 +19,7 @@
 @FrameworkEndpoint
 public class WhitelabelErrorEndpoint {
 
-	private static final String ERROR = "<html><body><h1>OAuth Error</h1><p>${errorSummary}</p></body></html>";
+	private static final String ERROR = "<html><body><h1>OAuth Error</h1><p>%errorSummary%</p></body></html>";
 
 	@RequestMapping("/oauth/error")
 	public ModelAndView handleError(HttpServletRequest request) {
@@ -34,7 +35,19 @@ public ModelAndView handleError(HttpServletRequest request) {
 		else {
 			errorSummary = "Unknown error";
 		}
-		model.put("errorSummary", errorSummary);
-		return new ModelAndView(new SpelView(ERROR), model);
+		final String errorContent = ERROR.replace("%errorSummary%", errorSummary);
+		View errorView = new View() {
+			@Override
+			public String getContentType() {
+				return "text/html";
+			}
+
+			@Override
+			public void render(Map<String, ?> model, HttpServletRequest request, HttpServletResponse response) throws Exception {
+				response.setContentType(getContentType());
+				response.getWriter().append(errorContent);
+			}
+		};
+		return new ModelAndView(errorView, model);
 	}
 }