SECOAUTH-308: re-order validation and auto-approval

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java

@@ -119,6 +119,13 @@ public ModelAndView authorize(Map<String, Object> model, @RequestParam("response
 			}
 
 			resolveRedirectUriAndCheckApproval(authorizationRequest, (Authentication) principal);
+
+			// We intentionally only validate the parameters requested by the client (ignoring any data that may have
+			// been added to the request by the factory).
+			getParametersValidator().validateParameters(parameters,
+					getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId()));
+
+			// Validation is all done, so we can check fopr auto approval...
 			if (authorizationRequest.isApproved()) {
 				if (responseTypes.contains("token")) {
 					return getImplicitGrantResponse(authorizationRequest);
@@ -129,11 +136,6 @@ public ModelAndView authorize(Map<String, Object> model, @RequestParam("response
 				}
 			}
 
-			// We intentionally only validate the parameters requested by the client (ignoring any data that may have
-			// been added to the request by the factory).
-			getParametersValidator().validateParameters(parameters,
-					getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId()));
-
 			// Place auth request into the model so that it is stored in the session
 			// for approveOrDeny to use. That way we make sure that auth request comes from the session,
 			// so any auth request parameters passed to approveOrDeny will be ignored and retrieved from the session.

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultScopeValidator.java

@@ -11,7 +11,6 @@
  * specific language governing permissions and limitations under the License.
  */
 
-
 package org.springframework.security.oauth2.provider.endpoint;
 
 import java.util.Map;
@@ -21,6 +20,13 @@
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.ClientDetails;
 
+/**
+ * Default implementation of {@link ParametersValidator} that checks the scopes requested (if any) do not exceed those
+ * permitted by the client registration.
+ * 
+ * @author Dave Syer
+ * 
+ */
 public class DefaultScopeValidator implements ParametersValidator {
 
 	public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {

spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TestAuthorizationEndpoint.java

@@ -182,6 +182,27 @@ public boolean isApproved(AuthorizationRequest authenticationRequest, Authentica
 		assertTrue("Wrong state: " + result, url.contains("&state=mystate"));
 	}
 
+	@Test(expected=InvalidScopeException.class)
+	public void testImplicitPreApprovedButInvalid() throws Exception {
+		endpoint.setTokenGranter(new TokenGranter() {
+			public OAuth2AccessToken grant(String grantType, AuthorizationRequest authorizationRequest) {
+				throw new IllegalStateException("Shouldn't be called");
+			}
+		});
+		endpoint.setUserApprovalHandler(new UserApprovalHandler() {
+			public boolean isApproved(AuthorizationRequest authenticationRequest, Authentication userAuthentication) {
+				return true;
+			}
+		});
+		client.setScope(Collections.singleton("smallscope"));
+		AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com", "mystate",
+				"bigscope");
+		ModelAndView result = endpoint.authorize(model, "token", authorizationRequest.getAuthorizationParameters(),
+				sessionStatus, principal);
+		String url = ((RedirectView) result.getView()).getUrl();
+		assertTrue("Wrong view: " + result, url.startsWith("http://anywhere.com"));
+	}
+
 	@Test
 	public void testImplicitUnapproved() throws Exception {
 		endpoint.setTokenGranter(new TokenGranter() {