From 0cdf202b10cd156dcb74695e79baf9426604634b Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Fri, 20 May 2011 19:27:37 +0100
Subject: [PATCH] SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider.
---
 .../providers/jaas/JaasAuthenticationProvider.java | 8 ++------
 .../jaas/JaasAuthenticationProviderTests.java | 12 +----------
 2 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java b/core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java
index 0f76980831..7c231c267a 100644
--- a/core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java
@@ -158,7 +158,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         Assert.hasLength(loginContextName, "loginContextName must be set on " + getClass());
         configureJaas(loginConfig);
-
+
         Assert.notNull(Configuration.getConfiguration(), "As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html "
                 + "\"If a Configuration object was set via the Configuration.setConfiguration method, then that object is "
@@ -189,13 +189,9 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         //Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point.
         loginContext.login();
-        //create a set to hold the authorities, and add any that have already been applied.
+        //create a set to hold the authorities
         Set authorities = new HashSet();
-        if (request.getAuthorities() != null) {
-            authorities.addAll(Arrays.asList(request.getAuthorities()));
-        }
-
         //get the subject principals and pass them to each of the AuthorityGranters
         Set principals = loginContext.getSubject().getPrincipals();
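Review bot: The removal of the request-authority merge leaves no trace in the code of why it is absent, and the rewritten comment `//create a set to hold the authorities` only restates the next line; since `request` is caller-supplied input, a why-comment at that spot would keep the merge from being reintroduced, e.g. `// Authorities carried by the incoming request are deliberately ignored: they are unauthenticated caller input, and only the AuthorityGranters decide what is granted (SEC-1744).` With `Arrays.asList` gone from this method, the `java.util.Arrays` import is likely unused now unless another method still needs it; the import block is outside the hunk, so worth confirming. The enclosing method starts and ends outside the hunk.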
diff --git a/core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java
index 5ebad58e0d..ca95cb3034 100644
--- a/core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java
@@ -138,13 +138,7 @@ public class JaasAuthenticationProviderTests extends TestCase {
     }
     public void testFull() throws Exception {
-        GrantedAuthorityImpl role1 = new GrantedAuthorityImpl("ROLE_1");
-        GrantedAuthorityImpl role2 = new GrantedAuthorityImpl("ROLE_2");
-
-        GrantedAuthority[] defaultAuths = new GrantedAuthority[] {role1, role2,};
-
-        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password",
-            defaultAuths);
+        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password");
         assertTrue(jaasProvider.supports(UsernamePasswordAuthenticationToken.class));
@@ -161,10 +155,6 @@ public class JaasAuthenticationProviderTests extends TestCase {
         assertTrue("GrantedAuthorities should contain ROLE_TEST2", list.contains(new GrantedAuthorityImpl("ROLE_TEST2")));
-        assertTrue("GrantedAuthorities should contain ROLE_1", list.contains(role1));
-
-        assertTrue("GrantedAuthorities should contain ROLE_2", list.contains(role2));
-
         boolean foundit = false;
         for (int i = 0; i < list.size(); i++) {
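Review bot: After this change nothing in the test class asserts the behaviour the commit exists for: testFull now only exercises a token built without authorities, and the second hunk drops the ROLE_1/ROLE_2 assertions instead of inverting them, so a regression that re-merges `request.getAuthorities()` would pass unnoticed. A separate test that authenticates a token carrying the removed `defaultAuths` array and asserts those roles are absent from the result would pin the fix. The sketch below assumes the result's authorities are obtained the way testFull does in the lines between the two hunks, which are not visible here; adapt the `list` derivation to match that code.
```java
public void testAuthoritiesInRequestAreNotGranted() throws Exception {
    GrantedAuthority[] requestAuths = new GrantedAuthority[] {
            new GrantedAuthorityImpl("ROLE_1"), new GrantedAuthorityImpl("ROLE_2")};
    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password",
            requestAuths);

    Authentication result = jaasProvider.authenticate(token);
    List list = Arrays.asList(result.getAuthorities());

    assertFalse("Caller-supplied ROLE_1 must not be granted", list.contains(new GrantedAuthorityImpl("ROLE_1")));
    assertFalse("Caller-supplied ROLE_2 must not be granted", list.contains(new GrantedAuthorityImpl("ROLE_2")));
}
```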