SEC-1867: Perform null check on Authentication.getCredentials() prior to calling toString()

This commit is contained in:
Rob Winch 2011-12-30 13:59:04 -06:00
parent 448a42916d
commit 1f835fec43
4 changed files with 29 additions and 2 deletions


@ -57,7 +57,8 @@ public class RemoteAuthenticationProvider implements AuthenticationProvider, Ini
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
String username = authentication.getPrincipal().toString();
String password = authentication.getCredentials().toString();
Object credentials = authentication.getCredentials();
String password = credentials == null ? null : credentials.toString();
Collection<? extends GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password);
return new UsernamePasswordAuthenticationToken(username, password, authorities);
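Review bot: The principal on `String username = authentication.getPrincipal().toString();` is still dereferenced without a guard, while the credentials line directly below it now tolerates null; as far as I can tell UsernamePasswordAuthenticationToken accepts a null principal just as it accepts null credentials, so this method can still fail with a NullPointerException instead of an AuthenticationException. Applying the same shape, `Object principal = authentication.getPrincipal();` followed by `String username = principal == null ? null : principal.toString();`, keeps the failure inside the remote manager's exception contract. The accompanying test in RemoteAuthenticationProviderTests only exercises the null-credentials case. The closing brace of authenticate lies outside this hunk.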


@ -21,6 +21,7 @@ import junit.framework.TestCase;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
@ -77,6 +78,17 @@ public class RemoteAuthenticationProviderTests extends TestCase {
assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("foo"));
}
public void testNullCredentialsDoesNotCauseNullPointerException() {
RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(false));
try {
provider.authenticate(new UsernamePasswordAuthenticationToken("rod", null));
fail("Expected Exception");
} catch(RemoteAuthenticationException success) {}
}
public void testSupports() {
RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
assertTrue(provider.supports(UsernamePasswordAuthenticationToken.class));
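Review bot: testNullCredentialsDoesNotCauseNullPointerException only proves that a RemoteAuthenticationException surfaces; it does not show that the null password reached the remote manager as null rather than as some substituted value, because what MockRemoteAuthenticationManager(false) does with its arguments is outside this hunk. If the mock can record the password it was given, an extra `assertNull(...)` on that captured value would pin the actual fix. Minor style: `catch(RemoteAuthenticationException success) {}` would read better as `catch (RemoteAuthenticationException expected) { /* expected */ }` so the empty block is visibly intentional.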


@ -66,13 +66,17 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
if (currentUser != null) {
principal = currentUser.getName();
credentials = currentUser.getCredentials().toString();
Object userCredentials = currentUser.getCredentials();
credentials = userCredentials == null ? null : userCredentials.toString();
} else {
principal = credentials = null;
}
if (logger.isDebugEnabled()) {
logger.debug("RemoteInvocation now has principal: " + principal);
if(credentials == null) {
logger.debug("RemoteInvocation now has null credentials.");
}
}
}
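Review bot: The new debug message `logger.debug("RemoteInvocation now has null credentials.");` fires for two different situations that the surrounding code distinguishes: an authenticated user whose credentials are null (the new branch at `credentials = userCredentials == null ? null : userCredentials.toString();`) and no authentication in the context at all (`principal = credentials = null;` in the else branch). When debugging a remoting failure the two cases call for different fixes, so the message should say which one applies, e.g. `logger.debug("RemoteInvocation now has null credentials" + (currentUser == null ? " (no Authentication in SecurityContextHolder)." : "."));`. The method enclosing this hunk begins before the first visible line.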


@ -22,6 +22,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.SimpleMethodInvocation;
import org.springframework.test.util.ReflectionTestUtils;
import java.lang.reflect.Method;
@ -95,4 +96,13 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
assertEquals("some_string Authentication empty", remoteInvocation.invoke(new TargetObject()));
}
// SEC-1867
public void testNullCredentials() throws Exception {
Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("rod", null);
SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication);
ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation();
assertEquals(null, ReflectionTestUtils.getField(remoteInvocation, "credentials"));
}
}
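Review bot: testNullCredentials installs an Authentication into SecurityContextHolder on `SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication);` and never clears it, so unless a tearDown outside this hunk already calls `SecurityContextHolder.clearContext()`, the "rod" authentication can leak into whichever test runs next in the same thread and mask or cause failures there. A `finally { SecurityContextHolder.clearContext(); }` around the body, or a class-level tearDown, keeps the test self-contained. Also `assertEquals(null, ReflectionTestUtils.getField(remoteInvocation, "credentials"));` is clearer as `assertNull(ReflectionTestUtils.getField(remoteInvocation, "credentials"));`.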