Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 21:42:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1867: Perform null check on Authentication.getCredentials() prior to calling toString()

Browse Source
This commit is contained in:
Rob Winch 2011-12-30 13:59:04 -06:00
parent 448a42916d
commit 1f835fec43
4 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java
View File

@ -57,7 +57,8 @@ public class RemoteAuthenticationProvider implements AuthenticationProvider, Ini
public Authentication authenticate(Authentication authentication) public Authentication authenticate(Authentication authentication)
throws AuthenticationException { throws AuthenticationException {
String username = authentication.getPrincipal().toString(); String username = authentication.getPrincipal().toString();
String password = authentication.getCredentials().toString(); Object credentials = authentication.getCredentials();
String password = credentials == null ? null : credentials.toString();
Collection<? extends GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password); Collection<? extends GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password);
return new UsernamePasswordAuthenticationToken(username, password, authorities); return new UsernamePasswordAuthenticationToken(username, password, authorities);

12
core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java
View File

@ -21,6 +21,7 @@ import junit.framework.TestCase;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.AuthorityUtils;
@ -77,6 +78,17 @@ public class RemoteAuthenticationProviderTests extends TestCase {
assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("foo")); assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("foo"));
} }
public void testNullCredentialsDoesNotCauseNullPointerException() {
RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(false));
try {
provider.authenticate(new UsernamePasswordAuthenticationToken("rod", null));
fail("Expected Exception");
} catch(RemoteAuthenticationException success) {}
}
public void testSupports() { public void testSupports() {
RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider(); RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
assertTrue(provider.supports(UsernamePasswordAuthenticationToken.class)); assertTrue(provider.supports(UsernamePasswordAuthenticationToken.class));

6
remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
View File

@ -66,13 +66,17 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
if (currentUser != null) { if (currentUser != null) {
principal = currentUser.getName(); principal = currentUser.getName();
credentials = currentUser.getCredentials().toString(); Object userCredentials = currentUser.getCredentials();
credentials = userCredentials == null ? null : userCredentials.toString();
} else { } else {
principal = credentials = null; principal = credentials = null;
} }
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("RemoteInvocation now has principal: " + principal); logger.debug("RemoteInvocation now has principal: " + principal);
if(credentials == null) {
logger.debug("RemoteInvocation now has null credentials.");
}
} }
} }

10
remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java
View File

@ -22,6 +22,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.SimpleMethodInvocation; import org.springframework.security.util.SimpleMethodInvocation;
import org.springframework.test.util.ReflectionTestUtils;
import java.lang.reflect.Method; import java.lang.reflect.Method;
@ -95,4 +96,13 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
assertEquals("some_string Authentication empty", remoteInvocation.invoke(new TargetObject())); assertEquals("some_string Authentication empty", remoteInvocation.invoke(new TargetObject()));
} }
// SEC-1867
public void testNullCredentials() throws Exception {
Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("rod", null);
SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication);
ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation();
assertEquals(null, ReflectionTestUtils.getField(remoteInvocation, "credentials"));
}
} }