From 25248c75369756b2c1d80b5b7e0b14b5a9a9c09d Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 9 Aug 2012 09:56:07 -0500
Subject: [PATCH] SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerRequestExecutor

Previously anonymous authentication was submitted as credentials over the wire which caused the applications to attempt to authenticate the anonymous user. Now if the user is anonymous (determined by the AuthenticationTrustResolver), the AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
---
 ...ationSimpleHttpInvokerRequestExecutor.java | 9 ++++++++-
 ...SimpleHttpInvokerRequestExecutorTests.java | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java b/remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
index ab32218d63..b9c00c253e 100644
--- a/remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
+++ b/remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
@@ -21,6 +21,8 @@ import java.net.HttpURLConnection;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -30,12 +32,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
  * Adds BASIC authentication support to SimpleHttpInvokerRequestExecutor.
  *
  * @author Ben Alex
+ * @author Rob Winch
  */
 public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
     //~ Static fields/initializers =====================================================================================
 
     private static final Log logger = LogFactory.getLog(AuthenticationSimpleHttpInvokerRequestExecutor.class);
 
+    //~ Instance fields ================================================================================================
+
+    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
     //~ Methods ========================================================================================================
 
     /**
@@ -65,7 +72,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpIn
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null)) {
+        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
             String base64 = auth.getName() + ":" + auth.getCredentials().toString();
             con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));
diff --git a/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java b/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
index d32d1665d5..0990a2bccb 100644
--- a/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
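Review bot: The new `trustResolver` field is neither `final` nor reachable through a setter, so the anonymity check can never be replaced with a differently configured `AuthenticationTrustResolver` (or a stub in a test), and the field's mutability buys nothing. Either pin it as `private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();` or add `public void setTrustResolver(AuthenticationTrustResolver trustResolver) { if (trustResolver == null) { throw new IllegalArgumentException("trustResolver cannot be null"); } this.trustResolver = trustResolver; }` so the collaborator is injectable without a null slipping into the request path. A one-line Javadoc on the field, `/** Decides which Authentication objects are treated as anonymous and therefore sent without credentials. */`, would also explain why it exists. The class body continues outside the hunk.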
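Review bot: The added `!trustResolver.isAnonymous(auth)` clause excludes only anonymous tokens, yet the same resolver also distinguishes remember-me authentication via `isRememberMe(auth)`; if a remember-me token reaches this executor with a non-null (possibly empty) credentials value it still passes the null checks and is sent as `user:` BASIC credentials, reproducing the failure this commit fixes for anonymous users — worth confirming against the token's `getCredentials()` and, if so, extending the guard to `&& !trustResolver.isRememberMe(auth)`. Separately, the retained `base64.getBytes()` on the `setRequestProperty` line encodes the `user:password` string with the platform default charset, so a non-ASCII password may be encoded differently on client and server; `base64.getBytes(Charset.forName("UTF-8"))` (with the matching `java.nio.charset.Charset` import) makes the encoding deterministic. The enclosing method starts and ends outside the hunk.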
+++ b/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
@@ -18,8 +18,10 @@ package org.springframework.security.remoting.httpinvoker;
 import junit.framework.TestCase;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
@@ -37,6 +39,7 @@ import java.util.Map;
  * Tests {@link AuthenticationSimpleHttpInvokerRequestExecutor}.
  *
  * @author Ben Alex
+ * @author Rob Winch
  */
 public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCase {
@@ -77,6 +80,22 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCas
         assertNull(conn.getRequestProperty("Authorization"));
     }
 
+    // SEC-1975
+    public void testNullContextHolderWhenAnonymous() throws Exception {
+        AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken("key", "principal",
+                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+        SecurityContextHolder.getContext().setAuthentication(anonymous);
+
+        // Create a connection and ensure our executor sets its
+        // properties correctly
+        AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
+        HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+        executor.prepareConnection(conn, 10);
+
+        // Check connection properties (shouldn't be an Authorization header)
+        assertNull(conn.getRequestProperty("Authorization"));
+    }
+
     //~ Inner Classes ==================================================================================================
 
     private class MockHttpURLConnection extends HttpURLConnection {
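Review bot: The new test's name, `testNullContextHolderWhenAnonymous`, says the context holder is null, but the method populates it with an `AnonymousAuthenticationToken`; a name such as `testAnonymousAuthenticationDoesNotSetAuthorizationHeader` states what is actually asserted. The copied comment `// Create a connection and ensure our executor sets its properties correctly` likewise contradicts the assertion that follows, which checks that no header is set; `// Create a connection; an anonymous token must not produce an Authorization header` fits. The test also leaves the anonymous token in `SecurityContextHolder` when it returns, so unless a tearDown outside this hunk clears the context it can leak into tests that run afterwards; wrapping the body in `try { ... } finally { SecurityContextHolder.clearContext(); }` keeps it self-contained.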