SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerRequestExecutor

Previously an anonymous authentication was submitted as credentials over the wire, which
caused the receiving application to attempt to authenticate the anonymous user.

Now if the user is anonymous (determined by the AuthenticationTrustResolver), the
AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
Rob Winch 2012-08-09 09:56:07 -05:00
parent 1ab068a06d
commit 25248c7536
2 changed files with 27 additions and 1 deletions


@ -21,6 +21,8 @@ import java.net.HttpURLConnection;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.core.context.SecurityContextHolder;
@ -30,12 +32,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
* Adds BASIC authentication support to <code>SimpleHttpInvokerRequestExecutor</code>.
*
* @author Ben Alex
* @author Rob Winch
*/
public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
//~ Static fields/initializers =====================================================================================
private static final Log logger = LogFactory.getLog(AuthenticationSimpleHttpInvokerRequestExecutor.class);
//~ Instance fields ================================================================================================
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
//~ Methods ========================================================================================================
/**
@ -65,7 +72,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpIn
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null)) {
if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
String base64 = auth.getName() + ":" + auth.getCredentials().toString();
con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));
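Review bot: The new `trustResolver` field introduced in the second hunk is hard-wired to `new AuthenticationTrustResolverImpl()` with no setter, so an application that configures a different AuthenticationTrustResolver elsewhere (for example one recognising a custom anonymous token type) cannot make this executor agree with it, and the anonymous check in the third hunk would then silently send those credentials. A setter with a null guard would keep the current default while allowing injection; it is sketched below. The class Javadoc at the top of the second hunk should also document the new behaviour, e.g. `* Authentications regarded as anonymous by the configured AuthenticationTrustResolver are not sent as credentials.` The method holding the condition in the third hunk starts and ends outside the hunk.
```java
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

/**
 * Sets the resolver used to decide whether an Authentication is anonymous
 * and therefore must not be sent as BASIC credentials.
 * @param trustResolver the resolver to use; must not be null
 */
public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
    if (trustResolver == null) {
        throw new IllegalArgumentException("trustResolver cannot be null");
    }
    this.trustResolver = trustResolver;
}
// … unchanged: remaining methods …
```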


@ -18,8 +18,10 @@ package org.springframework.security.remoting.httpinvoker;
import junit.framework.TestCase;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
@ -37,6 +39,7 @@ import java.util.Map;
* Tests {@link AuthenticationSimpleHttpInvokerRequestExecutor}.
*
* @author Ben Alex
* @author Rob Winch
*/
public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCase {
@ -77,6 +80,22 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCas
assertNull(conn.getRequestProperty("Authorization"));
}
// SEC-1975
public void testNullContextHolderWhenAnonymous() throws Exception {
AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken("key", "principal",
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
SecurityContextHolder.getContext().setAuthentication(anonymous);
// Create a connection and ensure our executor sets its
// properties correctly
AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
executor.prepareConnection(conn, 10);
// Check connection properties (shouldn't be an Authorization header)
assertNull(conn.getRequestProperty("Authorization"));
}
//~ Inner Classes ==================================================================================================
private class MockHttpURLConnection extends HttpURLConnection {