From 56deb3dd83c87d897edfe78883d67428d3424d2b Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Fri, 14 Sep 2007 14:25:21 +0000
Subject: [PATCH] SEC-549: Trim whitespace from username submitted with login form.
---
 .../webapp/AuthenticationProcessingFilter.java | 4 +++-
 .../AuthenticationProcessingFilterTests.java | 17 +++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilter.java b/core/src/main/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilter.java
index a867489462..d6dd8a438c 100644
--- a/core/src/main/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilter.java
@@ -68,6 +68,8 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
 password = "";
 }
+ username = username.trim();
+
 UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
 // Place the last username attempted into HttpSession for views
@@ -145,7 +147,7 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
 * @param passwordParameter the parameter name. Defaults to "j_password".
 */
 public void setPasswordParameter(String passwordParameter) {
- Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
+ Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
 this.passwordParameter = passwordParameter;
 }
 }
diff --git a/core/src/test/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilterTests.java b/core/src/test/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilterTests.java
index 24b031ba77..8964a9f0f2 100644
--- a/core/src/test/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilterTests.java
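Review bot: In AuthenticationProcessingFilter.java the added `username = username.trim();` dereferences `username` unconditionally, and the only null guard visible in the hunk is the one for `password`, so this is safe only if a matching username guard sits just above the hunk, which the visible lines do not show. `String.trim()` also strips only characters at or below U+0020, so a name padded with U+00A0 or another Unicode space still reaches the authentication manager unchanged, and an account stored with leading or trailing whitespace can no longer sign in through this form. I would record the intent on the line, e.g. `// SEC-549: normalise the login name only; the password is passed through verbatim`, so nobody later trims both fields for symmetry. The enclosing method starts and ends outside the hunk.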
@@ -92,7 +92,7 @@ public class AuthenticationProcessingFilterTests extends TestCase {
 AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
 filter.setAuthenticationManager(new MockAuthenticationManager(true));
 filter.setUsernameParameter("x");
- filter.setPasswordParameter("y");
+ filter.setPasswordParameter("y");
 filter.init(null);
 MockHttpServletRequest request = new MockHttpServletRequest();
@@ -101,6 +101,19 @@ public class AuthenticationProcessingFilterTests extends TestCase {
 Authentication result = filter.attemptAuthentication(request);
 assertTrue(result != null);
- assertEquals("127.0.0.1", ((WebAuthenticationDetails) result.getDetails()).getRemoteAddress());
+ assertEquals("127.0.0.1", ((WebAuthenticationDetails) result.getDetails()).getRemoteAddress());
+ }
+
+ public void testSpacesAreTrimmedCorrectlyFromUsername() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.addParameter(AuthenticationProcessingFilter.ACEGI_SECURITY_FORM_USERNAME_KEY, " marissa ");
+ request.addParameter(AuthenticationProcessingFilter.ACEGI_SECURITY_FORM_PASSWORD_KEY, "koala");
+
+ AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
+ filter.setAuthenticationManager(new MockAuthenticationManager(true));
+ filter.init(null);
+
+ Authentication result = filter.attemptAuthentication(request);
+ assertEquals("marissa", result.getName());
 }
 }
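Review bot: testSpacesAreTrimmedCorrectlyFromUsername in AuthenticationProcessingFilterTests.java pins only that surrounding spaces are removed from the username; nothing asserts that the password is left untouched, which is the property most likely to regress if the trimming is later extended. Submitting a padded password and adding `assertEquals(" koala ", result.getCredentials());` would cover it. A request that carries no username parameter at all deserves its own case too, since the filter now calls `trim()` on that value and this patch does not show whether a null guard precedes the call.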