From 5c73816a1a7ad6d0306416361f34d32514696a63 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 27 Oct 2015 13:56:51 -0500
Subject: [PATCH] SEC-3108: DigestAuthenticationFilter should use SecurityContextHolder.createEmptyContext()
---
 .../www/DigestAuthenticationFilter.java | 7 +++-
 .../www/DigestAuthenticationFilterTests.java | 40 +++++++++++++++++--
 2 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
index 02947e5179..b39123d25f 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
@@ -38,6 +38,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.crypto.codec.Base64;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserCache;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -224,8 +225,10 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements
 + "' with response: '" + digestAuth.getResponse() + "'");
 }
-SecurityContextHolder.getContext().setAuthentication(
-createSuccessfulAuthentication(request, user));
+Authentication authentication = createSuccessfulAuthentication(request, user);
+SecurityContext context = SecurityContextHolder.createEmptyContext();
+context.setAuthentication(authentication);
+SecurityContextHolder.setContext(context);
 chain.doFilter(request, response);
 }
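Review bot: The new block deliberately replaces the holder's context instead of mutating the one returned by getContext(), but nothing at the call site records why, so a later cleanup could fold it back into the one-liner this commit removes. A why-comment above the `Authentication authentication = …` line would pin the intent, e.g. `// SEC-3108: build a fresh context rather than mutating the one from getContext(), which may be a shared instance (e.g. the one persisted in the session)`; the shared-instance motivation is inferred from the issue title and should be checked against SEC-3108 before the comment is committed. The holder is also left pointing at the new context after `chain.doFilter(request, response)` returns, with clearing presumably left to an outer filter — worth a sentence in the same comment if that is the contract. The enclosing method (presumably doFilter) starts and ends outside this hunk.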
diff --git a/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
index 04659b40b7..3b136be7cb 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
@@ -15,11 +15,20 @@ package org.springframework.security.web.authentication.www;
-import static org.junit.Assert.*;
-import static org.mockito.Mockito.*;
+import static org.fest.assertions.Assertions.*;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import java.io.IOException;
-import java.util.*;
+import java.util.Map;
+
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -32,7 +41,9 @@ import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
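Review bot: The first hunk expands the two wildcard static imports into explicit ones but introduces a new wildcard, `import static org.fest.assertions.Assertions.*;`, the same pattern the hunk is otherwise removing. Only `assertThat` is used by the added test, so `import static org.fest.assertions.Assertions.assertThat;` keeps the import style consistent with the rest of the rewritten block.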
@@ -473,4 +484,27 @@ public class DigestAuthenticationFilterTests {
 assertNull(SecurityContextHolder.getContext().getAuthentication());
 assertEquals(401, response.getStatus());
 }
+
+// SEC-3108
+@Test
+public void authenticationCreatesEmptyContext() throws Exception {
+SecurityContext existingContext = SecurityContextHolder.createEmptyContext();
+TestingAuthenticationToken existingAuthentication = new TestingAuthenticationToken("existingauthenitcated", "pass", "ROLE_USER");
+existingContext.setAuthentication(existingAuthentication);
+
+SecurityContextHolder.setContext(existingContext);
+
+String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
+PASSWORD, "GET", REQUEST_URI, QOP, NONCE, NC, CNONCE);
+
+request.addHeader(
+"Authorization",
+createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
+responseDigest, QOP, NC, CNONCE));
+
+filter.setCreateAuthenticatedToken(true);
+executeFilterInContainerSimulator(filter, request, true);
+
+assertThat(existingAuthentication).isSameAs(existingContext.getAuthentication());
 }
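Review bot: The added test only checks that the pre-existing context was not mutated (`existingContext.getAuthentication()` is still `existingAuthentication`); it never asserts that the filter installed a new context holding the digest-authenticated user, so a filter that silently skipped authentication would pass it too. After `executeFilterInContainerSimulator(filter, request, true);` add `assertThat(SecurityContextHolder.getContext()).isNotSameAs(existingContext);` and `assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo(USERNAME);` — this assumes the simulator helper (defined outside this hunk) leaves the holder untouched after the chain returns, which should be confirmed. The holder is thread-local state set via `setContext(existingContext)` and not cleared by the test itself; if the class has no @After that clears it, later tests inherit that context. The `isSameAs` operands also read reversed for FEST's assertThat(actual) convention: `assertThat(existingContext.getAuthentication()).isSameAs(existingAuthentication);`.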