SEC-633: Handle null credentials in AbstractAuthenticationToken.equals

Also added a test for the OpenIDAuthenticationToken to reproduce the original error.

core/src/main/java/org/springframework/security/providers/AbstractAuthenticationToken.java

@@ -17,9 +17,7 @@ package org.springframework.security.providers;
 
 import org.springframework.security.Authentication;
 import org.springframework.security.GrantedAuthority;
-
 import org.springframework.security.userdetails.UserDetails;
-
 import org.springframework.util.Assert;
 
 
@@ -47,23 +45,24 @@ public abstract class AbstractAuthenticationToken implements Authentication {
      * @deprecated in favour of the constructor which takes a
      *             <code>GrantedAuthority[]</code> argument.
      */
-    public AbstractAuthenticationToken() {}
+    public AbstractAuthenticationToken() {
+    }
 
     /**
      * Creates a token with the supplied array of authorities.
      *
      * @param authorities the list of <tt>GrantedAuthority</tt>s for the
-     *        principal represented by this authentication object. A
+     *                    principal represented by this authentication object. A
-     *        <code>null</code> value indicates that no authorities have been
+     *                    <code>null</code> value indicates that no authorities have been
-     *        granted (pursuant to the interface contract specified by {@link
+     *                    granted (pursuant to the interface contract specified by {@link
-     *        Authentication#getAuthorities()}<code>null</code> should only be
+     *                    Authentication#getAuthorities()}<code>null</code> should only be
-     *        presented if the principal has not been authenticated).
+     *                    presented if the principal has not been authenticated).
      */
     public AbstractAuthenticationToken(GrantedAuthority[] authorities) {
         if (authorities != null) {
             for (int i = 0; i < authorities.length; i++) {
                 Assert.notNull(authorities[i],
-                    "Granted authority element " + i + " is null - GrantedAuthority[] cannot contain any null elements");
+                        "Granted authority element " + i + " is null - GrantedAuthority[] cannot contain any null elements");
             }
         }
 
@@ -104,9 +103,16 @@ public abstract class AbstractAuthenticationToken implements Authentication {
                 return false;
             }
 
+            if ((this.getCredentials() == null) && (test.getCredentials() != null)) {
+                return false;
+            }
+
+            if ((this.getCredentials() != null) && !this.getCredentials().equals(test.getCredentials())) {
+                return false;
+            }
+
             return (this.getPrincipal().equals(test.getPrincipal())
-            && this.getCredentials().equals(test.getCredentials())
+                    && (this.isAuthenticated() == test.isAuthenticated()));
-            && (this.isAuthenticated() == test.isAuthenticated()));
         }
 
         return false;

sandbox/openid/src/test/java/org/springframework/security/providers/openid/OpenIdAuthenticationTokenTests.java

@@ -0,0 +1,25 @@
+package org.springframework.security.providers.openid;
+
+import junit.framework.TestCase;
+
+/**
+ * DOCUMENT ME!
+ *
+ * @author Ray Krueger
+ */
+public class OpenIdAuthenticationTokenTests extends TestCase {
+
+    public void test() throws Exception {
+        OpenIDAuthenticationToken token = newToken();
+        assertEquals(token, newToken());
+    }
+
+    private OpenIDAuthenticationToken newToken() {
+        return new OpenIDAuthenticationToken(
+                OpenIDAuthenticationStatus.SUCCESS,
+                "http://raykrueger.blogspot.com/",
+                "what is this for anyway?");
+    }
+
+
+}