SEC-1466: Report error if authentication-provider element has child elements when used with "ref" attribute.

config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParser.java

@@ -25,6 +25,8 @@ import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
+import com.sun.tools.internal.xjc.util.DOMUtils;
+
 /**
  * Registers the central ProviderManager used by the namespace configuration, and allows the configuration of an
  * alias, allowing users to reference it in their beans and clearly see where the name is
@@ -56,6 +58,10 @@ public class AuthenticationManagerBeanDefinitionParser implements BeanDefinition
             if (node instanceof Element) {
                 Element providerElt = (Element)node;
                 if (StringUtils.hasText(providerElt.getAttribute(ATT_REF))) {
+                    if (DOMUtils.getChildElements(providerElt).length > 0) {
+                        pc.getReaderContext().error("authentication-provider element cannot have children when used " +
+                                "with 'ref' atribute", pc.extractSource(element));
+                    }
                     providers.add(new RuntimeBeanReference(providerElt.getAttribute(ATT_REF)));
                 } else {
                     BeanDefinition provider = resolver.resolve(providerElt.getNamespaceURI()).parse(providerElt, pc);

config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java

@@ -11,6 +11,7 @@ import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.authentication.AuthenticationProviderBeanDefinitionParser;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
 import org.springframework.security.util.FieldUtils;
+import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
 import org.springframework.context.support.AbstractXmlApplicationContext;
 
 import org.junit.Test;
@@ -129,6 +130,20 @@ public class AuthenticationProviderBeanDefinitionParserTests {
         getProvider().authenticate(bob);
     }
 
+    // SEC-1466
+    @Test(expected=BeanDefinitionParsingException.class)
+    public void exernalProviderDoesNotSupportChildElements() throws Exception {
+        appContext = new InMemoryXmlApplicationContext(
+                "    <authentication-manager>" +
+                "      <authentication-provider ref='aProvider'>" +
+                "        <password-encoder ref='customPasswordEncoder'/>" +
+                "      </authentication-provider>" +
+                "    </authentication-manager>" +
+                "    <b:bean id='aProvider' class='org.springframework.security.authentication.TestingAuthenticationProvider'/>" +
+                "    <b:bean id='customPasswordEncoder' " +
+                "        class='org.springframework.security.authentication.encoding.Md5PasswordEncoder'/>");
+    }
+
     private AuthenticationProvider getProvider() {
         List<AuthenticationProvider> providers =
                 ((ProviderManager)appContext.getBean(BeanIds.AUTHENTICATION_MANAGER)).getProviders();