SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider.

core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java

@@ -182,7 +182,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
 
             // Create a set to hold the authorities, and add any that have already been applied.
             authorities = new HashSet<GrantedAuthority>();
-            authorities.addAll(request.getAuthorities());
 
             // Get the subject principals and pass them to each of the AuthorityGranters
             Set<Principal> principals = loginContext.getSubject().getPrincipals();

core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java

@@ -179,7 +179,7 @@ public class JaasAuthenticationProviderTests {
 
     @Test
     public void testFull() throws Exception {
-        List<GrantedAuthority> defaultAuths = AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO");
+        List<GrantedAuthority> defaultAuths = AuthorityUtils.createAuthorityList("ROLE_ONE");
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password",
                 defaultAuths);
 
@@ -196,8 +196,7 @@ public class JaasAuthenticationProviderTests {
 
         assertTrue("GrantedAuthorities should contain ROLE_TEST1", list.contains(new GrantedAuthorityImpl("ROLE_TEST1")));
         assertTrue("GrantedAuthorities should contain ROLE_TEST2", list.contains(new GrantedAuthorityImpl("ROLE_TEST2")));
-        assertTrue("GrantedAuthorities should contain ROLE_1", list.contains(defaultAuths.get(0)));
+        assertFalse("GrantedAuthorities should not contain ROLE_ONE", list.contains(defaultAuths.get(0)));
-        assertTrue("GrantedAuthorities should contain ROLE_2", list.contains(defaultAuths.get(1)));
 
         boolean foundit = false;