SEC-723: Change PreAuthenticatedAuthenticationProvider to reject authentication tokens with null credentials. Also introduced a property "throwExceptionWhenTokenIsRejected" which raises a BadCredentialsException when the toke is invalid.

2025-10-31 06:38:42 +00:00 · 2008-03-18 18:29:48 +00:00 · 2008-03-18 18:29:48 +00:00 · c9ff912b2f
commit c9ff912b2f
parent 163fb1052f
1 changed files with 27 additions and 3 deletions
--- a/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java
@ -3,6 +3,7 @@ package org.springframework.security.providers.preauth;
 import org.springframework.security.providers.AuthenticationProvider;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
 import org.springframework.security.userdetails.UserDetails;
 import org.springframework.security.userdetails.UserDetailsChecker;
 import org.springframework.security.userdetails.checker.AccountStatusUserDetailsChecker;
@ -32,7 +33,8 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
    private static final Log logger = LogFactory.getLog(PreAuthenticatedAuthenticationProvider.class);

    private AuthenticationUserDetailsService preAuthenticatedUserDetailsService = null;
-    private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();    
+    private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker(); 
+    private boolean throwExceptionWhenTokenRejected = false;

    private int order = -1; // default: same as non-ordered

@ -40,7 +42,7 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
     * Check whether all required properties have been set.
     */
    public void afterPropertiesSet() {
-        Assert.notNull(preAuthenticatedUserDetailsService, "A AuthenticationUserDetailsService must be set");
+        Assert.notNull(preAuthenticatedUserDetailsService, "An AuthenticationUserDetailsService must be set");
    }

    /**
@ -58,11 +60,24 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
            logger.debug("PreAuthenticated authentication request: " + authentication);
        }

-        if(authentication.getPrincipal() == null) {
+        if (authentication.getPrincipal() == null) {
            logger.debug("No pre-authenticated principal found in request.");
+            
+            if (throwExceptionWhenTokenRejected) {
+                throw new BadCredentialsException("No pre-authenticated principal found in request.");
+            }
            return null;
        }

+        if (authentication.getCredentials() == null) {
+            logger.debug("No pre-authenticated credentials found in request.");
+
+            if (throwExceptionWhenTokenRejected) {
+                throw new BadCredentialsException("No pre-authenticated credentials found in request.");
+            }            
+            return null;
+        }
+        
        UserDetails ud = preAuthenticatedUserDetailsService.loadUserDetails(authentication);

        userDetailsChecker.check(ud);
@ -98,4 +113,13 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
    public void setOrder(int i) {
        order = i;
    }
+
+    /** 
+     * If true, causes the provider to throw a BadCredentialsException if the presented authentication 
+     * request is invalid (contains a null principal or credentials). Otherwise it will just return 
+     * null.  
+     */    
+    public void setThrowExceptionWhenTokenRejected(boolean throwExceptionWhenTokenRejected) {
+        this.throwExceptionWhenTokenRejected = throwExceptionWhenTokenRejected;
+    }
 }