SEC-53: BasicProcessingFilter only to reauthenticate if the SecurityContextHolder contains an unauthenticated Authentication, or an Authentication with a different username.

2005-11-03 09:45:30 +00:00 · 2005-11-03 09:45:30 +00:00 · d9be0f86fd
parent 690ab27a52
commit d9be0f86fd
2 changed files with 51 additions and 36 deletions
--- a/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
@ -12,6 +12,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+
 package net.sf.acegisecurity.ui.basicauth;

 import net.sf.acegisecurity.Authentication;
@ -101,10 +102,17 @@ import javax.servlet.http.HttpServletResponse;
 * @version $Id$
 */
 public class BasicProcessingFilter implements Filter, InitializingBean {
+    //~ Static fields/initializers =============================================
+
    private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
+
+    //~ Instance fields ========================================================
+
    private AuthenticationEntryPoint authenticationEntryPoint;
    private AuthenticationManager authenticationManager;

+    //~ Methods ================================================================
+
    public void setAuthenticationEntryPoint(
        AuthenticationEntryPoint authenticationEntryPoint) {
        this.authenticationEntryPoint = authenticationEntryPoint;
@ -130,8 +138,7 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
            "An AuthenticationEntryPoint is required");
    }

-    public void destroy() {
-    }
+    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
@ -165,10 +172,17 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
                password = token.substring(delim + 1);
            }

+            // Only reauthenticate if username doesn't match ContextHolder and user isn't authenticated (see SEC-53)
+            Authentication existingAuth = SecurityContextHolder.getContext()
+                                                               .getAuthentication();
+
+            if ((existingAuth == null)
+                || !existingAuth.getName().equals(username)
+                || !existingAuth.isAuthenticated()) {
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
                        password);
-            authRequest.setDetails(new WebAuthenticationDetails(httpRequest,
-                    false));
+                authRequest.setDetails(new WebAuthenticationDetails(
+                        httpRequest, false));

                Authentication authResult;

@ -177,8 +191,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
                } catch (AuthenticationException failed) {
                    // Authentication failed
                    if (logger.isDebugEnabled()) {
-                    logger.debug("Authentication request for user: " +
-                        username + " failed: " + failed.toString());
+                        logger.debug("Authentication request for user: "
+                            + username + " failed: " + failed.toString());
                    }

                    SecurityContextHolder.getContext().setAuthentication(null);
@ -189,16 +203,16 @@ public class BasicProcessingFilter implements Filter, InitializingBean {

                // Authentication success
                if (logger.isDebugEnabled()) {
-                logger.debug("Authentication success: " +
-                    authResult.toString());
+                    logger.debug("Authentication success: "
+                        + authResult.toString());
                }

                SecurityContextHolder.getContext().setAuthentication(authResult);
            }
+        }

        chain.doFilter(request, response);
    }

-    public void init(FilterConfig arg0) throws ServletException {
-    }
+    public void init(FilterConfig arg0) throws ServletException {}
 }
--- a/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/basicauth/BasicProcessingFilterTests.java
@ -183,6 +183,7 @@ public class BasicProcessingFilterTests extends TestCase {
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Test
+        assertNull(SecurityContextHolder.getContext().getAuthentication());
        executeFilterInContainerSimulator(config, filter, request, response,
            chain);

@ -280,7 +281,7 @@ public class BasicProcessingFilterTests extends TestCase {

        // NOW PERFORM FAILED AUTHENTICATION
        // Setup our HTTP request
-        token = "marissa:WRONG_PASSWORD";
+        token = "otherUser:WRONG_PASSWORD";
        request = new MockHttpServletRequest();
        request.addHeader("Authorization",
            "Basic " + new String(Base64.encodeBase64(token.getBytes())));