SEC-53: BasicProcessingFilter only to reauthenticate if the SecurityContextHolder contains an unauthenticated Authentication, or an Authentication with a different username.

This commit is contained in:
Ben Alex 2005-11-03 09:45:30 +00:00
parent 690ab27a52
commit d9be0f86fd
2 changed files with 51 additions and 36 deletions

View File

@ -12,6 +12,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.sf.acegisecurity.ui.basicauth;
import net.sf.acegisecurity.Authentication;
@ -101,10 +102,17 @@ import javax.servlet.http.HttpServletResponse;
* @version $Id$
*/
public class BasicProcessingFilter implements Filter, InitializingBean {
//~ Static fields/initializers =============================================
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
//~ Instance fields ========================================================
private AuthenticationEntryPoint authenticationEntryPoint;
private AuthenticationManager authenticationManager;
//~ Methods ================================================================
public void setAuthenticationEntryPoint(
AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
@ -130,8 +138,7 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
"An AuthenticationEntryPoint is required");
}
public void destroy() {
}
public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
@ -165,40 +172,47 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
password = token.substring(delim + 1);
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
authRequest.setDetails(new WebAuthenticationDetails(httpRequest,
false));
// Only reauthenticate if username doesn't match ContextHolder and user isn't authenticated (see SEC-53)
Authentication existingAuth = SecurityContextHolder.getContext()
.getAuthentication();
Authentication authResult;
if ((existingAuth == null)
|| !existingAuth.getName().equals(username)
|| !existingAuth.isAuthenticated()) {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
authRequest.setDetails(new WebAuthenticationDetails(
httpRequest, false));
try {
authResult = authenticationManager.authenticate(authRequest);
} catch (AuthenticationException failed) {
// Authentication failed
if (logger.isDebugEnabled()) {
logger.debug("Authentication request for user: " +
username + " failed: " + failed.toString());
Authentication authResult;
try {
authResult = authenticationManager.authenticate(authRequest);
} catch (AuthenticationException failed) {
// Authentication failed
if (logger.isDebugEnabled()) {
logger.debug("Authentication request for user: "
+ username + " failed: " + failed.toString());
}
SecurityContextHolder.getContext().setAuthentication(null);
authenticationEntryPoint.commence(request, response, failed);
return;
}
SecurityContextHolder.getContext().setAuthentication(null);
authenticationEntryPoint.commence(request, response, failed);
// Authentication success
if (logger.isDebugEnabled()) {
logger.debug("Authentication success: "
+ authResult.toString());
}
return;
SecurityContextHolder.getContext().setAuthentication(authResult);
}
// Authentication success
if (logger.isDebugEnabled()) {
logger.debug("Authentication success: " +
authResult.toString());
}
SecurityContextHolder.getContext().setAuthentication(authResult);
}
chain.doFilter(request, response);
}
public void init(FilterConfig arg0) throws ServletException {
}
public void init(FilterConfig arg0) throws ServletException {}
}

View File

@ -183,6 +183,7 @@ public class BasicProcessingFilterTests extends TestCase {
MockHttpServletResponse response = new MockHttpServletResponse();
// Test
assertNull(SecurityContextHolder.getContext().getAuthentication());
executeFilterInContainerSimulator(config, filter, request, response,
chain);
@ -280,7 +281,7 @@ public class BasicProcessingFilterTests extends TestCase {
// NOW PERFORM FAILED AUTHENTICATION
// Setup our HTTP request
token = "marissa:WRONG_PASSWORD";
token = "otherUser:WRONG_PASSWORD";
request = new MockHttpServletRequest();
request.addHeader("Authorization",
"Basic " + new String(Base64.encodeBase64(token.getBytes())));