
SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider.

2.0.x
Luke Taylor 15 years ago
parent
commit
0cdf202b10
  1. 8
      core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java
  2. 12
      core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java

8
core/src/main/java/org/springframework/security/providers/jaas/JaasAuthenticationProvider.java

@ -158,7 +158,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli @@ -158,7 +158,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
Assert.hasLength(loginContextName, "loginContextName must be set on " + getClass());
configureJaas(loginConfig);
Assert.notNull(Configuration.getConfiguration(),
"As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html "
+ "\"If a Configuration object was set via the Configuration.setConfiguration method, then that object is "
@ -189,13 +189,9 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli @@ -189,13 +189,9 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
//Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point.
loginContext.login();
//create a set to hold the authorities, and add any that have already been applied.
//create a set to hold the authorities
Set authorities = new HashSet();
if (request.getAuthorities() != null) {
authorities.addAll(Arrays.asList(request.getAuthorities()));
}
//get the subject principals and pass them to each of the AuthorityGranters
Set principals = loginContext.getSubject().getPrincipals();
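Review bot: The replacement comment `//create a set to hold the authorities` drops the reason the request's authorities are no longer copied into the set, which is the whole point of SEC-1744; a later maintainer reading only this code could reasonably add the `addAll` back. Suggest `// Authorities on the incoming request are caller-supplied and unauthenticated, so they are deliberately ignored; only the AuthorityGranters populate this set.` in place of the new comment, with the same sentence in the Javadoc of the enclosing authenticate method, whose start and end lie outside the hunk. If `Arrays.asList` on the removed line was the only use of `Arrays` in this class, that import is now unused; the import block is not in the hunk, so this is worth a check rather than a certainty.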

12
core/src/test/java/org/springframework/security/providers/jaas/JaasAuthenticationProviderTests.java

@ -138,13 +138,7 @@ public class JaasAuthenticationProviderTests extends TestCase { @@ -138,13 +138,7 @@ public class JaasAuthenticationProviderTests extends TestCase {
}
public void testFull() throws Exception {
GrantedAuthorityImpl role1 = new GrantedAuthorityImpl("ROLE_1");
GrantedAuthorityImpl role2 = new GrantedAuthorityImpl("ROLE_2");
GrantedAuthority[] defaultAuths = new GrantedAuthority[] {role1, role2,};
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password",
defaultAuths);
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password");
assertTrue(jaasProvider.supports(UsernamePasswordAuthenticationToken.class));
@ -161,10 +155,6 @@ public class JaasAuthenticationProviderTests extends TestCase { @@ -161,10 +155,6 @@ public class JaasAuthenticationProviderTests extends TestCase {
assertTrue("GrantedAuthorities should contain ROLE_TEST2", list.contains(new GrantedAuthorityImpl("ROLE_TEST2")));
assertTrue("GrantedAuthorities should contain ROLE_1", list.contains(role1));
assertTrue("GrantedAuthorities should contain ROLE_2", list.contains(role2));
boolean foundit = false;
for (int i = 0; i < list.size(); i++) {
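Review bot: The deleted assertions `list.contains(role1)` and `list.contains(role2)` merely stop checking that request-supplied authorities are granted; nothing in testFull now asserts the opposite, so a regression that reinstates the old `addAll` would pass the suite unnoticed. A dedicated test should pass a token that carries authorities and assert they are absent from the provider's result, along the lines of the method below (the lines that obtain the authenticated token and build `list` in testFull are outside this hunk, so the setup is modelled on what is visible and may need adjusting). The same gap applies to the first hunk, where `defaultAuths` was removed from the token instead of being kept as a negative fixture. testFull starts at old line 138 and continues past the hunk.
```java
public void testAuthoritiesOnRequestAreNotTrusted() throws Exception {
    GrantedAuthority[] requestAuths = new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_1")};
    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password",
            requestAuths);
    Authentication result = jaasProvider.authenticate(token);
    List list = Arrays.asList(result.getAuthorities());
    assertFalse("Authorities on the request must not be granted", list.contains(new GrantedAuthorityImpl("ROLE_1")));
    // … unchanged: the ROLE_TEST1/ROLE_TEST2 assertions from testFull still apply …
}
```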
