SEC-1867: Perform null check on Authentication.getCredentials() prior to calling toString()

14 years ago · 1f835fec43
4 changed files with 29 additions and 2 deletions
--- a/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java
@ -57,7 +57,8 @@ public class RemoteAuthenticationProvider implements AuthenticationProvider, Ini
				@@ -57,7 +57,8 @@ public class RemoteAuthenticationProvider implements AuthenticationProvider, Ini
    public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
        String username = authentication.getPrincipal().toString();
-        String password = authentication.getCredentials().toString();
+        Object credentials = authentication.getCredentials();
+        String password = credentials == null ? null : credentials.toString();
        Collection<? extends GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password);

        return new UsernamePasswordAuthenticationToken(username, password, authorities);
--- a/core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java
@ -21,6 +21,7 @@ import junit.framework.TestCase;
				@@ -21,6 +21,7 @@ import junit.framework.TestCase;

 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;

@ -77,6 +78,17 @@ public class RemoteAuthenticationProviderTests extends TestCase {
				@@ -77,6 +78,17 @@ public class RemoteAuthenticationProviderTests extends TestCase {
        assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("foo"));
    }

+    public void testNullCredentialsDoesNotCauseNullPointerException() {
+        RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
+        provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(false));
+
+        try {
+            provider.authenticate(new UsernamePasswordAuthenticationToken("rod", null));
+            fail("Expected Exception");
+        } catch(RemoteAuthenticationException success) {}
+
+    }
+
    public void testSupports() {
        RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
        assertTrue(provider.supports(UsernamePasswordAuthenticationToken.class));
--- a/remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
+++ b/remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java
@ -66,13 +66,17 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
				@@ -66,13 +66,17 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {

        if (currentUser != null) {
            principal = currentUser.getName();
-            credentials = currentUser.getCredentials().toString();
+            Object userCredentials = currentUser.getCredentials();
+            credentials = userCredentials == null ? null : userCredentials.toString();
        } else {
            principal = credentials = null;
        }

        if (logger.isDebugEnabled()) {
            logger.debug("RemoteInvocation now has principal: " + principal);
+            if(credentials == null) {
+                logger.debug("RemoteInvocation now has null credentials.");
+            }
        }
    }

--- a/remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java
+++ b/remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java
@ -22,6 +22,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
				@@ -22,6 +22,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.util.SimpleMethodInvocation;
+import org.springframework.test.util.ReflectionTestUtils;

 import java.lang.reflect.Method;

@ -95,4 +96,13 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
				@@ -95,4 +96,13 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {

        assertEquals("some_string Authentication empty", remoteInvocation.invoke(new TargetObject()));
    }
+
+    // SEC-1867
+    public void testNullCredentials() throws Exception {
+        Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("rod", null);
+        SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication);
+
+        ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation();
+        assertEquals(null, ReflectionTestUtils.getField(remoteInvocation, "credentials"));
+    }
 }