SEC-1867: Perform null check on Authentication.getCredentials() prior to calling toString()

core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java

@@ -57,7 +57,8 @@ public class RemoteAuthenticationProvider implements AuthenticationProvider, Ini
     public Authentication authenticate(Authentication authentication)
         throws AuthenticationException {
         String username = authentication.getPrincipal().toString();
-        String password = authentication.getCredentials().toString();
+        Object credentials = authentication.getCredentials();
+        String password = credentials == null ? null : credentials.toString();
         Collection<? extends GrantedAuthority> authorities = remoteAuthenticationManager.attemptAuthentication(username, password);
 
         return new UsernamePasswordAuthenticationToken(username, password, authorities);

core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java

@@ -21,6 +21,7 @@ import junit.framework.TestCase;
 
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 
@@ -77,6 +78,17 @@ public class RemoteAuthenticationProviderTests extends TestCase {
         assertTrue(AuthorityUtils.authorityListToSet(result.getAuthorities()).contains("foo"));
     }
 
+    public void testNullCredentialsDoesNotCauseNullPointerException() {
+        RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
+        provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(false));
+
+        try {
+            provider.authenticate(new UsernamePasswordAuthenticationToken("rod", null));
+            fail("Expected Exception");
+        } catch(RemoteAuthenticationException success) {}
+
+    }
+
     public void testSupports() {
         RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider();
         assertTrue(provider.supports(UsernamePasswordAuthenticationToken.class));

remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java

@@ -66,13 +66,17 @@ public class ContextPropagatingRemoteInvocation extends RemoteInvocation {
 
         if (currentUser != null) {
             principal = currentUser.getName();
-            credentials = currentUser.getCredentials().toString();
+            Object userCredentials = currentUser.getCredentials();
+            credentials = userCredentials == null ? null : userCredentials.toString();
         } else {
             principal = credentials = null;
         }
 
         if (logger.isDebugEnabled()) {
             logger.debug("RemoteInvocation now has principal: " + principal);
+            if(credentials == null) {
+                logger.debug("RemoteInvocation now has null credentials.");
+            }
         }
     }
 

remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java

@@ -22,6 +22,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.util.SimpleMethodInvocation;
+import org.springframework.test.util.ReflectionTestUtils;
 
 import java.lang.reflect.Method;
 
@@ -95,4 +96,13 @@ public class ContextPropagatingRemoteInvocationTests extends TestCase {
 
         assertEquals("some_string Authentication empty", remoteInvocation.invoke(new TargetObject()));
     }
+
+    // SEC-1867
+    public void testNullCredentials() throws Exception {
+        Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("rod", null);
+        SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication);
+
+        ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation();
+        assertEquals(null, ReflectionTestUtils.getField(remoteInvocation, "credentials"));
+    }
 }