From 39e2bb67fcc1cd58409178204f250456777b15b4 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Thu, 18 Sep 2025 15:37:37 -0600
Subject: [PATCH] Create Authentication Only Once
Issue gh-17933
---
 ...AbstractUserDetailsAuthenticationProvider.java | 15 +++++++++------
 .../AbstractLdapAuthenticationProvider.java | 11 ++++++-----
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
index fdb8f37630..90afccc183 100644
--- a/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
@@ -16,6 +16,9 @@
 package org.springframework.security.authentication.dao;
+import java.util.ArrayList;
+import java.util.Collection;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -33,6 +36,7 @@ import org.springframework.security.authentication.LockedException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
@@ -200,12 +204,11 @@ public abstract class AbstractUserDetailsAuthenticationProvider
 // so subsequent attempts are successful even with encoded passwords.
 // Also ensure we return the original getDetails(), so that future
 // authentication events after cache expiry contain the details
- UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken
- .authenticated(principal, authentication.getCredentials(),
- this.authoritiesMapper.mapAuthorities(user.getAuthorities()))
- .toBuilder()
- .authorities((a) -> a.add(new SimpleGrantedAuthority(AUTHORITY)))
- .build();
+ Collection authorities = new ArrayList<>(
+ this.authoritiesMapper.mapAuthorities(user.getAuthorities()));
+ authorities.add(new SimpleGrantedAuthority(AUTHORITY));
+ UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken.authenticated(principal,
+ authentication.getCredentials(), authorities);
 result.setDetails(authentication.getDetails());
 this.logger.debug("Authenticated user");
 return result;
diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java
index 08be437ccf..fad307be6c 100644
--- a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java
+++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java
@@ -16,6 +16,7 @@
 package org.springframework.security.ldap.authentication;
+import java.util.ArrayList;
 import java.util.Collection;
 import org.apache.commons.logging.Log;
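Review bot: In the `@@ -200,12 +204,11 @@` hunk, `new ArrayList<>(this.authoritiesMapper.mapAuthorities(user.getAuthorities()))` throws a NullPointerException if a custom GrantedAuthoritiesMapper returns null, which surfaces as an unhandled error in the login path rather than an AuthenticationException. The removed code handed the mapper result straight to `authenticated(...)`; whether that call accepted null is decided outside the hunk, so this is worth confirming before treating it as a regression. Building the list in two steps keeps the copy null-safe: `Collection<GrantedAuthority> authorities = new ArrayList<>();` followed by `if (mapped != null) { authorities.addAll(mapped); }`, where `mapped` holds the mapper result. The AbstractLdapAuthenticationProvider hunk builds the list the same way, and both enclosing methods start outside their hunks.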
@@ -103,11 +104,11 @@ public abstract class AbstractLdapAuthenticationProvider implements Authenticati
 UserDetails user) {
 Object password = this.useAuthenticationRequestCredentials ? authentication.getCredentials()
 : user.getPassword();
- UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken
- .authenticated(user, password, this.authoritiesMapper.mapAuthorities(user.getAuthorities()))
- .toBuilder()
- .authorities((a) -> a.add(new SimpleGrantedAuthority(AUTHORITY)))
- .build();
+ Collection authorities = new ArrayList<>(
+ this.authoritiesMapper.mapAuthorities(user.getAuthorities()));
+ authorities.add(new SimpleGrantedAuthority(AUTHORITY));
+ UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken.authenticated(user, password,
+ authorities);
 result.setDetails(authentication.getDetails());
 this.logger.debug("Authenticated user");
 return result;
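Review bot: The `authorities.add(new SimpleGrantedAuthority(AUTHORITY));` line has no comment explaining why the authority is appended after `this.authoritiesMapper.mapAuthorities(...)` has run rather than before it. As written, the configured mapper never sees that authority, so it can neither drop nor rewrite it. If that ordering is deliberate, a one-line comment such as `// appended after mapping so the configured GrantedAuthoritiesMapper cannot remove or rename it` would stop a later refactor from moving the add ahead of the mapper. AUTHORITY is defined outside the hunk and the method signature starts above it, so the intent is inferred from the visible lines only.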