SEC-549: Trim whitespace from username submitted with login form.

19 years ago · 56deb3dd83
2 changed files with 18 additions and 3 deletions
--- a/core/src/main/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilter.java
@ -68,6 +68,8 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
				@@ -68,6 +68,8 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
            password = "";
        }

+        username = username.trim();
+
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Place the last username attempted into HttpSession for views
@ -145,7 +147,7 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
				@@ -145,7 +147,7 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
     * @param passwordParameter the parameter name. Defaults to "j_password".
     */
    public void setPasswordParameter(String passwordParameter) {
-        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");        
+        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
        this.passwordParameter = passwordParameter;
    }
 }
--- a/core/src/test/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/webapp/AuthenticationProcessingFilterTests.java
@ -92,7 +92,7 @@ public class AuthenticationProcessingFilterTests extends TestCase {
				@@ -92,7 +92,7 @@ public class AuthenticationProcessingFilterTests extends TestCase {
        AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
        filter.setAuthenticationManager(new MockAuthenticationManager(true));
        filter.setUsernameParameter("x");
-        filter.setPasswordParameter("y");        
+        filter.setPasswordParameter("y");
        filter.init(null);

        MockHttpServletRequest request = new MockHttpServletRequest();
@ -101,6 +101,19 @@ public class AuthenticationProcessingFilterTests extends TestCase {
				@@ -101,6 +101,19 @@ public class AuthenticationProcessingFilterTests extends TestCase {

        Authentication result = filter.attemptAuthentication(request);
        assertTrue(result != null);
-        assertEquals("127.0.0.1", ((WebAuthenticationDetails) result.getDetails()).getRemoteAddress());        
+        assertEquals("127.0.0.1", ((WebAuthenticationDetails) result.getDetails()).getRemoteAddress());
+    }
+
+    public void testSpacesAreTrimmedCorrectlyFromUsername() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.addParameter(AuthenticationProcessingFilter.ACEGI_SECURITY_FORM_USERNAME_KEY, " marissa ");
+        request.addParameter(AuthenticationProcessingFilter.ACEGI_SECURITY_FORM_PASSWORD_KEY, "koala");
+
+        AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
+        filter.setAuthenticationManager(new MockAuthenticationManager(true));
+        filter.init(null);
+
+        Authentication result = filter.attemptAuthentication(request);
+        assertEquals("marissa", result.getName());
    }
 }