SEC-2533: Global AuthenticationManagerBuilder disables clearing child credentials

12 years ago · c411014c24
2 changed files with 25 additions and 0 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
@ -78,6 +78,9 @@ public class AuthenticationManagerBuilder extends AbstractConfiguredSecurityBuil
				@@ -78,6 +78,9 @@ public class AuthenticationManagerBuilder extends AbstractConfiguredSecurityBuil
     */
    public AuthenticationManagerBuilder parentAuthenticationManager(
            AuthenticationManager authenticationManager) {
+        if(authenticationManager instanceof ProviderManager) {
+            eraseCredentials(((ProviderManager) authenticationManager).isEraseCredentialsAfterAuthentication());
+        }
        this.parentAuthenticationManager = authenticationManager;
        return this;
    }
--- a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
@ -15,6 +15,7 @@
				@@ -15,6 +15,7 @@
 */
 package org.springframework.security.config.annotation.authentication

+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
@ -89,4 +90,25 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
				@@ -89,4 +90,25 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
            return super.authenticationManagerBean();
        }
    }
+
+    def "SEC-2533: global authentication-manager@erase-credentials=false"() {
+        when:
+            loadConfig(GlobalEraseCredentialsFalseConfig)
+            Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
+        then:
+            auth.credentials == "password"
+            auth.principal.password == "password"
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class GlobalEraseCredentialsFalseConfig extends WebSecurityConfigurerAdapter {
+        @Autowired
+        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .eraseCredentials(false)
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
+    }
 }