UP-1741 - Added a check to RemoteUserSecurityContext to verify the se…

…tting of the REMOTE_USER user id was successful for the

principal. If it was not the RemoteUserSecurityContext will not mark the principal as authenticated.

git-svn-id: https://source.jasig.org/uPortal/branches/rel-2-5-3-patches@14119 f5dbab47-78f9-eb45-b975-e544023573eb

source/org/jasig/portal/security/provider/RemoteUserSecurityContext.java

@@ -58,17 +58,31 @@ public int getAuthType() {
 	 *
 	 *@exception  PortalSecurityException
 	 */
-	public synchronized void authenticate()
-		throws PortalSecurityException {
-		isauth = remoteUser != null;
-		if (isauth) {
-			myPrincipal.setUID(remoteUser);
-			super.authenticate();
-		} else {
-			log.info( "Authentication failed. REMOTE_USER not set");
-		}
-		return;
-	}
+   public synchronized void authenticate() throws PortalSecurityException {
+        if (this.remoteUser != null) {
+            // Set the UID for the principal
+            this.myPrincipal.setUID(this.remoteUser);
+
+            // Check that the principal UID matches the remote user
+            final String newUid = this.myPrincipal.getUID();
+            if (this.remoteUser.equals(newUid)) {
+                if (log.isInfoEnabled()) {
+                    log.info("Authentication REMOTE_USER(" + this.remoteUser + ").");
+                }
+
+                this.isauth = true;
+            }
+            else if (log.isInfoEnabled()) {
+                log.info("Authentication failed. REMOTE_USER(" + this.remoteUser + ") != user(" + newUid + ").");
+            }
+        }
+        else if (log.isInfoEnabled()) {
+            log.info("Authentication failed. REMOTE_USER not set for(" + this.myPrincipal.getUID() + ").");
+        }
+
+        super.authenticate();
+        return;
+    }
 
 	/**
 	 * Set the remote user for this security context.