Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix DelegatingNegotiateSecurityFilter use of custom auth #956

Merged
merged 2 commits into from
Jun 11, 2020
Merged

Fix DelegatingNegotiateSecurityFilter use of custom auth #956

merged 2 commits into from
Jun 11, 2020

Conversation

cmolodo
Copy link
Contributor

@cmolodo cmolodo commented Jun 11, 2020

For the SpringSecurity 4 and 5 modules DelegatingNegotiateSecurityFilter, if both a custom AuthenticationManager and a custom AuthenticationSuccessHandler are specified, the custom Authentication is added to the SecurityContext, but is not passed to the custom success handler.
This means the SecurityContext has a different Authentication token than the success handler.

This is fixed for both spring security modules.

Resolves #453

@cmolodo
Fix DelegatingNegotiateSecurityFilter use of custom auth
e5f6fe3 
For the SpringSecurity 4 and 5 modules DelegatingNegotiateSecurityFilter, if both a custom AuthenticationManager and a custom AuthenticationSuccessHandler are specified, the custom Authentication is added to the SecurityContext, but is not passed to the custom success handler.  This means the context has a different Authentication than the success handler.

This is fixed for both spring security modules.

Issues:
Waffle#453
@dblock
Copy link
Collaborator

dblock commented Jun 11, 2020

🚀 This could use a test.

@cmolodo
Copy link
Contributor Author

cmolodo commented Jun 11, 2020

@dblock Sounds good, I'll add tests that check that the same custom Authentication token is now added to both the SecurityContext and the custom success handler.

@cmolodo
Add tests to check custom auth token handling in delegating filters
57f2af4 
Added unit tests to both Spring Security modules to check that the same authentication token provided by the custom AuthenticationManager is provided to both the SecurityContext and to the custom AuthenticationSuccessHandler.
@hazendaz
Copy link
Member

@cmolodo LGTM Thanks!

@hazendaz hazendaz merged commit e5df07f into Waffle:master Jun 11, 2020
@hazendaz hazendaz mentioned this pull request Jun 11, 2020
Closed
hazendaz added a commit that referenced this pull request Jun 11, 2020
@hazendaz
[ci] Add changelog for fix to #453 on PR #956
a014226
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@cmolodo @dblock @hazendaz