SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerR…

…equestExecutor

Previously, an anonymous authentication was submitted as credentials over the wire, which
caused the applications to attempt to authenticate the anonymous user.

Now if the user is anonymous (determined by the AuthenticationTrustResolver), the
AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
commit 25248c75369756b2c1d80b5b7e0b14b5a9a9c09d 1 parent 1ab068a
@rwinch rwinch authored
9 ...va/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
@@ -21,6 +21,8 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.core.context.SecurityContextHolder;
@@ -30,12 +32,17 @@
* Adds BASIC authentication support to <code>SimpleHttpInvokerRequestExecutor</code>.
*
* @author Ben Alex
+ * @author Rob Winch
*/
public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
//~ Static fields/initializers =====================================================================================
private static final Log logger = LogFactory.getLog(AuthenticationSimpleHttpInvokerRequestExecutor.class);
+ //~ Instance fields ================================================================================================
+
+ private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
//~ Methods ========================================================================================================
/**
@@ -65,7 +72,7 @@ protected void prepareConnection(HttpURLConnection con, int contentLength) throw
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
- if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null)) {
+ if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
String base64 = auth.getName() + ":" + auth.getCredentials().toString();
con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));
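Review bot: The new `!trustResolver.isAnonymous(auth)` guard on the prepareConnection condition depends on a `trustResolver` field that the second hunk declares `private` and hard-wires to `new AuthenticationTrustResolverImpl()`, and no setter appears in these hunks, so a deployment whose anonymous filter issues a token that the default resolver does not classify as anonymous (as far as I recall it keys on the token's class) would still have that token sent as Basic credentials, which is exactly the leak SEC-1975 fixes. Consider exposing the resolver the way other framework components do, `public void setTrustResolver(AuthenticationTrustResolver trustResolver) { this.trustResolver = trustResolver; }` with a null check, so the application can inject the same resolver it uses elsewhere. The class Javadoc (`Adds BASIC authentication support to ...`) should also state the new behaviour, e.g. `Anonymous authentications, as determined by the configured {@link AuthenticationTrustResolver}, are never sent as credentials.` prepareConnection starts before the last hunk (only its signature is visible in the @@ line) and its body continues past it.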
19 ...g/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
@@ -18,8 +18,10 @@
import junit.framework.TestCase;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
@@ -37,6 +39,7 @@
* Tests {@link AuthenticationSimpleHttpInvokerRequestExecutor}.
*
* @author Ben Alex
+ * @author Rob Winch
*/
public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCase {
@@ -77,6 +80,22 @@ public void testNullContextHolderIsNull() throws Exception {
assertNull(conn.getRequestProperty("Authorization"));
}
+ // SEC-1975
+ public void testNullContextHolderWhenAnonymous() throws Exception {
+ AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken("key", "principal",
+ AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+ SecurityContextHolder.getContext().setAuthentication(anonymous);
+
+ // Create a connection and ensure our executor sets its
+ // properties correctly
+ AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
+ HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+ executor.prepareConnection(conn, 10);
+
+ // Check connection properties (shouldn't be an Authorization header)
+ assertNull(conn.getRequestProperty("Authorization"));
+ }
+
//~ Inner Classes ==================================================================================================
private class MockHttpURLConnection extends HttpURLConnection {
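Review bot: The new test's name `testNullContextHolderWhenAnonymous` does not describe what it checks — the context holder is populated with an `AnonymousAuthenticationToken` and the assertion is that no `Authorization` header is set; `public void testNoAuthorizationHeaderWhenAnonymous() throws Exception {` would match the assertion. The test also leaves the anonymous token in `SecurityContextHolder` when it returns; if the class's setUp/tearDown (outside this hunk) does not call `SecurityContextHolder.clearContext()`, the token leaks into whichever test runs next and could mask a regression there, so wrapping the body in `try { ... } finally { SecurityContextHolder.clearContext(); }` is worth adding. The comment `// Create a connection and ensure our executor sets its properties correctly` is copied from the positive test and reads oddly here, where the expectation is that nothing is set; `// Prepare a connection and verify the executor adds no credentials for an anonymous user` would fit.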