
SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerR…

…equestExecutor

Previously, anonymous authentication was submitted as credentials over the wire, which
caused the application to attempt to authenticate the anonymous user.

Now if the user is anonymous (determined by the AuthenticationTrustResolver), the
AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
1 parent 1ab068a commit 25248c75369756b2c1d80b5b7e0b14b5a9a9c09d @rwinch rwinch committed Aug 9, 2012
@@ -21,6 +21,8 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.core.context.SecurityContextHolder;
@@ -30,12 +32,17 @@
* Adds BASIC authentication support to <code>SimpleHttpInvokerRequestExecutor</code>.
*
* @author Ben Alex
+ * @author Rob Winch
*/
public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
//~ Static fields/initializers =====================================================================================
private static final Log logger = LogFactory.getLog(AuthenticationSimpleHttpInvokerRequestExecutor.class);
+ //~ Instance fields ================================================================================================
+
+ private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
//~ Methods ========================================================================================================
/**
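Review bot: The new `trustResolver` field at `private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();` has no setter, so an application that uses a custom anonymous token class (which the default resolver appears to recognise only by type) cannot substitute its own resolver, and the executor would then fall back to sending that token's name and credentials in the `Authorization` header — the very behaviour this commit is removing. A null-guarded setter keeps the default and makes the check configurable; it needs `org.springframework.util.Assert` imported, which this hunk does not show. The class body continues past the end of the hunk.
```java
    /**
     * Sets the {@link AuthenticationTrustResolver} used to decide whether the current
     * {@link Authentication} is anonymous and therefore must not be sent as BASIC credentials.
     * Defaults to {@link AuthenticationTrustResolverImpl}.
     *
     * @param trustResolver the resolver to use; must not be null
     */
    public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
        Assert.notNull(trustResolver, "trustResolver cannot be null");
        this.trustResolver = trustResolver;
    }
```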
@@ -65,7 +72,7 @@ protected void prepareConnection(HttpURLConnection con, int contentLength) throw
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
- if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null)) {
+ if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
String base64 = auth.getName() + ":" + auth.getCredentials().toString();
con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));
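Review bot: The widened guard `!trustResolver.isAnonymous(auth)` stops anonymous tokens, but the same leak-over-the-wire concern appears to apply to remember-me tokens, whose credentials are (as far as I recall) a non-null empty string and so still pass `auth.getCredentials() != null`; the same interface offers `isRememberMe`, so `&& !trustResolver.isRememberMe(auth)` in the same condition would close that gap if that is the case. Separately, the unchanged line `base64.getBytes()` encodes the user name and password with the platform default charset, so a non-ASCII password produces a different header on different hosts; `base64.getBytes("UTF-8")` (or an explicit `Charset`) makes the wire encoding deterministic. The enclosing `prepareConnection` starts and ends outside this hunk, so whatever is logged in its remaining branches should be checked to ensure the credential value is never written to the log.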
@@ -18,8 +18,10 @@
import junit.framework.TestCase;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
@@ -37,6 +39,7 @@
* Tests {@link AuthenticationSimpleHttpInvokerRequestExecutor}.
*
* @author Ben Alex
+ * @author Rob Winch
*/
public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCase {
@@ -77,6 +80,22 @@ public void testNullContextHolderIsNull() throws Exception {
assertNull(conn.getRequestProperty("Authorization"));
}
+ // SEC-1975
+ public void testNullContextHolderWhenAnonymous() throws Exception {
+ AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken("key", "principal",
+ AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+ SecurityContextHolder.getContext().setAuthentication(anonymous);
+
+ // Create a connection and ensure our executor sets its
+ // properties correctly
+ AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
+ HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+ executor.prepareConnection(conn, 10);
+
+ // Check connection properties (shouldn't be an Authorization header)
+ assertNull(conn.getRequestProperty("Authorization"));
+ }
+
//~ Inner Classes ==================================================================================================
private class MockHttpURLConnection extends HttpURLConnection {
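Review bot: The new test name `testNullContextHolderWhenAnonymous` describes a null context holder, but the test installs an `AnonymousAuthenticationToken` and asserts that no `Authorization` header is produced; a name such as `testAnonymousAuthenticationDoesNotSetAuthorizationHeader` states what is actually verified. The token is placed into `SecurityContextHolder` and never removed inside the test, so unless the class's `tearDown` (not visible in this hunk) calls `SecurityContextHolder.clearContext()`, the anonymous token leaks into later tests and can mask a regression in a test that expects the header to be present; wrapping the assertions in `try { ... } finally { SecurityContextHolder.clearContext(); }` keeps the test self-contained. The copied comment `// Create a connection and ensure our executor sets its properties correctly` contradicts the negative assertion below it and could read `// Create a connection and ensure our executor adds no credentials`. The test class continues outside the hunk.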
