SEC-1384: DefaultWebInvocationPrivilegeEvaluator bypasses the accessDecisionManager when authorities are empty #1627

Closed
spring-issuemaster opened this Issue Jan 24, 2010 · 1 comment

1 participant

@spring-issuemaster

Ferdinand Marques Nunes (Migrated from SEC-1384) said:

defaultWebInvocationPrivilegeEvaluator.isAllowed(...) always returns false when the authorities are empty.

Here is the simple security configuration used:

<http access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/images/**" filters="none" />
    <intercept-url pattern="/scripts/**" filters="none" />
    <intercept-url pattern="/styles/**" filters="none" />
    <intercept-url pattern="/csmprobe.html*" filters="none" />
    <intercept-url pattern="/login.htm*" access="ROLE_ANONYMOUS" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <form-login login-page="/login.htm"
        always-use-default-target="true"
        default-target-url="/siteSelection.htm"
        authentication-failure-url="/login.htm?login_error=1" />
    <logout />
</http>

<ldap-server
    url="${ldap.url}/${ldap.base}"
    manager-dn="${ldap.managerDn}"
    manager-password="${ldap.managerPassword}" />

<authentication-manager alias="authenticationManager">
    <ldap-authentication-provider user-search-filter="(uid={0})"
        user-search-base="${ldap.userSearchBase}"
        group-search-base="${ldap.groups}" />
</authentication-manager>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
        </beans:list>
    </beans:property>
</beans:bean>

Users with no authorities have access to all pages (IS_AUTHENTICATED_FULLY) according to the filter configuration but defaultWebInvocationPrivilegeEvaluator.isAllowed(...) says the opposite. The implementation has this check:

    if (authentication == null || authentication.getAuthorities().isEmpty()) {
        return false;
    }

authentication.getAuthorities().isEmpty() should be removed to allow the decision voters to do their work.

@spring-issuemaster

Ferdinand Marques Nunes said:

My workaround consists of implementing UserDetailsContextMapper and adding a default role (any dummy value prefixed with 'ROLE_') to the authorities collection.
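The following is an added example, not code from the reporter or from the Spring Security project. It shows the two halves of the report together: a mapper of the kind the workaround describes, which wraps the stock LdapUserDetailsMapper and injects a placeholder role only when LDAP yields no authorities, and a small main() that runs the reporter's AffirmativeBased/AuthenticatedVoter/RoleVoter setup against an Authentication with empty authorities so the discrepancy with the evaluator's guard is visible. It assumes the Spring Security 3.0.x API (GrantedAuthorityImpl, setDecisionVoters(List), Collection<GrantedAuthority> in mapUserFromContext); the class name, the ROLE_USER placeholder and the sample username are assumptions for the illustration, and the evaluator's guard is reproduced as the one-line check quoted in the report rather than by wiring up a FilterSecurityInterceptor.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;
import org.springframework.security.ldap.userdetails.UserDetailsContextMapper;

/**
 * Workaround mapper (assumed name): delegates to LdapUserDetailsMapper and adds a
 * placeholder ROLE_ authority only when the LDAP group lookup returned nothing,
 * so the resulting Authentication never has an empty authorities collection.
 */
public class DefaultRoleUserDetailsContextMapper implements UserDetailsContextMapper {

    private final UserDetailsContextMapper delegate = new LdapUserDetailsMapper();
    private final GrantedAuthority defaultRole;

    public DefaultRoleUserDetailsContextMapper(String defaultRole) {
        // RoleVoter only votes on attributes with the ROLE_ prefix, so enforce it here.
        if (defaultRole == null || !defaultRole.startsWith("ROLE_")) {
            throw new IllegalArgumentException("default role must start with ROLE_");
        }
        this.defaultRole = new GrantedAuthorityImpl(defaultRole);
    }

    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<GrantedAuthority> authorities) {
        Collection<GrantedAuthority> effective = authorities;
        if (authorities == null || authorities.isEmpty()) {
            effective = Collections.singletonList(defaultRole);
        }
        return delegate.mapUserFromContext(ctx, username, effective);
    }

    public void mapUserToContext(UserDetails user, DirContextAdapter ctx) {
        // Read-only use case; the stock mapper does not support writing back either.
        delegate.mapUserToContext(user, ctx);
    }

    /** Reproduces the reporter's decision-manager setup on an empty-authority token. */
    public static void main(String[] args) {
        AffirmativeBased adm = new AffirmativeBased();
        List<AccessDecisionVoter> voters = new ArrayList<AccessDecisionVoter>();
        voters.add(new AuthenticatedVoter());
        voters.add(new RoleVoter());
        adm.setDecisionVoters(voters);

        // Constructed sample: a fully authenticated user whose LDAP lookup found no groups.
        Authentication noRoles = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", Collections.<GrantedAuthority>emptyList());

        // /** is IS_AUTHENTICATED_FULLY: AuthenticatedVoter grants, RoleVoter abstains,
        // so the filter chain lets this user through and decide() does not throw.
        adm.decide(noRoles, "/siteSelection.htm", SecurityConfig.createList("IS_AUTHENTICATED_FULLY"));
        System.out.println("filter chain: /siteSelection.htm granted");

        // /login.htm* is ROLE_ANONYMOUS: RoleVoter denies because no authority matches.
        try {
            adm.decide(noRoles, "/login.htm", SecurityConfig.createList("ROLE_ANONYMOUS"));
            System.out.println("filter chain: /login.htm granted");
        } catch (AccessDeniedException expected) {
            System.out.println("filter chain: /login.htm denied");
        }

        // The guard quoted in the report short-circuits before any voter runs:
        // with empty authorities isAllowed(...) returns false for every URL,
        // contradicting the grant on /siteSelection.htm above.
        boolean evaluatorShortCircuits = noRoles.getAuthorities().isEmpty();
        System.out.println("evaluator guard returns false: " + evaluatorShortCircuits);

        // With the placeholder role in place the guard no longer trips.
        Authentication withDefault = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", Collections.<GrantedAuthority>singletonList(new GrantedAuthorityImpl("ROLE_USER")));
        System.out.println("evaluator guard returns false: " + withDefault.getAuthorities().isEmpty());
    }
}
```

To apply the workaround in the reporter's configuration, declare the mapper as a bean and reference it from the provider with the namespace attribute for that purpose, for example `<ldap-authentication-provider user-context-mapper-ref="userContextMapper" ... />` (bean id assumed). The placeholder role should be one that no `<intercept-url>` or method-security rule ever names, so it only serves to keep the collection non-empty.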

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016