SEC-1741: ContextPropagatingRemoteInvocation should not be able to pass a SecurityContext object #1978

Closed
spring-issuemaster opened this Issue May 12, 2011 · 2 comments

1 participant

@spring-issuemaster

Luke Taylor (Migrated from SEC-1741) said:

Various potential attacks have been reported which rely on the deserialization of the SecurityContext/Authentication combination used by this class.

Realistically, a remote client should be limited to providing simple user/credentials information which is not automatically deserialized into instances of framework classes. The Authentication object should only be created in the server VM.

@spring-issuemaster

Luke Taylor said:

Remote invocation is now only possible using String values for principal and credentials.

@spring-issuemaster

Vamsee Koneru said:

This breaks authentication using security:authentication-manager. ProviderManager erases credentials after authentication, causing a NullPointerException in ContextPropagatingRemoteInvocation, line 69, when getting credentials as a String:

```java
67: if (currentUser != null) {
68:     principal = currentUser.getName();
69:     credentials = currentUser.getCredentials().toString();
70: }
```

Is this a known issue?
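The two points raised in this thread, that only plain String principal/credentials should cross the wire and that `getCredentials()` can legitimately be `null` once `ProviderManager` has erased it, can be combined in a null-safe carrier. The following is an added illustration, not Spring Security's own `ContextPropagatingRemoteInvocation` code; it assumes `spring-security-core` on the classpath and that the server hands the rebuilt token to its own `AuthenticationManager`. Sending `null` credentials instead of throwing is a design choice made here for the example: the server-side provider will then simply reject the call, which is the safe outcome when a client has nothing to present.

```java
import java.io.Serializable;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Example (not part of Spring Security): the only thing serialized for a remote
 * call is this pair of Strings. No Authentication or SecurityContext instance is
 * ever put on the wire, so the server never deserializes framework classes.
 */
public final class StringOnlyRemoteCredentials implements Serializable {

    private static final long serialVersionUID = 1L;

    private final String principal;   // null when no caller is authenticated
    private final String credentials; // null when the credentials were erased

    private StringOnlyRemoteCredentials(String principal, String credentials) {
        this.principal = principal;
        this.credentials = credentials;
    }

    /** Client side: snapshot the current Authentication as plain Strings, null-safe. */
    public static StringOnlyRemoteCredentials fromCurrentContext() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null) {
            return new StringOnlyRemoteCredentials(null, null);
        }
        // ProviderManager.eraseCredentialsAfterAuthentication (default true) nulls
        // this out, so guard before calling toString() to avoid the reported NPE.
        Object rawCredentials = current.getCredentials();
        String creds = (rawCredentials == null) ? null : rawCredentials.toString();
        return new StringOnlyRemoteCredentials(current.getName(), creds);
    }

    /**
     * Server side: build an *unauthenticated* token inside the server VM from the
     * Strings only. It must still pass through the server's AuthenticationManager;
     * nothing here trusts the client's claim.
     */
    public Authentication toUnauthenticatedToken() {
        if (principal == null) {
            return null; // anonymous remote call; let the server decide what that means
        }
        return new UsernamePasswordAuthenticationToken(principal, credentials);
    }

    public String getPrincipal() {
        return principal;
    }

    public String getCredentials() {
        return credentials;
    }

    /** Reproduces the erased-credentials scenario from the thread, without the NPE. */
    public static void main(String[] args) {
        // Constructed sample: an authenticated user whose credentials were erased
        // after authentication, exactly as ProviderManager does by default.
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                "alice", "s3cr3t", AuthorityUtils.createAuthorityList("ROLE_USER"));
        token.eraseCredentials(); // getCredentials() is now null
        SecurityContextHolder.getContext().setAuthentication(token);

        StringOnlyRemoteCredentials wire = StringOnlyRemoteCredentials.fromCurrentContext();
        System.out.println("principal on the wire  : " + wire.getPrincipal());   // alice
        System.out.println("credentials on the wire: " + wire.getCredentials()); // null

        Authentication rebuilt = wire.toUnauthenticatedToken();
        System.out.println("server-side token authenticated? " + rebuilt.isAuthenticated()); // false

        SecurityContextHolder.clearContext();
    }
}
```

The server-side token is deliberately created with the two-argument constructor, which marks it unauthenticated; the remote endpoint should pass it to its `AuthenticationManager` rather than placing it directly into the `SecurityContext`.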

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016