SEC-1741: ContextPropagatingRemoteInvocation should not be able to pass a SecurityContext object #1978

spring-issuemaster opened this Issue May 12, 2011 · 2 comments

Luke Taylor (Migrated from SEC-1741) said:

Various potential attacks have been reported which rely on the deserialization of the SecurityContext/Authentication combination used by this class.

Realistically, a remote client should be limited to providing simple user/credentials information which is not automatically deserialized into instances of framework classes. The Authentication object should only be created in the server VM.

Luke Taylor said:

Remote invocation is now only possible using String values for principal and credentials.

Vamsee Koneru said:

This breaks authentication using security:authentication-manager. ProviderManager erases credentials after authentication, causing a NullPointerException in ContextPropagatingRemoteInvocation, line 69, when getting credentials as a String:

67: if (currentUser != null) {
68: principal = currentUser.getName();
69: credentials = currentUser.getCredentials().toString(); // NPE: getCredentials() is null after ProviderManager erased it
70: }

Is this a known issue?
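The following is an added, self-contained Java model of the two points raised in this thread; it is not Spring Security's code. It shows the design Luke Taylor describes (only String principal and credentials cross the wire, and the server VM rebuilds an unauthenticated token and re-authenticates it itself, never deserializing a client-supplied Authentication) together with the null-safe credentials copy that avoids the NullPointerException Vamsee Koneru reports once ProviderManager has erased the credentials. The classes `Authentication`, `ContextPropagatingInvocation` and `AuthenticationManager` here are constructed stand-ins, not the framework types.

```java
import java.io.Serializable;

// Added example, not Spring Security's code: a minimal model of the behaviour
// discussed in this issue. Only Strings are serialized; the server never trusts
// a client-side "authenticated" flag; an erased credential becomes null, not an NPE.
public class RemoteInvocationExample {

    /** Constructed stand-in for the framework's Authentication object. */
    static final class Authentication {
        private final String name;
        private Object credentials;
        private final boolean authenticated;

        Authentication(String name, Object credentials, boolean authenticated) {
            this.name = name;
            this.credentials = credentials;
            this.authenticated = authenticated;
        }
        String getName() { return name; }
        Object getCredentials() { return credentials; }
        boolean isAuthenticated() { return authenticated; }
        /** Models ProviderManager erasing credentials after a successful authentication. */
        void eraseCredentials() { credentials = null; }
    }

    /** What actually crosses the wire: two Strings and nothing else. */
    static final class ContextPropagatingInvocation implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        final String credentials;

        ContextPropagatingInvocation(String principal, String credentials) {
            this.principal = principal;
            this.credentials = credentials;
        }

        /** The pre-fix copy from the snippet above: throws once credentials were erased. */
        static ContextPropagatingInvocation copyUnsafe(Authentication currentUser) {
            return new ContextPropagatingInvocation(currentUser.getName(),
                    currentUser.getCredentials().toString());
        }

        /** Null-safe copy: an erased credential is sent as null rather than crashing the client. */
        static ContextPropagatingInvocation copySafe(Authentication currentUser) {
            if (currentUser == null) {
                return new ContextPropagatingInvocation(null, null);
            }
            Object creds = currentUser.getCredentials();
            return new ContextPropagatingInvocation(currentUser.getName(),
                    creds == null ? null : creds.toString());
        }
    }

    /** Constructed stand-in for the server's AuthenticationManager. */
    interface AuthenticationManager {
        Authentication authenticate(Authentication request);
    }

    /** Server side: rebuild an UNauthenticated request from the Strings and let the manager decide. */
    static Authentication serverSideAuthenticate(ContextPropagatingInvocation inv, AuthenticationManager manager) {
        if (inv.principal == null) {
            return null; // no principal travelled: treat the call as anonymous
        }
        Authentication request = new Authentication(inv.principal, inv.credentials, false);
        return manager.authenticate(request);
    }

    public static void main(String[] args) {
        // Constructed manager: accepts exactly one user/password pair.
        AuthenticationManager manager = request -> {
            if ("alice".equals(request.getName()) && "s3cret".equals(request.getCredentials())) {
                return new Authentication(request.getName(), null, true);
            }
            throw new SecurityException("bad credentials for " + request.getName());
        };

        Authentication loggedIn = new Authentication("alice", "s3cret", true);
        ContextPropagatingInvocation ok = ContextPropagatingInvocation.copySafe(loggedIn);
        System.out.println("server re-authenticated: " + serverSideAuthenticate(ok, manager).isAuthenticated());

        loggedIn.eraseCredentials(); // what ProviderManager does after authentication
        try {
            ContextPropagatingInvocation.copyUnsafe(loggedIn);
        } catch (NullPointerException e) {
            System.out.println("pre-fix copy: NullPointerException, as reported in this issue");
        }
        ContextPropagatingInvocation erased = ContextPropagatingInvocation.copySafe(loggedIn);
        try {
            serverSideAuthenticate(erased, manager);
        } catch (SecurityException e) {
            System.out.println("null credentials rejected server-side: " + e.getMessage());
        }
    }
}
```

The null check only moves the failure to the right place: the client no longer crashes, but the server still cannot authenticate a request whose password is null. A client that needs to propagate credentials over a remote invocation therefore has to keep them in its local Authentication, which in Spring Security means turning off erasure on the client's ProviderManager (`setEraseCredentialsAfterAuthentication(false)`, or `erase-credentials="false"` on `security:authentication-manager`), accepting that the plaintext credential then stays resident in that VM.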

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016