SEC-1741: ContextPropagatingRemoteInvocation should not be able to pass a SecurityContext object #1978

spring-projects-issues opened this issue May 12, 2011 · 2 comments


@spring-projects-issues spring-projects-issues commented May 12, 2011

Luke Taylor (Migrated from SEC-1741) said:

Various potential attacks have been reported which rely on the deserialization of the SecurityContext/Authentication combination used by this class.

Realistically, a remote client should be limited to providing simple user/credentials information which is not automatically deserialized into instances of framework classes. The Authentication object should only be created in the server VM.

@spring-projects-issues spring-projects-issues commented Aug 19, 2011

Luke Taylor said:

Remote invocation is now only possible using String values for principal and credentials.

@spring-projects-issues spring-projects-issues commented Feb 14, 2012

Vamsee Koneru said:

This breaks authentication using security:authentication-manager. ProviderManager erases credentials after authentication, causing a NullPointerException in ContextPropagatingRemoteInvocation, line 69, when getting credentials as a String:

67: if (currentUser != null) {
68: principal = currentUser.getName();
69: credentials = currentUser.getCredentials().toString();
70: }

Is this a known issue?
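The thread above describes two things: the design change (only String principal and credentials cross the wire, and the Authentication object is built in the server VM) and the NullPointerException that the change triggers when ProviderManager has already erased the credentials. The class below is an added illustration written for this page; it is not ContextPropagatingRemoteInvocation or any other code from Spring Security. It assumes spring-security-core on the classpath and uses only its public API (SecurityContextHolder, Authentication, UsernamePasswordAuthenticationToken, AuthenticationManager); the class name StringOnlyRemoteCall and its methods are invented for the example.

```java
import java.io.Serializable;
import java.util.function.Supplier;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Illustrative envelope (not Spring Security's own class): the only
 * authentication data that is serialized is two Strings. No SecurityContext,
 * Authentication or GrantedAuthority instance is ever written to the stream,
 * so deserialization on the server cannot instantiate framework classes
 * from bytes a remote client controls.
 */
public final class StringOnlyRemoteCall implements Serializable {
    private static final long serialVersionUID = 1L;

    private final String principal;   // null means an anonymous call
    private final String credentials; // null when the client no longer has them

    private StringOnlyRemoteCall(String principal, String credentials) {
        this.principal = principal;
        this.credentials = credentials;
    }

    /** Client side: capture the current user as plain Strings only. */
    public static StringOnlyRemoteCall fromCurrentContext() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null) {
            return new StringOnlyRemoteCall(null, null);
        }
        // ProviderManager erases credentials after a successful login, so
        // getCredentials() can legitimately be null here. Guard it instead of
        // calling toString() on it, which is the NPE reported in this thread.
        Object rawCredentials = current.getCredentials();
        String credentials = rawCredentials == null ? null : rawCredentials.toString();
        return new StringOnlyRemoteCall(current.getName(), credentials);
    }

    /**
     * Server side: rebuild an *unauthenticated* token from the two Strings and
     * let the server's own AuthenticationManager decide whether to trust it.
     * The two-argument constructor yields isAuthenticated() == false, so the
     * client cannot pre-mark itself as authenticated.
     */
    public <T> T invokeAsCaller(AuthenticationManager authenticationManager,
                                Supplier<T> targetCall) {
        if (principal != null) {
            UsernamePasswordAuthenticationToken request =
                    new UsernamePasswordAuthenticationToken(principal, credentials);
            // Throws AuthenticationException on failure; the remoting layer
            // decides whether to reject the call or continue anonymously.
            Authentication result = authenticationManager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
        }
        try {
            return targetCall.get();
        } finally {
            // Never let a caller's context leak into the next request on
            // the same server thread.
            SecurityContextHolder.clearContext();
        }
    }

    public String getPrincipal() {
        return principal;
    }

    public String getCredentials() {
        return credentials;
    }
}
```

Two caveats follow from the null guard. First, it only avoids the exception: if the client's ProviderManager has erased the password, the envelope carries a null credential and a password-based provider on the server will reject the call, so a client that propagates credentials this way needs `eraseCredentialsAfterAuthentication` set to false on its ProviderManager (the `erase-credentials` attribute of the namespace `authentication-manager` element), which in turn means the cleartext credential stays resident in the client's SecurityContext. Second, the server must still treat the two Strings as untrusted input: the point of the design change is that the server constructs and verifies the Authentication itself, never accepting one from the stream.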
