SEC-1744: JaasAuthenticationProvider should not include the authorities in the provided authentication request object #1980

spring-issuemaster opened this Issue May 12, 2011 · 1 comment


None yet

1 participant


Luke Taylor (Migrated from SEC-1744) said:

When used with remoting, JaasAuthenticationProvider is vulnerable to abuse using the techniques in SEC-1741. In particular, it reads the authorities from the supplied request.

Even if the client is prevented from submitting an authentication object (fix for SEC-1741), I see no reason why this behaviour is necessary.


Luke Taylor said:

Existing authorities are no longer included ion the resulting token.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment