Luke Taylor (Migrated from SEC-1744) said:
When used with remoting, JaasAuthenticationProvider is vulnerable to abuse using the techniques in SEC-1741. In particular, it reads the authorities from the supplied request.
Even if the client is prevented from submitting an authentication object (fix for SEC-1741), I see no reason why this behaviour is necessary.
Luke Taylor said:
Existing authorities are no longer included in the resulting token.
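To make the weakness and the fix concrete, the following is an added, self-contained illustration in plain Java; it is not Spring Security's code and not Luke Taylor's patch. The class names (AuthRequest, AuthResult, AuthorityGranter, VulnerableProvider, FixedProvider) and the role strings are assumptions constructed for the example. It models a provider that receives an authentication request which, when exposed over remoting, is entirely client-supplied: the vulnerable version copies the authorities carried by that request into the resulting token, while the fixed version derives authorities only from the server-side granter, as the resolution above describes.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Constructed model of an authentication request. When such an object arrives
// over a remoting endpoint, every field, including "authorities", is chosen by
// the remote client and must be treated as untrusted.
final class AuthRequest {
    final String principal;
    final String credentials;
    final Set<String> authorities;

    AuthRequest(String principal, String credentials, Set<String> authorities) {
        this.principal = principal;
        this.credentials = credentials;
        this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(authorities));
    }
}

// Constructed model of the authenticated token the provider hands back.
final class AuthResult {
    final String principal;
    final Set<String> authorities;

    AuthResult(String principal, Set<String> authorities) {
        this.principal = principal;
        this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(authorities));
    }
}

// Server-side source of authorities, e.g. roles looked up from a directory
// after a successful login. Hypothetical interface for this example.
interface AuthorityGranter {
    Set<String> grant(String principal);
}

// Stand-in for the credential check (a JAAS LoginContext in the real provider).
final class Credentials {
    static boolean valid(AuthRequest req) {
        return "alice".equals(req.principal) && "s3cret".equals(req.credentials);
    }
}

// The pattern reported in the issue: authorities present on the incoming
// request are merged into the result, so a client that can submit its own
// request object can also submit its own roles.
final class VulnerableProvider {
    private final AuthorityGranter granter;
    VulnerableProvider(AuthorityGranter granter) { this.granter = granter; }

    AuthResult authenticate(AuthRequest req) {
        if (!Credentials.valid(req)) throw new SecurityException("bad credentials");
        Set<String> authorities = new LinkedHashSet<>(req.authorities); // trusts client input
        authorities.addAll(granter.grant(req.principal));
        return new AuthResult(req.principal, authorities);
    }
}

// The fixed pattern: the request's authorities are ignored entirely and the
// result carries only what the server-side granter returns.
final class FixedProvider {
    private final AuthorityGranter granter;
    FixedProvider(AuthorityGranter granter) { this.granter = granter; }

    AuthResult authenticate(AuthRequest req) {
        if (!Credentials.valid(req)) throw new SecurityException("bad credentials");
        Set<String> authorities = new LinkedHashSet<>(granter.grant(req.principal));
        return new AuthResult(req.principal, authorities);
    }
}

public class AuthoritiesFromRequestDemo {
    public static void main(String[] args) {
        // Constructed granter: the directory says alice is only a plain user.
        AuthorityGranter granter = p -> Collections.singleton("ROLE_USER");

        // Constructed request: valid credentials, but the client has attached
        // an authority the server never granted.
        Set<String> claimed = new LinkedHashSet<>();
        claimed.add("ROLE_ADMIN");
        AuthRequest request = new AuthRequest("alice", "s3cret", claimed);

        AuthResult before = new VulnerableProvider(granter).authenticate(request);
        AuthResult after = new FixedProvider(granter).authenticate(request);

        System.out.println("vulnerable: " + before.authorities); // contains ROLE_ADMIN
        System.out.println("fixed:      " + after.authorities);  // only ROLE_USER

        if (before.authorities.contains("ROLE_ADMIN") && !after.authorities.contains("ROLE_ADMIN")) {
            System.out.println("request-supplied authority was dropped by the fixed provider");
        }
    }
}
```

Compile and run with `javac AuthoritiesFromRequestDemo.java && java AuthoritiesFromRequestDemo`. The point for a reviewer of similar providers is the ownership of the authorities list: anything that reaches the provider inside the request object is client data, so the resulting token should be built only from what the server establishes after the credential check, regardless of whether the transport is expected to let clients construct request objects.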