
SEC-1744: JaasAuthenticationProvider should not include the authorities in the provided authentication request object #1980

spring-issuemaster opened this Issue May 12, 2011 · 1 comment


None yet
1 participant

Luke Taylor (Migrated from SEC-1744) said:

When used with remoting, JaasAuthenticationProvider is vulnerable to abuse using the techniques in SEC-1741. In particular, it reads the authorities from the supplied request.

Even if the client is prevented from submitting an authentication object (fix for SEC-1741), I see no reason why this behaviour is necessary.

Luke Taylor said:

Existing authorities are no longer included in the resulting token.
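To illustrate the pattern the issue describes and the fix, here is an added example (not Spring Security's own JaasAuthenticationProvider, and not code from the issue) of a custom AuthenticationProvider: one method reproduces the pre-fix behaviour of merging authorities taken from the client-supplied request object, while authenticate() builds the resulting token only from a server-side role lookup. The credential check, the rolesFor lookup and the user "alice" are stand-ins for the JAAS login and AuthorityGranter logic.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Illustrative provider; stand-in for the JAAS-backed one in the issue. */
public class ServerSideAuthorityProvider implements AuthenticationProvider {

    // Stand-in for the real credential check (a JAAS LoginContext in the original).
    private boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "s3cret".equals(password);
    }

    // Server-side source of truth for roles (assumed here; the real provider
    // derives them from the JAAS Subject through AuthorityGranters).
    private List<GrantedAuthority> rolesFor(String user) {
        List<GrantedAuthority> roles = new ArrayList<>();
        roles.add(new SimpleGrantedAuthority("ROLE_USER"));
        return roles;
    }

    /** Pre-fix pattern: authorities on the client-supplied request survive into the result. */
    public Authentication authenticateTrustingRequest(Authentication request) {
        String user = request.getName();
        if (!credentialsValid(user, String.valueOf(request.getCredentials()))) {
            throw new BadCredentialsException("Bad credentials");
        }
        List<GrantedAuthority> merged = new ArrayList<>(rolesFor(user));
        merged.addAll(request.getAuthorities()); // whatever the client sent is now granted
        return new UsernamePasswordAuthenticationToken(user, null, merged);
    }

    /** Fixed pattern: the resulting token carries only server-derived authorities. */
    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        String user = request.getName();
        if (!credentialsValid(user, String.valueOf(request.getCredentials()))) {
            throw new BadCredentialsException("Bad credentials");
        }
        return new UsernamePasswordAuthenticationToken(user, null, rolesFor(user));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

With the fixed method, a request token constructed by a remote client with extra GrantedAuthority values yields a result holding only ROLE_USER; the pre-fix method would have returned those extra values as granted.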

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
