SEC-2020: Using http@authentication-manager-ref prevents authentication-manager@erase-credential from working #2245

Closed
spring-issuemaster opened this Issue Jul 30, 2012 · 1 comment

2 participants

@spring-issuemaster

pascal gehl (Migrated from SEC-2020) said:

In

<sec:http realm="sample-realm" authentication-manager-ref="sampleAuthenticationManager"
      pattern="/sample">
      <sec:intercept-url pattern="/sample/*" access="ROLE_ADMIN" />
      <sec:http-basic />
</sec:http>

<sec:authentication-manager id="sampleAuthenticationManager" erase-credentials="false">
    <sec:authentication-provider ref="sampleAuthenticationProvider" />
</sec:authentication-manager>

HttpSecurityBeanDefinitionParser wraps "sampleAuthenticationManager" inside a new instance but forgets to pass the value associated with "erase-credentials".

private BeanReference createAuthenticationManager(Element element, ParserContext pc,
        ManagedList<BeanReference> authenticationProviders) {
    String parentMgrRef = element.getAttribute(ATT_AUTHENTICATION_MANAGER_REF);
    // A fresh ProviderManager is built for the <http> element...
    BeanDefinitionBuilder authManager = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class);
    authManager.addConstructorArgValue(authenticationProviders);

    if (StringUtils.hasText(parentMgrRef)) {
        // ...with the referenced manager only as its parent; its erase-credentials
        // setting is never copied onto the new instance.
        authManager.addConstructorArgValue(new RuntimeBeanReference(parentMgrRef));
[...]

Credentials always get erased even with erase-credentials="false" in the parent.
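The behaviour reported above, reproduced as an added example that is not code from the Spring Security project or from the reporter. It builds with plain Java the same two ProviderManager instances the XML namespace produces (a parent with eraseCredentials set to false and a wrapper that only references it as parent), shows the wrapper erasing the credentials anyway, and then copies the parent's flag onto the wrapper, which is the value the parser does not carry over. The sample provider, the user alice/secret, and the helper names are assumptions made for the illustration; the ProviderManager constructors and setters are those of Spring Security 3.1.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Added illustration of SEC-2020 (not Spring Security project code): the wrapper
 * ProviderManager created for <http authentication-manager-ref="..."> keeps the
 * default eraseCredentialsAfterAuthentication=true regardless of the parent.
 */
public class EraseCredentialsDemo {

    /** Constructed sample provider: accepts any user whose password is "secret". */
    static final AuthenticationProvider SAMPLE_PROVIDER = new AuthenticationProvider() {
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            if (!"secret".equals(auth.getCredentials())) {
                throw new BadCredentialsException("bad password");
            }
            return new UsernamePasswordAuthenticationToken(auth.getName(), auth.getCredentials(),
                    AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        }

        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    };

    /** Equivalent of <sec:authentication-manager erase-credentials="false">. */
    static ProviderManager parentManager() {
        ProviderManager parent = new ProviderManager(Collections.singletonList(SAMPLE_PROVIDER));
        parent.setEraseCredentialsAfterAuthentication(false);
        return parent;
    }

    /** What the parser builds for authentication-manager-ref: parent attached, flag untouched. */
    static ProviderManager wrappedBeforeFix(ProviderManager parent) {
        List<AuthenticationProvider> httpProviders = Collections.emptyList();
        return new ProviderManager(httpProviders, parent); // erase flag stays at its default (true)
    }

    /** Same wrapper with the parent's setting carried over (assumed shape of the fix). */
    static ProviderManager wrappedAfterFix(ProviderManager parent) {
        ProviderManager child = wrappedBeforeFix(parent);
        child.setEraseCredentialsAfterAuthentication(parent.isEraseCredentialsAfterAuthentication());
        return child;
    }

    /** Returns the credentials left on the result; null means the manager erased them. */
    static Object credentialsAfter(ProviderManager manager) {
        Authentication result = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "secret"));
        return result.getCredentials();
    }

    public static void main(String[] args) {
        ProviderManager parent = parentManager();
        System.out.println("parent alone    : " + credentialsAfter(parent));            // secret
        System.out.println("wrapped, before : " + credentialsAfter(wrappedBeforeFix(parent))); // null
        System.out.println("wrapped, after  : " + credentialsAfter(wrappedAfterFix(parent)));  // secret
    }
}
```

The wrapper has no provider of its own that supports the token, so ProviderManager.authenticate falls through to the parent, takes the parent's result, and then applies its own eraseCredentialsAfterAuthentication flag to that result before returning it. That is why the parent's erase-credentials="false" has no visible effect until the flag is copied onto the wrapper.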

@spring-issuemaster

Rob Winch said:

Thank you for your contribution by submitting this issue with such a good description of the problem. I have pushed a fix to master.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016