SEC-2738: authorities-by-username-query: The first field of the query is passed as paramater value

[spring-projects-issues]

Chris Korakidis (Migrated from SEC-2738) said:

with the following configuration:

users-by-username-query="select 22 as age, true as enabled, email as username, password from user where email=?"
authorities-by-username-query="select 22 as age, true as enabled, email as username, authority as role from user where email=?"/>

I'll get a 'Bad credentials' response and the db sql log will be

BST LOG:  execute <unnamed>: select 22 as age, true as enabled, email as username, password from consumer where email=$1
BST DETAIL:  parameters: $1 = 'user@mail.com'
BST LOG:  execute <unnamed>: select 22 as age, true as enabled, email as username, authority as role from consumer where email=$1
BST DETAIL:  parameters: $1 = '22'

While in the users-by-username-query case it passes the value of the email field in the parameter, in the case of the authorities-by-username-query it passes the value of the first field of the query in the parameter

[spring-projects-issues]

Rob Winch said:

Spring Security obtains the results for both the users-byusername-query and the authorities-by-username-query based upon the column index. This is also documented within the javadoc for both queries. In other words, this does not appear to be a bug.

If you still believe there is room for improvement, please suggest a change.

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[spring-projects-issues]

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.