WSS4J SpringDigestPasswordValidationCallbackHandler uses WSUsernameTokenPrincipal instead of UserDetails for creating authentication token? [SWS-693] #787

Closed
gregturn opened this issue Feb 14, 2011 · 3 comments
@gregturn gregturn commented Feb 14, 2011

Gianni Ferrero opened SWS-693 and commented

I'm using SpringDigestPasswordValidationCallbackHandler for WSS4J Authentication.
The Handler correctly stores a UsernamePasswordAuthenticationToken in the SecurityContext when the user is correctly authenticated. The problem is that this Token does not contain a reference to my custom UserDetails (as the Principal) but references the original WSUsernameTokenPrincipal read from the Callback.

This is the code that handles SecurityContextHolder:

protected void handleUsernameTokenPrincipal(UsernameTokenPrincipalCallback callback)
        throws IOException, UnsupportedCallbackException {
    UserDetails user = loadUserDetails(callback.getPrincipal().getName());
    WSUsernameTokenPrincipal principal = callback.getPrincipal();
    UsernamePasswordAuthenticationToken authRequest =
            new UsernamePasswordAuthenticationToken(principal, principal.getPassword(), user.getAuthorities());
    if (logger.isDebugEnabled()) {
        logger.debug("Authentication success: " + authRequest.toString());
    }
    SecurityContextHolder.getContext().setAuthentication(authRequest);
}

I think that the Token should reference the UserDetails object as follows:

UsernamePasswordAuthenticationToken authRequest =
        new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());

so that the SecurityContext contains my custom implementation of the UserDetails object...

Is this the intended behaviour?


Affects: 1.5.9

@gregturn gregturn commented Mar 28, 2011

Arjen Poutsma commented

Added formatting

@gregturn gregturn commented Mar 28, 2011

Tareq Abedrabbo commented

Hi,

Thanks for spotting this. I think you're right, SpringDigestPasswordValidationCallbackHandler should pass the UserDetails instance that it loads instead of creating a WSUsernameTokenPrincipal. However, I prefer not to include the fix in a minor version since, as you understand, it has the potential to cause a ClassCastException for users who are currently relying on the fact that the principal is a WSUsernameTokenPrincipal. For this reason, I'm rescheduling this to 2.1.
Once the fix is applied I would very much appreciate getting your feedback before doing a release.
Thanks,
Tareq
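
An added example (not code from the issue, from Spring WS or from WSS4J): a handler that applies the change proposed in the report, plus a lookup helper that accepts both principal types so that calling code written against the 1.5.x behaviour does not hit the ClassCastException described above. The import locations assume Spring Security 3.x, Spring WS 2.x and WSS4J 1.x; the class and method names are hypothetical.

```java
import java.io.IOException;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.ws.soap.security.wss4j.callback.UsernameTokenPrincipalCallback;

/** Hypothetical handler showing the fix proposed in the issue. */
public class UserDetailsPrincipalHandler {

    private final UserDetailsService userDetailsService;

    public UserDetailsPrincipalHandler(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // Proposed behaviour: the loaded UserDetails becomes the principal, so
    // SecurityContextHolder.getContext().getAuthentication().getPrincipal()
    // yields the application's own UserDetails implementation.
    protected void handleUsernameTokenPrincipal(UsernameTokenPrincipalCallback callback)
            throws IOException, UnsupportedCallbackException {
        WSUsernameTokenPrincipal wsPrincipal = callback.getPrincipal();
        UserDetails user = userDetailsService.loadUserByUsername(wsPrincipal.getName());
        // Credentials stay the password material from the token, as in the original handler.
        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                user, wsPrincipal.getPassword(), user.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

    // Migration-safe consumer: works whether the principal is the 1.5.x
    // WSUsernameTokenPrincipal or the proposed UserDetails, instead of a blind cast.
    public static UserDetails currentUser(UserDetailsService userDetailsService) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return null; // nothing authenticated on this thread
        }
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {
            return (UserDetails) principal;
        }
        if (principal instanceof WSUsernameTokenPrincipal) {
            return userDetailsService.loadUserByUsername(((WSUsernameTokenPrincipal) principal).getName());
        }
        throw new IllegalStateException("Unexpected principal type: " + principal.getClass().getName());
    }
}
```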

@gregturn gregturn commented Mar 20, 2014

Arjen Poutsma commented

The SpringDigestPasswordValidationCallbackHandler has been removed in favor of the SpringSecurityPasswordValidationCallbackHandler in version 2.1.
