Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Browse Source

SEC-610: Reauthenticate even if AnonymousAuthenticationToken is present.

Ben Alex 17 năm trước cách đây
mục cha
e2db910b06
commit
08db4a1358
1 tập tin đã thay đổi với 17 bổ sung5 xóa
Split View Hiển thị tình trạng sai khác
  1. 17 5
      core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java

+ 17 - 5
core/src/main/java/org/springframework/security/ui/basicauth/BasicProcessingFilter.java
Xem Tập Tin 

@@ -22,21 +22,22 @@ import javax.servlet.ServletException;
 
 import javax.servlet.http.HttpServletRequest;
 
 import javax.servlet.http.HttpServletResponse;
 
 
+import org.apache.commons.codec.binary.Base64;
 
+import org.apache.commons.logging.Log;
 
+import org.apache.commons.logging.LogFactory;
 
+import org.springframework.beans.factory.InitializingBean;
 
 import org.springframework.security.Authentication;
 
 import org.springframework.security.AuthenticationException;
 
 import org.springframework.security.AuthenticationManager;
 
 import org.springframework.security.context.SecurityContextHolder;
 
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
 
+import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
 
 import org.springframework.security.ui.AuthenticationDetailsSource;
 
 import org.springframework.security.ui.AuthenticationDetailsSourceImpl;
 
 import org.springframework.security.ui.AuthenticationEntryPoint;
 
-import org.springframework.security.ui.SpringSecurityFilter;
 
 import org.springframework.security.ui.FilterChainOrderUtils;
 
+import org.springframework.security.ui.SpringSecurityFilter;
 
 import org.springframework.security.ui.rememberme.RememberMeServices;
 
-import org.apache.commons.codec.binary.Base64;
 
-import org.apache.commons.logging.Log;
 
-import org.apache.commons.logging.LogFactory;
 
-import org.springframework.beans.factory.InitializingBean;
 
 import org.springframework.util.Assert;
 
 
 
@@ -174,6 +175,17 @@ public class BasicProcessingFilter extends SpringSecurityFilter implements Initi
 
             return true;
 
         }
 
 
+        // Handle unusual condition where an AnonymousAuthenticationToken is already present
 
+        // This shouldn't happen very often, as BasicProcessingFitler is meant to be earlier in the filter
 
+        // chain than AnonymousProcessingFilter. Nevertheless, presence of both an AnonymousAuthenticationToken
 
+        // together with a BASIC authentication request header should indicate reauthentication using the
 
+        // BASIC protocol is desirable. This behaviour is also consistent with that provided by form and digest,
 
+        // both of which force re-authentication if the respective header is detected (and in doing so replace
 
+        // any existing AnonymousAuthenticationToken). See SEC-610.
 
+        if (existingAuth instanceof AnonymousAuthenticationToken) {
 
+        	return true;
 
+        }
 
+
 
         return false;
 
     }