Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerRequestExecutor

Previously anonymous authentication was submitted as credentials over the wire which
caused the applications to attempt to authenticate the anonymous user.

Now if the user is anonymous (determined by the AuthenticationTrustResolver), the
AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
Rob Winch 13 years ago
parent
1ab068a06d
commit
25248c7536
2 changed files with 27 additions and 1 deletions
Split View Show Diff Stats
  1. 8 1
      remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
  2. 19 0
      remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java

+ 8 - 1
remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
View File 

@@ -21,6 +21,8 @@ import java.net.HttpURLConnection;
 
 import org.apache.commons.logging.Log;
 
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
 
+import org.springframework.security.authentication.AuthenticationTrustResolver;
 
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 
 import org.springframework.security.core.Authentication;
 
 import org.springframework.security.crypto.codec.Base64;
 
 import org.springframework.security.core.context.SecurityContextHolder;
 
@@ -30,12 +32,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
 
  * Adds BASIC authentication support to <code>SimpleHttpInvokerRequestExecutor</code>.
 
  *
 
  * @author Ben Alex
 
+ * @author Rob Winch
 
  */
 
 public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
 
     //~ Static fields/initializers =====================================================================================
 
 
     private static final Log logger = LogFactory.getLog(AuthenticationSimpleHttpInvokerRequestExecutor.class);
 
 
+    //~ Instance fields ================================================================================================
 
+
 
+    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
+
 
     //~ Methods ========================================================================================================
 
 
     /**
 
@@ -65,7 +72,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpIn
 
 
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
 
 
-        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null)) {
 
+        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
 
             String base64 = auth.getName() + ":" + auth.getCredentials().toString();
 
             con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));

+ 19 - 0
remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
View File 

@@ -18,8 +18,10 @@ package org.springframework.security.remoting.httpinvoker;
 
 import junit.framework.TestCase;
 
 
 
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 
 import org.springframework.security.core.Authentication;
 
+import org.springframework.security.core.authority.AuthorityUtils;
 
 import org.springframework.security.core.context.SecurityContextHolder;
 
 
 import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
 
@@ -37,6 +39,7 @@ import java.util.Map;
 
  * Tests {@link AuthenticationSimpleHttpInvokerRequestExecutor}.
 
  *
 
  * @author Ben Alex
 
+ * @author Rob Winch
 
  */
 
 public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCase {
 
 
@@ -77,6 +80,22 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCas
 
         assertNull(conn.getRequestProperty("Authorization"));
 
     }
 
 
+    // SEC-1975
 
+    public void testNullContextHolderWhenAnonymous() throws Exception {
 
+        AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken("key", "principal",
 
+                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
 
+        SecurityContextHolder.getContext().setAuthentication(anonymous);
 
+
 
+        // Create a connection and ensure our executor sets its
 
+        // properties correctly
 
+        AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
 
+        HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
 
+        executor.prepareConnection(conn, 10);
 
+
 
+        // Check connection properties (shouldn't be an Authorization header)
 
+        assertNull(conn.getRequestProperty("Authorization"));
 
+    }
 
+
 
     //~ Inner Classes ==================================================================================================
 
 
     private class MockHttpURLConnection extends HttpURLConnection {