
SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerRequestExecutor

Previously, anonymous authentication was submitted as credentials over the wire, which
caused the applications to attempt to authenticate the anonymous user.

Now if the user is anonymous (determined by the AuthenticationTrustResolver), the
AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
Rob Winch 13 年之前
当前提交
25248c7536

+ 8 - 1
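--- a/remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
+++ b/remoting/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
@@ -21,6 +21,8 @@ import java.net.HttpURLConnection;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -30,12 +32,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
  * Adds BASIC authentication support to <code>SimpleHttpInvokerRequestExecutor</code>.
  *
  * @author Ben Alex
+ * @author Rob Winch
  */
 public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
     //~ Static fields/initializers =====================================================================================
 
     private static final Log logger = LogFactory.getLog(AuthenticationSimpleHttpInvokerRequestExecutor.class);
 
+    //~ Instance fields ================================================================================================
+
+    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
     //~ Methods ========================================================================================================
 
     /**
@@ -65,7 +72,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpIn
 
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
 
-        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null)) {
+        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
             String base64 = auth.getName() + ":" + auth.getCredentials().toString();
             con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));
 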
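Review bot: The new `trustResolver` field in the second hunk is private, non-final and has no setter, so a deployment that uses a custom AuthenticationTrustResolver (for example one configured with a different anonymous token class) cannot make this executor agree with the rest of its security configuration; it will always fall back to AuthenticationTrustResolverImpl's defaults. Other Spring Security components that hold a trust resolver expose it for injection, so I would add `public void setTrustResolver(AuthenticationTrustResolver trustResolver) { this.trustResolver = trustResolver; }` with a null check in the same style the class already uses, and give the field a one-line Javadoc such as `/** Used to detect anonymous Authentication objects, which must never be sent as BASIC credentials. */`. The condition in the third hunk is correct as written, but it now silently skips the header for anonymous users; a `logger.debug(...)` on that branch would help operators understand why a remote call arrived unauthenticated. The method containing the third hunk starts and ends outside the hunk.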

+ 19 - 0
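--- a/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
+++ b/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
@@ -18,8 +18,10 @@ package org.springframework.security.remoting.httpinvoker;
 import junit.framework.TestCase;
 
 
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
@@ -37,6 +39,7 @@ import java.util.Map;
  * Tests {@link AuthenticationSimpleHttpInvokerRequestExecutor}.
  *
  * @author Ben Alex
+ * @author Rob Winch
  */
 public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCase {
 
@@ -77,6 +80,22 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCas
         assertNull(conn.getRequestProperty("Authorization"));
     }
 
+    // SEC-1975
+    public void testNullContextHolderWhenAnonymous() throws Exception {
+        AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken("key", "principal",
+                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+        SecurityContextHolder.getContext().setAuthentication(anonymous);
+
+        // Create a connection and ensure our executor sets its
+        // properties correctly
+        AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
+        HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+        executor.prepareConnection(conn, 10);
+
+        // Check connection properties (shouldn't be an Authorization header)
+        assertNull(conn.getRequestProperty("Authorization"));
+    }
+
     //~ Inner Classes ==================================================================================================
 
     private class MockHttpURLConnection extends HttpURLConnection {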
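Review bot: The new test in the third hunk stores an AnonymousAuthenticationToken in the shared SecurityContextHolder and never clears it, so unless a tearDown() outside this hunk calls `SecurityContextHolder.clearContext()` the anonymous token leaks into whichever test runs next on the same thread and can mask a regression there; I cannot see the rest of the class, so please confirm the cleanup exists or add it. The method name `testNullContextHolderWhenAnonymous` also misdescribes the scenario, since the context holder is populated rather than null; `testNoAuthorizationHeaderWhenAnonymous` states what is actually asserted. Finally, the `// SEC-1975` marker would read better as a sentence explaining the intent, e.g. `// SEC-1975: anonymous authentication must not be sent as BASIC credentials`. The MockHttpURLConnection inner class starts at the last line of the hunk and continues outside it.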