
Spring Security PreAuthentication checkForPrincipalChanges bug?

Developer https://www.devze.com 2023-02-10 22:29 Source: Internet

Is this a bug in Spring Security?

org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter line:134

...
Object principal = getPreAuthenticatedPrincipal(request);
    if (checkForPrincipalChanges &&
        !currentUser.getName().equals(principal)) {
        logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
...

Shouldn't it consider a null preAuthenticatedPrincipal to be a non change?

I shouldn't have to send the preAuthenticatedPrincipal with every request should I?

Shouldn't there be a check to see if this value is null?

Shouldn't this be

Object principal = getPreAuthenticatedPrincipal(request);
    if (checkForPrincipalChanges && 
        principal!=null &&
        !currentUser.getName().equals(principal)) {
        logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");

Notice addition of principal!=null &&

This was found in spring-security-web-3.0.2.RELEASE.jar

If this is indeed a bug then I think I am working around it by adding the following override to my implementation:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    if (getPreAuthenticatedPrincipal((HttpServletRequest) request) != null) {
        super.doFilter(request, response, chain);
    } else {
        // If the request did not include a preauthenticated principal then we should just continue on our merry way down the filter chain
        chain.doFilter(request, response);
    }
}

Let me know if I am wrong about this being a bug and whether I missed anything in my workaround.


This is not a bug for the following reasons.

  • doAuthenticate() method returns without an error if preauthenticated principal is null.

  • In requiresAuthentication() method, you can turn on or off checkForPrincipalChanges

  • The following check happens only if currentUser is not null.

    if (checkForPrincipalChanges && !currentUser.getName().equals(principal)) {

This check should happen as it is, since there is indeed a change in principal - from a non-null currentUser to a null principal now.
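
The two conditions discussed in this thread, replayed over a constructed request sequence. This is an added example, not part of the original posts and not Spring Security source; the class, method and user names are hypothetical, and the model assumes checkForPrincipalChanges is enabled.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration: a plain-Java model, not Spring Security source.
// Class, method and user names are hypothetical.
public class PrincipalChangeModel {

    // Principal comparison from the condition quoted in the question.
    static boolean shippedCheck(String currentUser, String principal) {
        return !currentUser.equals(principal); // a null principal counts as a change
    }

    // Comparison proposed in the question: a null principal is never a change.
    static boolean proposedCheck(String currentUser, String principal) {
        return principal != null && !currentUser.equals(principal);
    }

    // Replays requests with checkForPrincipalChanges enabled; one decision per request.
    static List<String> replay(List<String> principals, boolean useProposed) {
        List<String> decisions = new ArrayList<>();
        String currentUser = null; // nobody authenticated yet
        for (String principal : principals) {
            boolean changed = currentUser != null && (useProposed
                    ? proposedCheck(currentUser, principal)
                    : shippedCheck(currentUser, principal));
            if (currentUser != null && !changed) {
                decisions.add("keep " + currentUser);
            } else if (principal == null) {
                // Per the answer, doAuthenticate() returns without an error here.
                // Assumption: the model leaves any existing authentication untouched.
                decisions.add(changed ? "change flagged, no principal to authenticate"
                                      : "no principal to authenticate");
            } else {
                currentUser = principal;
                decisions.add("authenticate " + principal);
            }
        }
        return decisions;
    }

    public static void main(String[] args) {
        // Constructed sequence: principal sent, principal missing, different principal.
        List<String> requests = Arrays.asList("alice", null, "bob");
        System.out.println("shipped : " + replay(requests, false));
        System.out.println("proposed: " + replay(requests, true));
    }
}
```

The two replays differ only on the request that carries no principal, which is the case the question and the answer disagree about.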
