Spring Security / SEC-1078

WebSphere2SpringSecurityPropagationInterceptor creates an auth token with null credentials - rejected by pre-auth provider

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      WebSphere2SpringSecurityPropagationInterceptor creates a PreAuthenticatedAuthenticationToken request with the WAS username and null credentials (line 55 in WebSphere2SpringSecurityPropagationInterceptor).

      Such an auth request will be rejected by the corresponding provider (PreAuthenticatedAuthenticationProvider, lines 73-80).

      I suggest changing the interceptor to follow what's in the WebSpherePreAuthenticatedProcessingFilter: the filter returns "N/A" as the credentials, which is ok, since the pre-auth provider does not check credential values.

      Also, in order to unit test WAS stuff in the org.springframework.security.ui.preauth.websphere package, the WASSecurityHelper should be refactored into a non-static class - at least this would have prevented this bug. You will find attached a proposal for such a refactoring.

      Attachments

      1. WASSecurityHelper.java
        11 kB
        Gaetan Pitteloud
      2. WASSecurityHelper.java
        11 kB
        Gaetan Pitteloud
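The scenario the report describes can be pinned down with a small unit test: a PreAuthenticatedAuthenticationToken built with null credentials is rejected by PreAuthenticatedAuthenticationProvider, while the same token built with the "N/A" placeholder is accepted, because the provider only checks that credentials are present, not what they contain. This is an added example, not the test attached to this issue or any code from the Spring Security project. It assumes Spring Security 3.1+ package names (the generic AuthenticationUserDetailsService) and JUnit 4; the principal "wasuser" and the ROLE_USER authority are constructed sample values.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class NullCredentialsPreAuthTest {

    // Builds a provider whose user lookup is a constructed stand-in: it trusts the
    // pre-authenticated principal name and assigns a fixed ROLE_USER authority.
    private static PreAuthenticatedAuthenticationProvider newProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
            new AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>() {
                @Override
                public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
                    return new User(token.getName(), "N/A",
                        AuthorityUtils.createAuthorityList("ROLE_USER"));
                }
            });
        // By default the provider silently returns null for a rejected token;
        // make the rejection visible so the test can assert on it.
        provider.setThrowExceptionWhenTokenRejected(true);
        return provider;
    }

    // The interceptor's original behaviour: a WAS username with null credentials.
    @Test(expected = BadCredentialsException.class)
    public void nullCredentialsAreRejected() {
        Authentication request = new PreAuthenticatedAuthenticationToken("wasuser", null);
        newProvider().authenticate(request);
    }

    // The behaviour of WebSpherePreAuthenticatedProcessingFilter: "N/A" as a placeholder.
    @Test
    public void placeholderCredentialsAreAccepted() {
        Authentication request = new PreAuthenticatedAuthenticationToken("wasuser", "N/A");
        Authentication result = newProvider().authenticate(request);
        assertTrue(result.isAuthenticated());
        assertEquals("wasuser", result.getName());
        assertTrue(result.getAuthorities().containsAll(
            AuthorityUtils.createAuthorityList("ROLE_USER")));
    }
}
```

The first test fails against an interceptor that passes null credentials and passes once the interceptor supplies a non-null placeholder, which is exactly the change the report asks for.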

        Activity

        Gaetan Pitteloud added a comment -

        Oops, I found a typo in the Java file. Please look for the 2nd version.

        Gaetan Pitteloud added a comment -

        Typo fix: method GroupsForCurrentUser() renamed to getGroupsForCurrentUser().

        Luke Taylor added a comment -

        Thanks a lot for the patch. Rather than retaining WASSecurityHelper as a static class, I've reimplemented it completely as an internally used interface, with a default implementation which does the WAS integration (similar to the approach you had within the static class). I've also added a test for the scenario you describe.

        I haven't tested this (and the related refactoring) in WebSphere, so let me know if there are any issues.

          People

          • Assignee: Luke Taylor
          • Reporter: Gaetan Pitteloud
          • Votes: 0
          • Watchers: 0
