Spring Security / SEC-1384

DefaultWebInvocationPrivilegeEvaluator bypasses the accessDecisionManager when authorities are empty

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.0.2
    • Component/s: Web
    • Labels: None

      Description

      defaultWebInvocationPrivilegeEvaluator.isAllowed(...) always returns false when authorities are empty.

      Here is the simple security configuration used:

      <http access-decision-manager-ref="accessDecisionManager">
          <intercept-url pattern="/images/**" filters="none" />
          <intercept-url pattern="/scripts/**" filters="none" />
          <intercept-url pattern="/styles/**" filters="none" />
          <intercept-url pattern="/csmprobe.html*" filters="none" />
          <intercept-url pattern="/login.htm*" access="ROLE_ANONYMOUS" />
          <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
          <form-login login-page="/login.htm"
                      always-use-default-target="true"
                      default-target-url="/siteSelection.htm"
                      authentication-failure-url="/login.htm?login_error=1" />
          <logout />
      </http>

      <ldap-server url="${ldap.url}/${ldap.base}"
                   manager-dn="${ldap.managerDn}"
                   manager-password="${ldap.managerPassword}" />

      <authentication-manager alias="authenticationManager">
          <ldap-authentication-provider user-search-filter="(uid={0})"
                                        user-search-base="${ldap.userSearchBase}"
                                        group-search-base="${ldap.groups}" />
      </authentication-manager>

      <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
          <beans:property name="decisionVoters">
              <beans:list>
                  <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
                  <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
              </beans:list>
          </beans:property>
      </beans:bean>

      Users with no authorities have access to all pages (IS_AUTHENTICATED_FULLY) according to the filter configuration, but defaultWebInvocationPrivilegeEvaluator.isAllowed(...) says the opposite. The implementation has this check:

      if (authentication == null || authentication.getAuthorities().isEmpty()) {
          return false;
      }

      authentication.getAuthorities().isEmpty() should be removed to allow the decision voters to do their work.
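To make the report's point concrete, the following is an added, self-contained Java model of the decision flow it describes. It is illustrative code written for this page, not the reporter's code and not Spring Security's source: the voter, decision-manager and URL-rule classes are reduced stand-ins that borrow Spring's names (AuthenticatedVoter, RoleVoter, AffirmativeBased), the prefix rule table is a constructed simplification of the two access-bearing <intercept-url> patterns above, and both users are constructed samples. It runs the quoted isEmpty() short-circuit beside a variant that keeps only the null check, against a fully authenticated user who has no authorities, and also shows why the dummy-role workaround from the comment below satisfies the isEmpty() test.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Illustrative model for SEC-1384, written for this page. Class names mirror Spring
// Security's but these are reduced local models, not the framework's implementation.
public class PrivilegeEvaluatorModel {

    /** Stand-in for Authentication: fully authenticated or not, plus granted authority names. */
    static final class Authentication {
        final boolean fullyAuthenticated; final Set<String> authorities;
        Authentication(boolean f, Set<String> a) { fullyAuthenticated = f; authorities = a; }
    }

    enum Vote { GRANTED, DENIED, ABSTAIN }
    interface Voter { Vote vote(Authentication auth, Collection<String> attributes); }

    /** Model of AuthenticatedVoter, reduced to the one attribute this configuration uses. */
    static final class AuthenticatedVoter implements Voter {
        public Vote vote(Authentication auth, Collection<String> attributes) {
            Vote result = Vote.ABSTAIN;
            for (String attr : attributes) {
                if ("IS_AUTHENTICATED_FULLY".equals(attr)) {
                    if (auth.fullyAuthenticated) return Vote.GRANTED;
                    result = Vote.DENIED;
                }
            }
            return result;
        }
    }

    /** Model of RoleVoter: votes only on ROLE_-prefixed attributes, abstains otherwise. */
    static final class RoleVoter implements Voter {
        public Vote vote(Authentication auth, Collection<String> attributes) {
            Vote result = Vote.ABSTAIN;
            for (String attr : attributes) {
                if (attr.startsWith("ROLE_")) {
                    if (auth.authorities.contains(attr)) return Vote.GRANTED;
                    result = Vote.DENIED;
                }
            }
            return result;
        }
    }

    /** Model of AffirmativeBased: a single GRANTED vote wins; deny otherwise (all-abstain denied, the default). */
    static final class AffirmativeBased {
        final Voter[] voters;
        AffirmativeBased(Voter... voters) { this.voters = voters; }
        boolean decide(Authentication auth, Collection<String> attributes) {
            for (Voter v : voters) {
                if (v.vote(auth, attributes) == Vote.GRANTED) return true;
            }
            return false;
        }
    }

    /** Constructed prefix rules standing in for the <intercept-url> patterns; first match wins. */
    static final Map<String, String> RULES = new LinkedHashMap<String, String>();
    static {
        RULES.put("/login.htm", "ROLE_ANONYMOUS");   // pattern="/login.htm*"
        RULES.put("/", "IS_AUTHENTICATED_FULLY");    // pattern="/**"
    }

    static Collection<String> attributesFor(String uri) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (uri.startsWith(rule.getKey())) return Collections.singletonList(rule.getValue());
        }
        return Collections.<String>emptyList();
    }

    static final AffirmativeBased DECISION_MANAGER =
            new AffirmativeBased(new AuthenticatedVoter(), new RoleVoter());

    /** isAllowed(...) with the check the report quotes: empty authorities short-circuit to false. */
    static boolean isAllowedWithEmptyCheck(String uri, Authentication authentication) {
        if (authentication == null || authentication.authorities.isEmpty()) return false;
        return DECISION_MANAGER.decide(authentication, attributesFor(uri));
    }

    /** isAllowed(...) with only the null check, as the report proposes: the voters decide. */
    static boolean isAllowedVotersDecide(String uri, Authentication authentication) {
        if (authentication == null) return false;
        return DECISION_MANAGER.decide(authentication, attributesFor(uri));
    }

    public static void main(String[] args) {
        // Constructed sample: an LDAP user who logged in fully but belongs to no group, so has no authorities.
        Authentication noRoles = new Authentication(true, new TreeSet<String>());
        String uri = "/siteSelection.htm";
        System.out.println("filter chain admits " + uri + ": " + DECISION_MANAGER.decide(noRoles, attributesFor(uri)));
        System.out.println("isAllowed with isEmpty() check: " + isAllowedWithEmptyCheck(uri, noRoles));
        System.out.println("isAllowed, voters decide:       " + isAllowedVotersDecide(uri, noRoles));

        // The reporter's workaround: one dummy ROLE_ authority defeats the isEmpty() check.
        Authentication withDummy = new Authentication(true, new TreeSet<String>(Collections.singleton("ROLE_DUMMY")));
        System.out.println("isAllowed with dummy role:      " + isAllowedWithEmptyCheck(uri, withDummy));
    }
}
```

The model makes the mismatch visible: for the same user and URL the filter chain's decision manager grants access, while an evaluator that short-circuits on an empty authority collection reports the page as forbidden without ever consulting the voters. Anything driven by isAllowed(...), such as the authorize JSP tag, therefore disagrees with what the filter chain actually enforces for authenticated users who carry no roles.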

        Activity

        Ferdinand Marques Nunes added a comment -

        My workaround consists of implementing the UserDetailsContextMapper and adding a default role (any dummy value prefixed with 'ROLE_') to the authorities collection.

          People

          • Assignee: Luke Taylor
          • Reporter: Ferdinand Marques Nunes
          • Votes: 0
          • Watchers: 0
