Spring Security - SEC-1867

Unsafe authentication.getCredentials.toString() especially when credentials is now null by default since 3.0

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.1
    • Component/s: Core
    • Environment: spring 3.0.6, spring security 3.1.1 20111209 snapshot, multiple http, cas, local, and auth via rmi.

      Description

      Line 69 of ContextPropagatingRemoteInvocation:

          if (currentUser != null) {
              principal = currentUser.getName();
              credentials = currentUser.getCredentials().toString(); // <<< NPE when credentials is null
          }

      If credentials is null, which it is by default per SEC-1493, the whole thing blows up. Blowing up is fine, fast fail and all, but maybe a message or something. Thanks.

        Activity

        Rob Winch added a comment -

        I have pushed a fix into master.

        I am a bit hesitant to fail fast as we do not know if a null password is acceptable (perhaps the principal is all that is used for authentication). Therefore I updated the code to perform a null check prior to calling the toString on it. If the credential is null, a debug statement is logged stating as such.

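The defect in the description and the null check from the fix comment, as an added illustration that is not the Spring Security source. The Authentication interface below is a hypothetical two-method stand-in for org.springframework.security.core.Authentication; the sample user is constructed.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class CredentialPropagationExample {

    // Hypothetical stand-in for org.springframework.security.core.Authentication;
    // only the two accessors the remote invocation reads are modelled.
    interface Authentication {
        String getName();
        Object getCredentials();
    }

    private static final Logger log =
        Logger.getLogger(CredentialPropagationExample.class.getName());

    // Before the fix: toString() is called unconditionally, so an Authentication whose
    // credentials were erased after login (the default since SEC-1493) throws an NPE.
    static String credentialsUnsafe(Authentication currentUser) {
        return currentUser.getCredentials().toString();
    }

    // After the fix: check for null first. A null credential is logged at debug level
    // and propagated as null, leaving the remote side to decide whether the principal
    // alone is acceptable instead of failing the whole invocation here.
    static String credentialsSafe(Authentication currentUser) {
        Object creds = currentUser.getCredentials();
        if (creds == null) {
            log.log(Level.FINE, "Credentials for {0} are null; propagating principal only",
                    currentUser.getName());
            return null;
        }
        return creds.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a user whose password was erased once authentication succeeded.
        Authentication erased = new Authentication() {
            public String getName() { return "alice"; }
            public Object getCredentials() { return null; }
        };
        try {
            credentialsUnsafe(erased);
        } catch (NullPointerException e) {
            System.out.println("before fix: " + e.getClass().getSimpleName());
        }
        System.out.println("after fix: credentials=" + credentialsSafe(erased));
    }
}
```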

          People

          • Assignee: Rob Winch
          • Reporter: Mark Liu
          • Votes: 0
          • Watchers: 1
