Spring Security / SEC-1967

AbstractSecurityInterceptor subclasses do not restore original SecurityContext when using RunAsManager and an Exception is thrown

Description

When I annotate a method with @Secured({"ROLE_ANONYMOUS", "RUN_AS_ADMIN"}), the RunAsToken is not cleared correctly if this method throws an exception. The reason is that org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterInvocation(InterceptorStatusToken, Object), where the code that refreshes the context holder resides, is not invoked:

      if (token.isContextHolderRefreshRequired()) {
          if (logger.isDebugEnabled()) {
              logger.debug("Reverting to original Authentication: " + token.getSecurityContext().getAuthentication());
          }
          SecurityContextHolder.setContext(token.getSecurityContext());
      }

Either the interceptor should ensure this code is called if the method threw an exception, or org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect should do it, or something similar.

What would be the best approach to work around such a bug until this is fixed? Implementing my own interceptor?

I observed this behavior when my password-reset page was submitted with two different passwords, which led to the password-validator component throwing an exception inside a method annotated with a @Secured annotation containing a RUN_AS_ attribute. After that the user is considered to be fully authenticated.
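One way to work around the leak described above without patching Spring Security, as an added example that is not part of this issue or of the project's code: an outer AOP interceptor snapshots the caller's SecurityContext (and its Authentication) before the secured method runs and reinstates it in a finally block, so the RunAs context installed by the inner MethodSecurityInterceptor is discarded whether the method returns or throws. The class name, the advisor() factory and the ordering are assumptions for illustration; the advisor is assumed to be registered as a bean alongside the regular method-security configuration.

```java
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.Advisor;
import org.springframework.aop.support.DefaultPointcutAdvisor;
import org.springframework.aop.support.annotation.AnnotationMatchingPointcut;
import org.springframework.core.Ordered;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical workaround (not Spring Security's own code): restore the original
 * SecurityContext after a @Secured invocation on both the normal and the
 * exceptional path, which the inner security interceptor only does on the
 * normal path when a RunAsManager has swapped in a RunAs token.
 */
public class RestoreSecurityContextInterceptor implements MethodInterceptor {

    public Object invoke(MethodInvocation invocation) throws Throwable {
        // Snapshot both the context object and the Authentication inside it.
        // The quoted afterInvocation() restores a whole context object, but
        // capturing the Authentication as well also covers an interceptor that
        // mutates the caller's context in place instead of replacing it.
        SecurityContext original = SecurityContextHolder.getContext();
        Authentication originalAuth = original.getAuthentication();
        try {
            return invocation.proceed();
        } finally {
            // Runs whether proceed() returned or threw. On the normal path the
            // inner afterInvocation() already did this, so it is a no-op; on the
            // exceptional path this is the only restore, and the RunAs token
            // (e.g. RUN_AS_ADMIN) no longer survives the failed call.
            original.setAuthentication(originalAuth);
            SecurityContextHolder.setContext(original);
        }
    }

    /**
     * Advisor applying the interceptor to every @Secured method. Assumption: the
     * security advisor keeps its default (lowest) precedence, so highest
     * precedence here places this interceptor outside it in the advice chain.
     */
    public static Advisor advisor() {
        DefaultPointcutAdvisor advisor = new DefaultPointcutAdvisor(
                AnnotationMatchingPointcut.forMethodAnnotation(Secured.class),
                new RestoreSecurityContextInterceptor());
        advisor.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return advisor;
    }
}
```

The ordering is what makes this work: the snapshot must be taken before the security interceptor installs the RunAs context, and the finally block must run after it has had its chance to restore. One trade-off to check before adopting it: restoring the snapshot also undoes any Authentication change a secured method makes on purpose (for example a method that logs the user in), so either narrow the pointcut to the methods that carry RUN_AS_ attributes or accept that behaviour.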


People

Assignee: Rob Winch (rwinch)
Reporter: Christian Proinger (autumn85)
Votes: 4
Watchers: 5


Time Tracking

Original Estimate: 2d
Remaining Estimate: 2d
Time Spent: Not Specified