Spring Security: SEC-1967

AbstractSecurityInterceptor subclasses do not restore original SecurityContext when using RunAsManager and an Exception is thrown

    Details

      Description

      When I annotate a method with @Secured({"ROLE_ANONYMOUS", "RUN_AS_ADMIN"}), the RunAsToken is not cleared correctly if this method throws an exception. The reason is that org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterInvocation(InterceptorStatusToken, Object) is not invoked, and that is where the code resides which refreshes the context holder:

      if (token.isContextHolderRefreshRequired()) {
          if (logger.isDebugEnabled()) {
              logger.debug("Reverting to original Authentication: " + token.getSecurityContext().getAuthentication());
          }
          SecurityContextHolder.setContext(token.getSecurityContext());
      }

      Either the interceptor should ensure this code is called if the method threw an exception, or org.springframework.security.access.intercept.aspectj.aspect.AnnotationSecurityAspect should do it, or something similar.

      What would be the best approach to workaround such a bug until this is fixed? Implementing my own interceptor?

      I observed this behavior when my password-reset page was submitted with two different passwords, which led to the password-validator component throwing an exception inside a method annotated with a @Secured annotation containing a RUN_AS_ attribute. After that the user is considered to be fully authenticated.
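      The following is an added example and not code from the issue or from Spring Security itself. It shows the caller-side workaround the description asks about: snapshot the SecurityContext before invoking the run-as-protected method and restore it in a finally block, which covers the exception path that afterInvocation() misses. The class name RunAsContextGuard and the helper methods callAndRestore and failIfRunAsLeaked are hypothetical; the main method simulates the leak with a constructed TestingAuthenticationToken context rather than a real RunAsManager.

```java
import java.util.concurrent.Callable;

import org.springframework.security.access.intercept.RunAsUserToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;

/**
 * Hypothetical caller-side workaround (not part of Spring Security): snapshot the
 * SecurityContext before invoking a @Secured method that uses a RUN_AS_ attribute,
 * and restore it in a finally block so the elevated token cannot outlive the call
 * when the method throws.
 */
public final class RunAsContextGuard {

    private RunAsContextGuard() {
    }

    /** Runs the secured call and restores the caller's context on every exit path. */
    public static <T> T callAndRestore(Callable<T> securedCall) throws Exception {
        // The same object the interceptor's afterInvocation() would put back
        // if it were reached on the exception path.
        SecurityContext original = SecurityContextHolder.getContext();
        try {
            return securedCall.call();
        } finally {
            // Executed on normal return and on exception alike.
            SecurityContextHolder.setContext(original);
        }
    }

    /** Detection check: fails fast if an elevated run-as token leaked past a method boundary. */
    public static void failIfRunAsLeaked() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current instanceof RunAsUserToken) {
            throw new IllegalStateException(
                    "RunAsUserToken is still in the SecurityContextHolder after the secured call returned");
        }
    }

    /** Stand-alone demonstration with a constructed context; simulates the leak the issue describes. */
    public static void main(String[] args) throws Exception {
        // Constructed caller context: the user is only ROLE_ANONYMOUS before the call.
        SecurityContext callerContext = new SecurityContextImpl();
        callerContext.setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_ANONYMOUS"));
        SecurityContextHolder.setContext(callerContext);

        try {
            callAndRestore(() -> {
                // Simulates what the interceptor does with the RunAsManager's token inside
                // beforeInvocation(): a more privileged context is installed for the call...
                SecurityContext elevated = new SecurityContextImpl();
                elevated.setAuthentication(
                        new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN"));
                SecurityContextHolder.setContext(elevated);
                // ...and then the method throws, as the password validator did for mismatched passwords.
                throw new IllegalArgumentException("passwords do not match");
            });
        } catch (IllegalArgumentException expected) {
            // The business exception still propagates to the caller unchanged.
        }

        // Without the finally block the ROLE_ADMIN context would still be installed here.
        Authentication after = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("context after failed call: " + after.getAuthorities());
        failIfRunAsLeaked();
    }
}
```

      callAndRestore is applied by the code that invokes the secured service method, for example the page controller handling the password-reset form, so it wraps the whole interceptor chain rather than replacing it; failIfRunAsLeaked is a cheap assertion to place at request boundaries or in integration tests to catch the symptom described above.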

          Activity

          Rob Winch added a comment -

          This issue is related to SEC-1635 since the removal of the finally block is what caused this.


            People

            • Assignee: Rob Winch
            • Reporter: Christian Proinger
            • Votes: 4
            • Watchers: 5