Spring Security / SEC-2020

Using http@authentication-manager-ref prevents authentication-manager@erase-credential from working

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.1
    • Fix Version/s: 3.1.2
    • Component/s: Namespace
    • Labels:
      None

      Description

      In

      <sec:http realm="sample-realm" authentication-manager-ref="sampleAuthenticationManager"
            pattern="/sample">
            <sec:intercept-url pattern="/sample/*" access="ROLE_ADMIN" />
            <sec:http-basic />
      </sec:http>
      
      <sec:authentication-manager id="sampleAuthenticationManager" erase-credentials="false">
          <sec:authentication-provider ref="sampleAuthenticationProvider" />
      </sec:authentication-manager>
      

      HttpSecurityBeanDefinitionParser wraps "sampleAuthenticationManager" inside a new instance but forgets to pass the value associated with "erase-credentials".

      private BeanReference createAuthenticationManager(Element element, ParserContext pc,
                  ManagedList<BeanReference> authenticationProviders) {
              String parentMgrRef = element.getAttribute(ATT_AUTHENTICATION_MANAGER_REF);
              BeanDefinitionBuilder authManager = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class);
              authManager.addConstructorArgValue(authenticationProviders);
      
              if (StringUtils.hasText(parentMgrRef)) {
                  authManager.addConstructorArgValue(new RuntimeBeanReference(parentMgrRef));
      [...]
      

      Credentials always get erased, even with erase-credentials="false" in the parent.
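The behaviour reported above can be reproduced outside the namespace parser. The following is an added example, not code from the issue or from the Spring Security project; it assumes spring-security-core and its dependencies are on the classpath, and `SampleProvider`, `credentialsAfterLogin` and the sample username and password are constructed for illustration.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class EraseCredentialsWrapDemo {

    // Constructed stand-in for "sampleAuthenticationProvider": accepts any
    // username/password token and returns it authenticated, password included.
    static class SampleProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication a) {
            return new UsernamePasswordAuthenticationToken(a.getPrincipal(), a.getCredentials(),
                    AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        }
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    // Builds the parent as erase-credentials="false", wraps it in a second
    // ProviderManager as the parser excerpt does, and returns the credentials
    // left on the authenticated result.
    static Object credentialsAfterLogin(boolean copyFlagToWrapper) {
        ProviderManager parent = new ProviderManager(
                Collections.<AuthenticationProvider>singletonList(new SampleProvider()));
        parent.setEraseCredentialsAfterAuthentication(false);

        // Wrapper: no providers of its own in this sketch, parent as second argument.
        List<AuthenticationProvider> none = Collections.emptyList();
        ProviderManager wrapper = new ProviderManager(none, parent);
        if (copyFlagToWrapper) {
            // Illustrates the effect of propagating the setting to the wrapper.
            wrapper.setEraseCredentialsAfterAuthentication(false);
        }
        Authentication request =
                new UsernamePasswordAuthenticationToken("admin", "constructed-password");
        return wrapper.authenticate(request).getCredentials();
    }

    public static void main(String[] args) {
        System.out.println("wrapper with default flag: " + credentialsAfterLogin(false));
        System.out.println("wrapper with flag copied:  " + credentialsAfterLogin(true));
    }
}
```

The wrapper's own erase flag defaults to true, so it clears the credentials on the result the parent returned, whatever the parent's setting. The password is retained only when the wrapper's flag is also false.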

        Activity

        Rob Winch added a comment -

        Thank you for your contribution by submitting this issue with such a good description of the problem. I have pushed a fix to master.


          People

          • Assignee:
            Rob Winch
            Reporter:
            pascal gehl
          • Votes:
            0
            Watchers:
            2


              Time Tracking

              Estimated:
              0.5d
              Remaining:
              0.5d
              Logged:
              Not Specified