Spring Web Services / SWS-693

WSS4J SpringDigestPasswordValidationCallbackHandler uses WSUsernameTokenPrincipal instead of UserDetails for creating authentication token?

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Invalid
    • Affects Version/s: 1.5.9
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None

      Description

      I'm using SpringDigestPasswordValidationCallbackHandler for WSS4J Authentication.
      The Handler correctly stores a UsernamePasswordAuthenticationToken in the SecurityContext when the user is correctly authenticated. The problem is that this Token does not contain a reference to my custom UserDetails (as the Principal); instead, it references the original WSUsernameTokenPrincipal read from the Callback.

      This is the code that handles SecurityContextHolder:

          protected void handleUsernameTokenPrincipal(UsernameTokenPrincipalCallback callback)
                  throws IOException, UnsupportedCallbackException {
              UserDetails user = loadUserDetails(callback.getPrincipal().getName());
              WSUsernameTokenPrincipal principal = callback.getPrincipal();
              UsernamePasswordAuthenticationToken authRequest =
                      new UsernamePasswordAuthenticationToken(principal, principal.getPassword(), user.getAuthorities());
              if (logger.isDebugEnabled()) {
                  logger.debug("Authentication success: " + authRequest.toString());
              }
              SecurityContextHolder.getContext().setAuthentication(authRequest);
          }
      

      I think that the Token should reference the UserDetails object as follows:

              UsernamePasswordAuthenticationToken authRequest =
                      new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
      

      so that the SecurityContext contains my custom implementation of the UserDetails object...

      Is this the intended behaviour?
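
For code that reads the SecurityContext after this handler has run, one way to obtain the UserDetails without assuming the principal's type. This is an added example, not part of the original report or of Spring-WS; the class name CurrentUserResolver is hypothetical, and the imports assume the Spring Security 3+ package layout (2.0.x uses org.springframework.security.* without the "core" segment).

```java
import java.security.Principal;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

/** Hypothetical helper: resolves the application's UserDetails from whatever principal was stored. */
public final class CurrentUserResolver {

    private final UserDetailsService userDetailsService;

    public CurrentUserResolver(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /** Resolves the user for the Authentication held in the current SecurityContext. */
    public UserDetails currentUser() {
        return resolve(SecurityContextHolder.getContext().getAuthentication());
    }

    public UserDetails resolve(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new IllegalStateException("No authenticated caller in the SecurityContext");
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            // A handler that stored the UserDetails itself: nothing more to do.
            return (UserDetails) principal;
        }
        if (principal instanceof Principal) {
            // WSUsernameTokenPrincipal implements java.security.Principal, so the
            // username is available through getName(); an unconditional cast to
            // UserDetails here would fail with a ClassCastException.
            String username = ((Principal) principal).getName();
            return userDetailsService.loadUserByUsername(username);
        }
        // Fail closed on principal types this code was not written for.
        throw new IllegalStateException(
                "Unsupported principal type: " + principal.getClass().getName());
    }
}
```

Authorization checks that only need roles can keep using getAuthorities() on the token, which the handler populates from the loaded UserDetails.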

            People

            • Assignee:
              arjen.poutsma Arjen Poutsma
              Reporter:
              ferrerogg Gianni Ferrero