Spring Security PreAuthentication checkForPrincipalChanges bug?
Is this a bug in Spring Security?
org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter line:134
...
Object principal = getPreAuthenticatedPrincipal(request);
if (checkForPrincipalChanges &&
!currentUser.getName().equals(principal)) {
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
...
Shouldn't it consider a null preAuthenticatedPrincipal to be a non change?
I shouldn't have to send the preAuthenticatedPrincipal with every request should I?
Shouldn't there be a check to see if this value is null?
Shouldn't this be
Object principal = getPreAuthenticatedPrincipal(request);
if (checkForPrincipalChanges &&
principal!=null &&
!currentUser.getName().equals(principal)) {
logger开发者_如何学编程.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
Notice addition of principal!=null &&
This was found in spring-security-web-3.0.2.RELEASE.jar
If this is indeed a bug then I think I am working around it by adding the following override to my implementation:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if (getPreAuthenticatedPrincipal((HttpServletRequest) request) != null) {
super.doFilter(request, response, chain);
} else {
//if the request did not include a preauthenticated principal then we should just continue are merry way down the filter chain
chain.doFilter(request, response);
}
}
Let me know if I am wrong about this being a bug and whether I missed anything in my workaround.
This is not a bug for the following reasons.
doAuthenticate()
method returns without an error if preauthenticated principal isnull
.In
requiresAuthentication(
) method, you can turn on or offcheckForPrincipalChanges
The following check happens only if
currentUser
is notnull
.if (checkForPrincipalChanges && !currentUser.getName().equals(principal)) {
This check should happen as it is, since there is indeed a change in principal - from a non-null currentUser
to a null principal
now.
精彩评论