-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DelegatingNegotiateSecurityFilter is not using the customAuthentication returned from the delegated authentication manager for the call to the success handler. #453
Comments
@mstittle Can you be a little more explicit as to what the issue is? For example, if that is our source code, please indicate exactly what lines are wrong. Also, PR would be welcome. |
the authentication manager delegate is invoked with the authentication object passed to setAuthentication(). The authentication manager delegate creates a new custom authentication object with different roles (per my custom logic). This is returned as the customAuthentication instance which is passed to the SecurityContextHolder.getContext().setAuthentication(customAuthentication); I also have a authenticationSuccessHandler configured but per the source code above this is not passed the customAuthentication rather the original authentication instance hence the authenticationSuccessHandler is working from the original authentication object and roles. My handler is looking for the custom roles but in the this case they won't be present. Make sense? |
Yes, any chance you can raise a pull request on this? I'm a bit tied up with another project so won't be able to get to this soon and I know a number of folks are waiting for next official release. So would be wonderful to get a fix in time to make the release. The release itself is all but done so fixing this would be a big plus ;) |
I've run into this issue as well. I'll create a pull request to fix. |
For the SpringSecurity 4 and 5 modules DelegatingNegotiateSecurityFilter, if both a custom AuthenticationManager and a custom AuthenticationSuccessHandler are specified, the custom Authentication is added to the SecurityContext, but is not passed to the custom success handler. This means the context has a different Authentication than the success handler. This is fixed for both spring security modules. Issues: Waffle#453
solved in #956 |
DelegatingNegotiateSecurityFilter is not using the customAuthentication returned from the delegated authentication manager for the call to the success handler.
The text was updated successfully, but these errors were encountered: