Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DelegatingNegotiateSecurityFilter is not using the customAuthentication returned from the delegated authentication manager for the call to the success handler. #453

Closed
mstittle opened this issue Dec 19, 2016 · 5 comments · Fixed by #956
Closed

DelegatingNegotiateSecurityFilter is not using the customAuthentication returned from the delegated authentication manager for the call to the success handler. #453

mstittle opened this issue Dec 19, 2016 · 5 comments · Fixed by #956

Comments

@mstittle
Copy link

DelegatingNegotiateSecurityFilter is not using the customAuthentication returned from the delegated authentication manager for the call to the success handler.

protected boolean setAuthentication(final HttpServletRequest request, final HttpServletResponse response,
            final Authentication authentication) {
        try {
            if (this.authenticationManager != null) {
                DelegatingNegotiateSecurityFilter.LOGGER.debug("Delegating to custom authenticationmanager");
                final Authentication customAuthentication = this.authenticationManager.authenticate(authentication);
                SecurityContextHolder.getContext().setAuthentication(customAuthentication);
            }
            if (this.authenticationSuccessHandler != null) {
                try {
                    this.authenticationSuccessHandler.onAuthenticationSuccess(request, response, authentication);
                } catch (final IOException | ServletException e) {
                    DelegatingNegotiateSecurityFilter.LOGGER.warn("Error calling authenticationSuccessHandler: {}",
                            e.getMessage());
                    DelegatingNegotiateSecurityFilter.LOGGER.trace("", e);
                    return false;
                }
            }`
@hazendaz
Copy link
Member

@mstittle Can you be a little more explicit as to what the issue is? For example, if that is our source code, please indicate exactly what lines are wrong. Also, PR would be welcome.

@mstittle
Copy link
Author

the authentication manager delegate is invoked with the authentication object passed to setAuthentication(). The authentication manager delegate creates a new custom authentication object with different roles (per my custom logic). This is returned as the customAuthentication instance which is passed to the SecurityContextHolder.getContext().setAuthentication(customAuthentication);

I also have a authenticationSuccessHandler configured but per the source code above this is not passed the customAuthentication rather the original authentication instance hence the authenticationSuccessHandler is working from the original authentication object and roles. My handler is looking for the custom roles but in the this case they won't be present. Make sense?

@hazendaz
Copy link
Member

Yes, any chance you can raise a pull request on this? I'm a bit tied up with another project so won't be able to get to this soon and I know a number of folks are waiting for next official release. So would be wonderful to get a fix in time to make the release. The release itself is all but done so fixing this would be a big plus ;)

@cmolodo
Copy link
Contributor

cmolodo commented Jun 11, 2020

I've run into this issue as well. I'll create a pull request to fix.

cmolodo added a commit to cmolodo/waffle that referenced this issue Jun 11, 2020
@cmolodo
Fix DelegatingNegotiateSecurityFilter use of custom auth
e5f6fe3 
For the SpringSecurity 4 and 5 modules DelegatingNegotiateSecurityFilter, if both a custom AuthenticationManager and a custom AuthenticationSuccessHandler are specified, the custom Authentication is added to the SecurityContext, but is not passed to the custom success handler.  This means the context has a different Authentication than the success handler.

This is fixed for both spring security modules.

Issues:
Waffle#453
@cmolodo cmolodo mentioned this issue Jun 11, 2020
Merged
@hazendaz
Copy link
Member

solved in #956

hazendaz added a commit that referenced this issue Jun 11, 2020
@hazendaz
[ci] Add changelog for fix to #453 on PR #956
a014226
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix DelegatingNegotiateSecurityFilter use of custom auth cmolodo/waffle
3 participants
@mstittle @hazendaz @cmolodo