Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BasicAuthenticationFilter skips re-authentication if username changes and Authentication object is not UsernamePasswordAuthenticationToken #10347

Closed
pgeyman opened this issue Oct 6, 2021 · 2 comments
Closed

BasicAuthenticationFilter skips re-authentication if username changes and Authentication object is not UsernamePasswordAuthenticationToken #10347

pgeyman opened this issue Oct 6, 2021 · 2 comments
Assignees
@sjohnr
Labels
in: web An issue in web modules (web, webmvc) type: breaks-passivity A change that breaks passivity with the previous release type: enhancement A general enhancement
Milestone
6.0.0-RC1

Comments

@pgeyman
Copy link

pgeyman commented Oct 6, 2021
edited
Loading

Describe the bug
The BasicAuthenticationFilter skips re-authentication if the username changes in the basic authentication header and the Authentication object is not an instance of UsernamePasswordAuthenticationToken.

The BasicAuthenticationFilter contains an authenticationIsRequired method that is private and so cannot be overridden to add handling for different Authentication object types that may support UsernamePasswordAuthenticationToken style authentication, but do not inherit from the UsernamePasswordAuthenticationToken.

We have an Authentication class that is a wrapper around existing authentication instances to allow us to provide MFA functionality after the Basic Authentication mechanism succeeds.

To Reproduce

  • Configure Spring Security with a custom authentication provider that wraps the UsernamePasswordAuthenticationToken as a delegate.
  • Login with basic auth and maintain a session so the existing authentication is stored
  • Send a second request for the same session with different basic auth credentials and the authenticationIsRequired check is skipped and you carry on with the original user auth.

Expected behaviour
The BasicAuthenticationFilter should allow the authenticationIsRequired method to be overridden to allow additional checks for different Authentication types that support username/password but that cannot inherit from UsernamePasswordAuthenticationToken, to allow this SEC-348 security check to be performed.

For security reasons we should not have to clone the BasicAuthenticationFilter to achieve this.

Sample

To Follow
@pgeyman pgeyman added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Oct 6, 2021
@jzheaux jzheaux self-assigned this Oct 6, 2021
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Oct 6, 2021
shazin added a commit to shazin/spring-security that referenced this issue Mar 15, 2022
@shazin
Enabling authenticationIsRequired to be overridden for custom checks. F…
ffb59ac 
…ixes spring-projects#10347
@shazin shazin mentioned this issue Mar 15, 2022
Closed
@jzheaux
Copy link
Contributor

jzheaux commented Mar 17, 2022
edited
Loading

Given that this check was added for CAS and the CAS module is removed in 6.0.x, is the existingAuth instanceof UsernamePasswordAuthenticationToken check something that can also be removed in 6.0.x, @rwinch?

Or, if we leave it in, comparing it against a concrete Authentication type seems less flexible than comparing against an Authentication#getPrincipal interface type.

@rwinch
Copy link
Member

rwinch commented Jun 6, 2022

I think this can be removed for 6.0.x since CAS has been removed. It's important to note that the CAS code probably should have had a custom Authentication type rather than try to reuse UsernamePasswordAuthenticationToken.

@rwinch rwinch added this to the 6.0.x milestone Jun 6, 2022
@sjohnr sjohnr self-assigned this Jul 26, 2022
@jzheaux jzheaux mentioned this issue Aug 30, 2022
Closed
sjohnr pushed a commit that referenced this issue Sep 29, 2022
@shazin @sjohnr
Allow authenticationIsRequired to be overridden
1e0e9a2 
Issue gh-10347
@sjohnr sjohnr closed this as completed in e0e6467 Sep 29, 2022
@sjohnr sjohnr added the type: breaks-passivity A change that breaks passivity with the previous release label Sep 29, 2022
@sjohnr sjohnr modified the milestones: 6.0.x, 6.0.0-RC1 Sep 29, 2022
@marcusdacoregio marcusdacoregio mentioned this issue Nov 25, 2022
Closed
tech-c8y-github pushed a commit to SoftwareAG/cumulocity-clients-java that referenced this issue Sep 11, 2024
@jaro-herod
MTM-60160: the oauth based authentication fails with newer spring ver…
35e03d0 
…sion cause of change : spring-projects/spring-security#10347. The microservice proxy sends basic auth in combination with cookie authentication which now triggers re authentication as username don't match (#90)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: web An issue in web modules (web, webmvc) type: breaks-passivity A change that breaks passivity with the previous release type: enhancement A general enhancement
Projects
Spring Security Team
Archived in project
Milestone
6.0.0-RC1
Development

No branches or pull requests
4 participants
@rwinch @jzheaux @pgeyman @sjohnr