BasicAuthenticationFilter skips re-authentication if username changes and Authentication object is not UsernamePasswordAuthenticationToken #10347
Labels: in: web, type: breaks-passivity, type: enhancement
Describe the bug
The BasicAuthenticationFilter skips re-authentication if the username changes in the basic authentication header and the Authentication object is not an instance of UsernamePasswordAuthenticationToken.

The BasicAuthenticationFilter contains an authenticationIsRequired method that is private and so cannot be overridden to add handling for different Authentication object types that may support UsernamePasswordAuthenticationToken-style authentication but do not inherit from UsernamePasswordAuthenticationToken.

We have an Authentication class that is a wrapper around existing authentication instances to allow us to provide MFA functionality after the Basic Authentication mechanism succeeds.
To Reproduce
UsernamePasswordAuthenticationToken as a delegate. The authenticationIsRequired check is skipped and you carry on with the original user auth.
Expected behaviour
The BasicAuthenticationFilter should allow the authenticationIsRequired method to be overridden to allow additional checks for different Authentication types that support username/password but that cannot inherit from UsernamePasswordAuthenticationToken, to allow this SEC-348 security check to be performed. For security reasons we should not have to clone the BasicAuthenticationFilter to achieve this.
Sample
To Follow
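The behaviour the issue reports, as an added stand-alone example that is not part of the issue or of Spring Security's own code. MfaAuthentication is a hypothetical wrapper token modelled on the one the reporter describes; authenticationIsRequiredAsReported reproduces the decision the issue attributes to the private BasicAuthenticationFilter.authenticationIsRequired method (the filter itself reads the existing Authentication from the SecurityContextHolder, which is passed in here directly); authenticationIsRequiredUnwrapping is one possible variant, an assumption rather than a proposed project change, that unwraps the delegate before the SEC-348 username comparison. It needs only spring-security-core on the classpath.

```java
import java.util.Collection;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class ReauthCheckDemo {

    /** Hypothetical MFA wrapper: delegates to the token Basic auth produced and adds MFA state. */
    static final class MfaAuthentication implements Authentication {
        private final Authentication delegate;
        private final boolean mfaComplete;

        MfaAuthentication(Authentication delegate, boolean mfaComplete) {
            this.delegate = delegate;
            this.mfaComplete = mfaComplete;
        }

        Authentication getDelegate() { return delegate; }
        boolean isMfaComplete() { return mfaComplete; }

        @Override public Collection<? extends GrantedAuthority> getAuthorities() { return delegate.getAuthorities(); }
        @Override public Object getCredentials() { return delegate.getCredentials(); }
        @Override public Object getDetails() { return delegate.getDetails(); }
        @Override public Object getPrincipal() { return delegate.getPrincipal(); }
        @Override public boolean isAuthenticated() { return delegate.isAuthenticated(); }
        @Override public void setAuthenticated(boolean authenticated) { delegate.setAuthenticated(authenticated); }
        @Override public String getName() { return delegate.getName(); }
    }

    /**
     * Decision as the issue describes it: the username comparison (SEC-348) only runs when the
     * existing token is a UsernamePasswordAuthenticationToken, so any other authenticated token
     * is kept even if the Basic header now names a different user.
     */
    static boolean authenticationIsRequiredAsReported(Authentication existing, String username) {
        if (existing == null || !existing.isAuthenticated()) {
            return true;
        }
        if (existing instanceof UsernamePasswordAuthenticationToken && !existing.getName().equals(username)) {
            return true;
        }
        return existing instanceof AnonymousAuthenticationToken;
    }

    /**
     * One possible check for the wrapper case (an assumption for this example): look through the
     * wrapper to the token it delegates to before applying the same comparison.
     */
    static boolean authenticationIsRequiredUnwrapping(Authentication existing, String username) {
        if (existing == null || !existing.isAuthenticated()) {
            return true;
        }
        Authentication inner = existing instanceof MfaAuthentication
                ? ((MfaAuthentication) existing).getDelegate()
                : existing;
        if (inner instanceof UsernamePasswordAuthenticationToken && !inner.getName().equals(username)) {
            return true;
        }
        return inner instanceof AnonymousAuthenticationToken;
    }

    public static void main(String[] args) {
        // Constructed sample: an authenticated session for "alice" (three-arg constructor marks it authenticated).
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication wrapped = new MfaAuthentication(alice, true);

        // Plain token: a Basic header for "bob" forces re-authentication.
        System.out.println("plain token, header user bob: required=" + authenticationIsRequiredAsReported(alice, "bob"));
        // Wrapped token: the same header is accepted as alice's session, which is the reported problem.
        System.out.println("wrapped token, header user bob: required=" + authenticationIsRequiredAsReported(wrapped, "bob"));
        // Unwrapping variant: the username comparison applies to the delegate.
        System.out.println("unwrapping check, header user bob: required=" + authenticationIsRequiredUnwrapping(wrapped, "bob"));
        System.out.println("unwrapping check, header user alice: required=" + authenticationIsRequiredUnwrapping(wrapped, "alice"));
    }
}
```

Running main shows the asymmetry the issue is about: the plain token triggers re-authentication when the header names a different user, while the wrapper does not, because the instanceof test excludes it before the names are compared. The unwrapping variant illustrates why the reporter wants the check to be overridable; hard-coding knowledge of one wrapper type inside the filter is not a general fix.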