SEC-2533: Global AuthenticationManagerBuilder disables clearing child…

… credentials
DexingGong · Mar 25, 2014 · c411014 · c411014
1 parent cb0549a
commit c411014
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/...work/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java b/...work/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
@@ -78,6 +78,9 @@ public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProces
      */
     public AuthenticationManagerBuilder parentAuthenticationManager(
             AuthenticationManager authenticationManager) {
+        if(authenticationManager instanceof ProviderManager) {
+            eraseCredentials(((ProviderManager) authenticationManager).isEraseCredentialsAfterAuthentication());
+        }
         this.parentAuthenticationManager = authenticationManager;
         return this;
     }

diff --git a/...work/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy b/...work/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
@@ -15,6 +15,7 @@
  */
 package org.springframework.security.config.annotation.authentication
 
+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
@@ -89,4 +90,25 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
             return super.authenticationManagerBean();
         }
     }
+
+    def "SEC-2533: global authentication-manager@erase-credentials=false"() {
+        when:
+            loadConfig(GlobalEraseCredentialsFalseConfig)
+            Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
+        then:
+            auth.credentials == "password"
+            auth.principal.password == "password"
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class GlobalEraseCredentialsFalseConfig extends WebSecurityConfigurerAdapter {
+        @Autowired
+        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .eraseCredentials(false)
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
+    }
 }