Set details on authentication token created by HttpServlet3RequestFactory

Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.

This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.

Closes gh-9579
This commit is contained in:
Karl Tinawi
2021-04-11 15:13:13 +01:00
committed by Steve Riesenberg
parent be802f57ba
commit c57fc309c2
4 changed files with 71 additions and 1 deletions

View File

@@ -30,6 +30,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.TestingAuthenticationToken;
@@ -149,6 +150,15 @@ public class ServletApiConfigurerTests {
verify(SharedTrustResolverConfig.TR, atLeastOnce()).isAnonymous(any());
}
@Test
public void configureWhenSharedObjectAuthenticationDetailsSourceThenAuthenticationDetailsSourceUsed() {
this.spring.register(SharedAuthenticationDetailsSourceConfig.class).autowire();
SecurityContextHolderAwareRequestFilter scaFilter = getFilter(SecurityContextHolderAwareRequestFilter.class);
AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = getFieldValue(scaFilter,
"authenticationDetailsSource");
assertThat(authenticationDetailsSource).isEqualTo(SharedAuthenticationDetailsSourceConfig.ADS);
}
@Test
public void requestWhenServletApiWithDefaultsInLambdaThenUsesDefaultRolePrefix() throws Exception {
this.spring.register(ServletApiWithDefaultsInLambdaConfig.class, AdminController.class).autowire();
@@ -321,6 +331,22 @@ public class ServletApiConfigurerTests {
}
@EnableWebSecurity
static class SharedAuthenticationDetailsSourceConfig extends WebSecurityConfigurerAdapter {
@SuppressWarnings("unchecked")
static AuthenticationDetailsSource<HttpServletRequest, ?> ADS = spy(AuthenticationDetailsSource.class);
@Override
protected void configure(HttpSecurity http) {
// @formatter:off
http
.setSharedObject(AuthenticationDetailsSource.class, ADS);
// @formatter:on
}
}
@EnableWebSecurity
static class ServletApiWithDefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {