# `JwtAuthenticationProvider` should use provided authentication details

ch4mpy opened this issue
**Describe the bug**

`JwtAuthenticationProvider` delegates the instantiation of an `Authentication` to a `Converter<Jwt, ? extends AbstractAuthenticationToken>` but it then alters the returned value's `details` property.

For a framework user providing a `Converter<Jwt, AbstractAuthenticationToken>` bean which sets authentication details, this means he won't get the details he had set when later accessing the authentication (from security expressions for instance).

Please note that `JwtReactiveAuthenticationManager`, the reactive pendant of `JwtAuthenticationProvider` written by @rwinch, does not set `details` after the `Authentication` is returned by the converter.
**To Reproduce**

- Create a `DemoAuthentication extends AbstractAuthenticationToken` class which sets details in its constructor and make it immutable (override `setDetails` to throw an exception)
- Configure a resource-server with a JWT decoder and a `Converter<Jwt, DemoAuthentication>`

An exception will be thrown by `JwtAuthenticationProvider` as soon as a request is submitted with a valid JWT.
**Expected behavior**

This kind of side effect on the `Authentication` instance is a problem when the framework user has provided a `jwtAuthenticationConverter` which intentionally sets authentication `details`.

Ideally, the `details` property would be set by the `jwtAuthenticationConverter` (not the `JwtAuthenticationProvider`).

Another solution with minimum code impact would be preventing `JwtAuthenticationProvider` from touching authentication `details` when it is not null.
**Sample**

https://github.com/ch4mpy/spring-security-11822

- edit `application.properties` to point to your favorite authorization-server
- get a JWT access-token
- edit the `TOKEN` value in `SpringSecurity11822ApplicationTests`
- run `SpringSecurity11822ApplicationTests`
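Added example, not the issue's sample project and not Spring Security code: the immutable `DemoAuthentication` and the `Converter<Jwt, DemoAuthentication>` from the reproduction steps above, wired into a minimal resource-server `SecurityFilterChain`. The class names and the `roles` and `tenant` claim names are assumptions. Making `setDetails` throw is the check that turns a silent overwrite of converter-supplied details into a visible failure on the first authenticated request.

```java
// Added example (not code from the issue or from Spring Security). The "roles" and
// "tenant" claim names and the class names are assumptions for illustration.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;

/** Authentication whose details are fixed at construction; any later setDetails() call fails loudly. */
class DemoAuthentication extends AbstractAuthenticationToken {
    private final Jwt jwt;
    private final Object fixedDetails;

    DemoAuthentication(Jwt jwt, Collection<? extends GrantedAuthority> authorities, Object details) {
        super(authorities);
        this.jwt = jwt;
        this.fixedDetails = details;
        setAuthenticated(true); // the JWT was already validated by the decoder before conversion
    }

    @Override public Object getCredentials() { return jwt.getTokenValue(); }
    @Override public Object getPrincipal()   { return jwt.getSubject(); }
    @Override public Object getDetails()     { return fixedDetails; }

    /**
     * JwtAuthenticationProvider calls setDetails() on the token returned by convert(),
     * which is what surfaces the bug. The issue's minimal fix would be to skip that
     * call when getDetails() is already non-null.
     */
    @Override public void setDetails(Object details) {
        throw new UnsupportedOperationException("DemoAuthentication details are immutable");
    }
}

/** Builds the Authentication from the decoded JWT and sets details itself. */
class DemoAuthenticationConverter implements Converter<Jwt, DemoAuthentication> {
    @Override
    public DemoAuthentication convert(Jwt jwt) {
        List<String> roles = jwt.getClaimAsStringList("roles"); // assumed claim name; may be absent
        List<GrantedAuthority> authorities = new ArrayList<>();
        if (roles != null) {
            for (String role : roles) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
        }
        // Details chosen by the converter, here a tenant identifier read from the token (assumed claim name)
        Object details = jwt.getClaimAsString("tenant");
        return new DemoAuthentication(jwt, authorities, details);
    }
}

/** Resource-server configuration that registers the converter; the decoder comes from application.properties. */
@Configuration
@EnableWebSecurity
class ResourceServerConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(new DemoAuthenticationConverter())));
        http.authorizeHttpRequests(authz -> authz.anyRequest().authenticated());
        return http.build();
    }
}
```

With this configuration, a request carrying a valid JWT fails inside `JwtAuthenticationProvider` with the `UnsupportedOperationException` rather than silently replacing the converter's `tenant` details with the bearer token's own details; without the throwing override, `getDetails()` in security expressions would return whatever the provider stored, not what the converter set.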