Summary
I'm using a Spring Boot web application with Spring Security. My users' passwords are stored in the DB encoded with bcrypt. For some users, if I try to log in with the correct username and a blank password (empty string), the authentication process does not fail with a 401 but returns the user as logged in. How is this possible?
Actual Behavior
The user is returned as logged in.
Expected Behavior
Authentication should fail with a 401 (bad credentials) instead of returning the user as logged in.
Configuration
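@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
/**
 * Web security configuration: wires a bcrypt-backed username/password
 * authentication (form login on /authenticate), a custom token filter, remember-me,
 * switch-user (impersonation) and the URL authorization rules.
 */
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Key passed to {@code rememberMe().key(...)} below; the injected
     * {@link #rememberMeServices} bean must be created with the same key.
     * NOTE(review): hard-coded and public. Spring Security's remember-me support uses
     * this key when issuing/validating remember-me tokens, so a value checked into source
     * control is weaker than one loaded from external configuration (property/secret).
     */
    public static final String REMEMBER_ME_KEY = "rememberme_key";

    /** Loads users (and their stored bcrypt hashes) from the application's DB. */
    @Autowired
    private CustomUserDetailsService userDetailsService;

    /** Entry point used for unauthenticated requests to protected URLs (REST-style 401). */
    @Autowired
    private RestUnauthorizedEntryPoint restAuthenticationEntryPoint;

    /** Handler for authenticated requests that lack the required role. */
    @Autowired
    private AccessDeniedHandler restAccessDeniedHandler;

    /** Invoked after a successful form login on /authenticate. */
    @Autowired
    private AuthenticationSuccessHandler restAuthenticationSuccessHandler;

    /** Invoked after a failed form login on /authenticate. */
    @Autowired
    private AuthenticationFailureHandler restAuthenticationFailureHandler;

    /** Remember-me implementation defined elsewhere; must be keyed with REMEMBER_ME_KEY. */
    @Autowired
    private RememberMeServices rememberMeServices;

    /** Encoder used both to store and to verify user passwords. */
    @Autowired
    private BCryptPasswordEncoder bcryptEncoder;

    /**
     * Exposes the AuthenticationManager built by {@link #configureGlobal} as a bean so
     * that other components (e.g. the token filter below) can authenticate with it.
     *
     * @return the shared authentication manager
     * @throws Exception if the manager cannot be built
     */
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the custom UserDetailsService and the bcrypt encoder with the global
     * authentication manager: presented passwords are compared against the stored
     * hashes by the encoder.
     *
     * NOTE(review) on the "blank password logs in" report: nothing in this class skips the
     * encoder check for empty credentials, so the usual candidates are (a) the affected
     * rows hold bcrypt("") — i.e. those accounts were created or imported with an empty
     * password, which would explain why only some users are affected — or (b) the request
     * is already authenticated before the form-login filter runs, by the custom
     * AuthenticationTokenFilter or by a remember-me cookie. Check the stored hashes of
     * the affected users first; rejecting blank passwords explicitly (e.g. in
     * CustomUserDetailsService or a custom AuthenticationProvider) is advisable either way.
     *
     * @param auth builder for the global AuthenticationManager
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bcryptEncoder);
    }

    /**
     * Custom token filter, inserted before the form-login filter in {@link #configure}.
     * Whatever this filter accepts is authenticated without going through the
     * username/password check, so its own credential validation must be strict.
     *
     * @return the configured filter bean
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public AuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        AuthenticationTokenFilter authenticationTokenFilter = new AuthenticationTokenFilter();
        authenticationTokenFilter.setAuthenticationManager(authenticationManagerBean());
        return authenticationTokenFilter;
    }

    /**
     * Impersonation filter: POST /switch_user?login=&lt;name&gt; switches the current session
     * to that user (no password is involved, by design), /switch_user_exit switches back.
     * Access to both URLs is restricted by the authorization rules in {@link #configure};
     * the filter itself is added after FilterSecurityInterceptor so those rules run first.
     *
     * @return the configured switch-user filter
     */
    @Bean
    public SwitchUserFilter switchUserFilter() {
        SwitchUserFilter filter = new SwitchUserFilter();
        filter.setUserDetailsService(userDetailsService);
        filter.setUsernameParameter("login");
        filter.setSwitchUserUrl("/switch_user");
        filter.setExitUserUrl("/switch_user_exit");
        filter.setTargetUrl("/users/me");
        filter.setSwitchFailureUrl("/version");
        return filter;
    }

    /**
     * HTTP security: URL authorization, REST-style error handling, form login on
     * /authenticate, logout, remember-me and the two custom filters.
     *
     * @param http the HttpSecurity builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // NOTE(review): this turns off every default security header (X-Content-Type-Options,
            // X-Frame-Options, Cache-Control, HSTS, ...). If a single header is in the way,
            // disable only that one instead of the whole set.
            .headers().disable()
            // NOTE(review): CSRF protection is off, yet authentication here is cookie based
            // (JSESSIONID from formLogin plus the remember-me cookie), so state-changing
            // endpoints can be driven cross-site from an authenticated browser. Disabling
            // CSRF is only safe for clients that never authenticate with a cookie.
            .csrf().disable()
            .authorizeRequests()
                // Impersonation URLs are gated here, before SwitchUserFilter sees them.
                .antMatchers("/switch_user").hasAnyRole("ADMIN", "GOD")
                .antMatchers("/switch_user_exit").hasRole("PREVIOUS_ADMINISTRATOR")
                .antMatchers("/static/**").permitAll()
                .antMatchers("/users").permitAll()
                .antMatchers("/version").permitAll()
                .antMatchers("/ms3/**").permitAll()
                .antMatchers("/form/**").permitAll()
                .antMatchers("/extapi/**").permitAll()
                // Everything else, including /api/**, requires authentication. Rules are
                // evaluated in order and anyRequest() matches every request, so the
                // previous trailing antMatchers("/api/**").authenticated() rule could never
                // be reached and has been dropped; later Spring Security versions reject
                // matchers declared after anyRequest() at startup.
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(restAuthenticationEntryPoint)
                .accessDeniedHandler(restAccessDeniedHandler)
                .and()
            .formLogin()
                .loginProcessingUrl("/authenticate")
                .successHandler(restAuthenticationSuccessHandler)
                .failureHandler(restAuthenticationFailureHandler)
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
                .deleteCookies("JSESSIONID")
                .permitAll()
                .and()
            .rememberMe()
                .rememberMeServices(rememberMeServices)
                .key(REMEMBER_ME_KEY)
                .and()
            // After FilterSecurityInterceptor, so the role checks above apply to /switch_user.
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class);

        // Runs before the username/password filter: a request it authenticates never
        // reaches the bcrypt check in DaoAuthenticationProvider.
        http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
    }
}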
Version
- Spring Boot 1.3.3.RELEASE
- Spring Security 4.0.3.RELEASE
Comment From: marcusdacoregio
Hi @scne,
I apologize beforehand, I know that it's been a while since this issue was opened.
With the code provided, I couldn't reproduce the problem. If this is still a problem for someone else, a minimal, reproducible sample would be helpful.
Comment From: marcusdacoregio
I'll close this for now but we can always reopen it if someone has this problem.