
Prevent JwtAuthenticationProvider from setting authentication details when jwtAuthenticationConverter returned an authentication instance with non null details

Open ch4mpy opened this issue 3 years ago • 4 comments

This could fix gh-11822

ch4mpy avatar Sep 15 '22 20:09 ch4mpy

@sjohnr done

ch4mpy avatar Sep 16 '22 20:09 ch4mpy

@sjohnr anything more needed on this PR?

ch4mpy avatar Sep 22 '22 16:09 ch4mpy

@ch4mpy, thanks for asking! I don't think so, but I'm heads down on a few other things and will circle back to this a bit later.

sjohnr avatar Sep 22 '22 21:09 sjohnr

@sjohnr rebased on main and updated copyright.

P.S. Well, the scenario in which one sets details in the authentication converter and these details being overridden by the framework is the exact one a team I know went through, and none expected to have details "lost". Reason for me opening the ticket as a "bug". Of course, with my recent contribution on introspection and the discussions we had about this behavior, it didn't take me long to spot their problem and provide them with a workaround.

I hadn't considered it an expected "feature", which is why I initially based the PR on 5.8.

ch4mpy avatar Sep 26 '22 19:09 ch4mpy

Any plan to merge this sometime? This would allow me to use immutable Authentication implementations in servlets with JWT decoder (can currently do it in reactive apps only).

ch4mpy avatar Nov 07 '22 01:11 ch4mpy

Hi @ch4mpy!

Any plan to merge this sometime?

Apologies, I wasn't able to circle back to this in time for RC1. I'm going to schedule this for 6.1 as I'd prefer to hold off on any code enhancements in the RC phase of 6.0. I'll merge this after the GA release.

sjohnr avatar Nov 07 '22 22:11 sjohnr

This is merged via 7ad4ebd07ad0c3c8a507cf68bb35308b6595042a

sjohnr avatar Dec 13 '22 00:12 sjohnr
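
A check for the behavior this thread discusses, written as an added example (it is not code from the PR or from Spring Security): it runs `JwtAuthenticationProvider` with a converter that sets its own details and reports whether they survive `authenticate()`. `TenantDetails`, the stub decoder and all token values are constructed for illustration; it assumes Spring Security 6.x resource-server classes on the classpath.

```java
import java.util.List;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

public class ConverterDetailsCheck {

    // Hypothetical details type set by the converter (constructed for this example).
    record TenantDetails(String tenantId) {}

    // Returns true when the details set by the converter are still present
    // on the Authentication returned by the provider.
    static boolean converterDetailsKept() {
        // Stub decoder: builds a fixed, constructed Jwt and verifies no signature.
        // For this check only; never use such a decoder in a real application.
        JwtDecoder decoder = token -> Jwt.withTokenValue(token)
                .header("alg", "none")
                .claim("sub", "user")
                .build();

        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        provider.setJwtAuthenticationConverter(jwt -> {
            AbstractAuthenticationToken auth = new JwtAuthenticationToken(jwt, List.of());
            auth.setDetails(new TenantDetails("tenant-a"));
            return auth;
        });

        // The bearer token carries its own details, standing in for what the
        // web layer attaches to the request before the provider is called.
        BearerTokenAuthenticationToken bearer =
                new BearerTokenAuthenticationToken("constructed-token");
        bearer.setDetails("request-details");

        Authentication result = provider.authenticate(bearer);
        return result.getDetails() instanceof TenantDetails;
    }

    public static void main(String[] args) {
        boolean kept = converterDetailsKept();
        System.out.println("converter details kept: " + kept);
        if (!kept) {
            // Fail loudly so code that reads getDetails() never sees the wrong type.
            throw new IllegalStateException("details set by the converter were replaced");
        }
    }
}
```

Run against the Spring Security version an application actually ships with, this shows whether code that reads `getDetails()` after JWT authentication receives the converter's object or the one copied from the bearer token.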