Correctly support fallback to local-users in the absence of SAML2 attributes when both local-users and preauth are active (!3) · Merge requests · adi-ia / uw-spring-security

Nicholas Blair requested to merge npblair/uw-spring-security:highlander into master Feb 02, 2016

The theme for this pull request:

This refactor was needed as the prior code did not fully support the 'combined' approach with both local-users and preauth. In the previous iteration, 2 WebSecurityConfigurerAdapters and as a result, 2 HttpSecurity instances would have been registered, only one having any affect (typically the preauth, but not guarantees). Spring Security does not provide support for multiple HttpSecurity instances, there should be only one.

With this pull request, there is now only one WebSecurityConfigurerAdapter, whose sole purpose is to collect all HttpSecurityAmenders and execute their callback at the right time. Te existing WebSecurityConfiguration classes for both profiles have been retrofitted to produce HttpSecurityAmenders that perform the desired behavior. The test cases provided in the sample-war have been updated to provide 2 combined test paths:

1 that has both profiles active, but demonstrates how fallback to HTTP Basic works, and
1 that has both profiles active, and includes the simulation filter to produce a successful preauthentication.

Admin message

Correctly support fallback to local-users in the absence of SAML2 attributes when both local-users and preauth are active

Merge request reports