SEC-2533: Global AuthenticationManagerBuilder disables clearing child credentials

Rob Winch · Rob Winch · commit c411014c24ce · 2014-03-25T13:05:44.000-05:00
diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
@@ -78,6 +78,9 @@ public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProces
      */
     public AuthenticationManagerBuilder parentAuthenticationManager(
             AuthenticationManager authenticationManager) {
+        if(authenticationManager instanceof ProviderManager) {
+            eraseCredentials(((ProviderManager) authenticationManager).isEraseCredentialsAfterAuthentication());
+        }
         this.parentAuthenticationManager = authenticationManager;
         return this;
     }
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/authentication/NamespaceAuthenticationManagerTests.groovy
@@ -15,6 +15,7 @@
  */
 package org.springframework.security.config.annotation.authentication
 
+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
@@ -89,4 +90,25 @@ class NamespaceAuthenticationManagerTests extends BaseSpringSpec {
             return super.authenticationManagerBean();
         }
     }
+
+    def "SEC-2533: global authentication-manager@erase-credentials=false"() {
+        when:
+            loadConfig(GlobalEraseCredentialsFalseConfig)
+            Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user","password"))
+        then:
+            auth.credentials == "password"
+            auth.principal.password == "password"
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class GlobalEraseCredentialsFalseConfig extends WebSecurityConfigurerAdapter {
+        @Autowired
+        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .eraseCredentials(false)
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
+    }
 }
