Skip to content

Raise AuthenticationCredentialsNotFoundException if Principal is not present and declared as not optional#790

Closed
koenpunt wants to merge 2 commits intospring-projects:mainfrom
koenpunt:principal-nonnull
Closed

Raise AuthenticationCredentialsNotFoundException if Principal is not present and declared as not optional#790
koenpunt wants to merge 2 commits intospring-projects:mainfrom
koenpunt:principal-nonnull

Conversation

@koenpunt
Copy link
Contributor

@koenpunt koenpunt commented Sep 6, 2023

The issue with a non-null principal argument is more visible in Kotlin then it is in Java; in Java even when a function argument is annotated as non-null, it still accepts a null value for that parameter, but in Kotlin this results in a "can not assign null to non-null parameter" error.

By throwing a security error when the argument is non-null, and the principal isn't present in the security context, authentication errors can be handler in an exception resolver class, instead of resulting in an arbitrary internal error.

Fixes #714

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 6, 2023
@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 14, 2023
@rstoyanchev rstoyanchev added this to the 1.2.3 milestone Sep 14, 2023
@rstoyanchev rstoyanchev changed the title Require authentication to be present when Principal is nonnull Raise AuthenticationCredentialsNotFoundException if Principal is not present and declared as not optional Sep 14, 2023
@rstoyanchev rstoyanchev mentioned this pull request Sep 14, 2023
Closed
rstoyanchev
rstoyanchev requested changes Sep 14, 2023
View reviewed changes
Copy link
Contributor

@rstoyanchev rstoyanchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good so far. However, we also have AuthenticationPrincipalArgumentResolver that probably needs a similar update.

@koenpunt
Copy link
Contributor Author

koenpunt commented Sep 14, 2023
edited
Loading

Updated it to reuse the doResolve method. Not sure if that's alright, or that maybe that method should now be moved to a more common place?

rstoyanchev pushed a commit that referenced this pull request Sep 14, 2023
@koenpunt @rstoyanchev
Raise exception if Principal is required but not present
c244332 
See gh-790
rstoyanchev added a commit that referenced this pull request Sep 14, 2023
@rstoyanchev
Polishing contribution
a960132 
See gh-790
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Sep 14, 2023
edited
Loading

This is now processed, thanks for the changes! I've made some small adjustments, notably to treat Mono as optional since can it be empty.

@koenpunt
Copy link
Contributor Author

koenpunt commented Sep 14, 2023

Great! Although I didn't expect this to get merged right away, and I think it might need some additional tests for the @AuthenticationPrincipal?

@rstoyanchev
Copy link
Contributor

rstoyanchev commented Sep 15, 2023

You can submit a PR in draft mode in that case. Overall seems alright to me. The resolver for @AuthenticationPrincipal delegates to the resolver for Principal and that is already tested. If you'd like to add more tests, send another PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rstoyanchev rstoyanchev rstoyanchev approved these changes

Assignees

No one assigned

Labels

type: enhancement A general enhancement

Projects

None yet

Milestone

1.2.3

Development

Successfully merging this pull request may close these issues.

Raise AuthenticationCredentialsNotFoundException if Principal is not present and declared as not optional

3 participants

@koenpunt @rstoyanchev @spring-projects-issues