Description
Describe the bug
The BasicAuthenticationFilter skips re-authentication if the username changes in the basic authentication header and the Authentication object is not an instance of UsernamePasswordAuthenticationToken.
The BasicAuthenticationFilter contains an authenticationIsRequired method that is private and so cannot be overridden to add handling for different Authentication object types that may support UsernamePasswordAuthenticationToken style authentication, but do not inherit from the UsernamePasswordAuthenticationToken.
We have an Authentication class that is a wrapper around existing authentication instances to allow us to provide MFA functionality after the Basic Authentication mechanism succeeds.
To Reproduce
- Configure Spring Security with a custom authentication provider that wraps the UsernamePasswordAuthenticationToken as a delegate.
- Log in with basic auth and maintain a session so the existing authentication is stored.
- Send a second request for the same session with different basic auth credentials: the authenticationIsRequired check is skipped and you carry on with the original user's authentication.
Expected behaviour
The BasicAuthenticationFilter should allow the authenticationIsRequired method to be overridden to allow additional checks for different Authentication types that support username/password but that cannot inherit from UsernamePasswordAuthenticationToken, to allow this SEC-348 security check to be performed.
For security reasons we should not have to clone the BasicAuthenticationFilter to achieve this.
Sample
To Follow