SEC-1962: add cache-ref to authentication-provider, add allow-empty-authorities to java-user-service #2187


Closed
spring-projects-issues opened this issue May 21, 2012 · 4 comments
Labels
in: config An issue in spring-security-config in: core An issue in spring-security-core status: declined A suggestion or change that we don't feel we should currently apply type: enhancement A general enhancement type: jira An issue that was migrated from JIRA

Comments


Xu Huisheng (Migrated from SEC-1962) said:

add cache-ref to <authentication-provider>

At this time, we can use the cache-ref attribute in user-detail-service. It seems to create a new instance of CacheUserDetailsService to cache the UserDetails, but if you only set the userCache of JdbcDaoImpl, it will cause an Exception. Because JdbcDaoImpl will evict the password, if the same user logs out and tries to log in again, it will say that the credential is not correct, and the user cannot log in to the system until the cache expires.

So the cache-ref of user-detail-service is confusing: although it will be set on DaoAuthenticationProvider, creating a CacheUserDetailsService is such a waste. So I wish there were a cache-ref for authentication-provider to do the same thing, which would be more meaningful.

add allow-empty-authorities to <java-user-service>

If the logged-in user has no authorities, a UserNotFoundException will always be thrown. I wish there were an attribute to control whether we should throw an exception, so I added allow-empty-authorities to do this.

The pull request is here: #7

Please review it. Thank you very much.


Rob Winch said:

Closing as Won't Fix for the following reasons:

  • The allow-empty-authorities is unnecessary since you can create a query that defaults in roles. For example you could use the following query
    select username, 'ROLE_USER' from myusers where username = ?
  • You can still use the cache, you just need to specify erase-credentials="false". I have created SEC-2019 to perform some validation around this to prevent this misconfiguration.

A few additional points for making future requests:

  • Break up each feature into its own JIRA. This is important because one feature may get accepted and another may be rejected, one feature may be faster to implement etc.
  • Please review the Contributor Guidelines for submission of code. A few things to pay attention to include: Run all tests prior to submission, Submit JUnit test cases for all behavioral changes, commit comment formats, etc.
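The two settings Rob points to, shown side by side in Spring Security namespace XML as an added illustration (this is not code from the issue or from the Spring Security project). The commented-out block is the misconfiguration the report describes; the active block is the corrected one. It assumes a `dataSource` bean, a `userCache` bean implementing `UserCache`, and the `myusers` table from Rob's query with `username`, `password` and `enabled` columns.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Assumed beans, defined elsewhere: "dataSource" (a javax.sql.DataSource)
         and "userCache" (an org.springframework.security.core.userdetails.UserCache,
         for example EhCacheBasedUserCache wrapping an Ehcache instance). -->

    <!-- MISCONFIGURATION reproducing the report: cache-ref combined with the
         default erase-credentials="true". After a successful login the
         ProviderManager erases the password on the returned Authentication.
         The principal is the same UserDetails instance that the cache holds,
         so the cached entry loses its password and the next login for that
         user fails with bad credentials until the cache entry expires.
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource" cache-ref="userCache"/>
        </authentication-provider>
    </authentication-manager>
    -->

    <!-- CORRECTED: keep the credentials on the cached UserDetails, and give
         every user ROLE_USER from the authorities query so no account comes
         back with an empty authority list. -->
    <authentication-manager erase-credentials="false">
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                cache-ref="userCache"
                users-by-username-query=
                    "select username, password, enabled from myusers where username = ?"
                authorities-by-username-query=
                    "select username, 'ROLE_USER' from myusers where username = ?"/>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

The trade-off of erase-credentials="false" is that the (hashed) password stays on the in-memory principal for as long as the cache entry and the Authentication live, which is the price of caching UserDetails this way.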


Xu Huisheng said:

Hi Rob, thank you for your advice on contributing.

Although I can use your suggestion to avoid the empty-authorities check, it will cause users to have a meaningless authority. I have to check twice in my code to decide which users have authorities and which users have none and should be given a special authority, e.g. 'ROLE_NOTHING'; that is not pretty.
So if you don't mind, I will create another issue for allow-empty-authorities and do another pull request.

Waiting for your reply.


Rob Winch said:

Not having roles blurs the line of authentication vs authorization. Additionally, while ROLE_NOTHING seems "not pretty", ROLE_USER seems very logical (they are a user after all).


Xu Huisheng said:

OK, I got what you mean. Actually, one without any Roles is weird.
What I am working on is achieving the 'shiro style permission' in SpringSecurity, so one without any Permissions is normal. I think I could launch a new discussion after finishing my job.

Thank you for your reply :)

@spring-projects-issues spring-projects-issues added in: core An issue in spring-security-core Namespace type: enhancement A general enhancement status: declined A suggestion or change that we don't feel we should currently apply type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@rwinch rwinch added the in: config An issue in spring-security-config label May 3, 2019