From 75d03240199bb23fe37391fa6006b7c9443de53e Mon Sep 17 00:00:00 2001
From: Stephen Joyner
Date: Wed, 7 Oct 2020 08:10:59 -0500
Subject: [PATCH] Returns the name of the authenticated principle instead of falling through to the toString() method which may render a string representation of the entire object rather than a username.

---
 ...urityContextHolderAwareRequestWrapper.java | 4 ++++
 ...ContextHolderAwareRequestWrapperTests.java | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java
index e9d434e4e00..147a9c5944f 100644
--- a/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java
+++ b/web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapper.java
@@ -24,6 +24,7 @@ import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
+import org.springframework.security.core.AuthenticatedPrincipal;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -106,6 +107,9 @@ public String getRemoteUser() {
 if (auth.getPrincipal() instanceof UserDetails) {
 return ((UserDetails) auth.getPrincipal()).getUsername();
 }
+ if (auth.getPrincipal() instanceof AuthenticatedPrincipal) {
+ return ((AuthenticatedPrincipal) auth.getPrincipal()).getName();
+ }
 return auth.getPrincipal().toString();
 }
 
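Review bot: The new `AuthenticatedPrincipal` branch still leaves `return auth.getPrincipal().toString();` as the catch-all, so any principal that is neither `UserDetails` nor `AuthenticatedPrincipal` keeps exposing whatever its `toString()` renders through `getRemoteUser()` — the same over-disclosure the commit closes for one interface, and `getRemoteUser()` values commonly end up in access logs and headers. A principal implementing `java.security.Principal` carries a `getName()` that could be consulted before that fallback, e.g. `if (auth.getPrincipal() instanceof Principal) { return ((Principal) auth.getPrincipal()).getName(); }` with the matching import, although whether existing callers depend on the current string form needs confirming. The hunk now calls `auth.getPrincipal()` five times; hoisting it once into `Object principal = auth.getPrincipal();` would shorten every branch and make the resolution order easier to read. The method's Javadoc, which lies outside the hunk together with the signature and null checks, should state that order: `UserDetails#getUsername`, then `AuthenticatedPrincipal#getName`, then `toString()` as the last resort.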
diff --git a/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java b/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java
index f7df38e78bb..7fd00fc44df 100644
--- a/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java
+++ b/web/src/test/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestWrapperTests.java
@@ -21,12 +21,17 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.AuthenticatedPrincipal;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 /**
 * Tests {@link SecurityContextHolderAwareRequestWrapper}.
@@ -130,4 +135,18 @@ public void testRolePrefixNotAppliedIfRoleStartsWith() {
 assertThat(wrapper.isUserInRole("ROLE_FOOBAR")).isTrue();
 }
+ @Test
+ public void testGetRemoteUserStringWithAuthenticatedPrinciple() {
+ String username = "authPrincipleUsername";
+ AuthenticatedPrincipal principal = mock(AuthenticatedPrincipal.class);
+ given(principal.getName()).willReturn(username);
+ Authentication auth = new TestingAuthenticationToken(principal, "user");
+ SecurityContextHolder.getContext().setAuthentication(auth);
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setRequestURI("/");
+ SecurityContextHolderAwareRequestWrapper wrapper = new SecurityContextHolderAwareRequestWrapper(request, "");
+ assertThat(wrapper.getRemoteUser()).isEqualTo(username);
+ verify(principal, times(1)).getName();
+ }
+
 }
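Review bot: The new test's name and fixture spell the concept as `Principle` (`testGetRemoteUserStringWithAuthenticatedPrinciple`, `"authPrincipleUsername"`) while the interface under test is `AuthenticatedPrincipal`; renaming to `public void testGetRemoteUserStringWithAuthenticatedPrincipal()` and `String username = "authPrincipalUsername";` keeps the test discoverable when searching for the type. `verify(principal, times(1)).getName();` can be shortened to `verify(principal).getName();`, since a single invocation is Mockito's default expectation, which would also drop the `times` import. The test stores the mock authentication in `SecurityContextHolder` and never clears it; if the class does not already reset the context in a teardown method (not visible in this hunk), the authentication leaks into whichever test runs next.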