SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

UserInfo is set as Principal but does not satisfy Spring "Spec" #9

Closed nenaraab closed 5 years ago

nenaraab commented 5 years ago

Problem

UserInfo is set as Principal by the UserInfoAuthenticationToken, which implements org.springframework.security.core.Authentication.

The Spring framework often calls SecurityContextHolder.getContext().getAuthentication().getPrincipal() and expects either a Principal of type org.springframework.security.core.userdetails.UserDetails or expects (more implicitly) that the toString() method is implemented in such a way that it returns a (unique) userName...

The simplest fix would be to let the UserInfo in the commons lib override the toString() method:

/**
 * As principal it should return a unique user name as required by Spring Security.
 */
@Override
public String toString() {
   return getLogonName();
}

Note: This was also an incompatible change to SAPUserDetails, which was provided with the SAP-internal library security-commons version 0.31.0.

nenaraab commented 5 years ago

@mwdb Unfortunately your pull request does not fix the issue. It must be something that can be used as a database entry for the Spring ACL tables, e.g. getLogonName().

nenaraab commented 5 years ago

Merged into the develop branch.

nenaraab commented 5 years ago

See https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/Token.java, which now implements org.springframework.security.core.userdetails.UserDetails.
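An added illustration for this thread (not code from the issue or from the SAP library): the Java sketch below models the fallback the issue describes, where the principal name comes from UserDetails.getUsername() or otherwise from toString(), and shows why the default Object.toString() cannot serve as a key for ACL entries. The classes UserInfoBefore, UserInfoAfter and TokenPrincipal, the nested UserDetails interface, principalName() and the user jane.doe are constructed for the example; Map.of needs Java 9 or later.

```java
import java.util.Map;

public class PrincipalNameDemo {
    // Hypothetical stand-in for Spring's UserDetails (only the method used here).
    interface UserDetails { String getUsername(); }

    // Before the fix: no toString(), so Object.toString() yields "Class@hash".
    static class UserInfoBefore {
        final String logonName;
        UserInfoBefore(String logonName) { this.logonName = logonName; }
        String getLogonName() { return logonName; }
    }

    // Fix proposed in the issue: toString() returns the logon name.
    static class UserInfoAfter extends UserInfoBefore {
        UserInfoAfter(String logonName) { super(logonName); }
        @Override public String toString() { return getLogonName(); }
    }

    // End state mentioned in the thread: the principal itself is a UserDetails.
    static class TokenPrincipal implements UserDetails {
        final String logonName;
        TokenPrincipal(String logonName) { this.logonName = logonName; }
        @Override public String getUsername() { return logonName; }
    }

    // Simplified model (an assumption, not Spring's code) of the name lookup:
    // prefer UserDetails.getUsername(), otherwise fall back to toString().
    static String principalName(Object principal) {
        if (principal instanceof UserDetails) return ((UserDetails) principal).getUsername();
        return principal.toString();
    }

    public static void main(String[] args) {
        // Constructed ACL row: permission stored under the user's name.
        Map<String, String> acl = Map.of("jane.doe", "READ");
        // Every request creates a fresh principal object for the same user.
        Object[] principals = {
            new UserInfoBefore("jane.doe"), new UserInfoBefore("jane.doe"),
            new UserInfoAfter("jane.doe"), new TokenPrincipal("jane.doe")
        };
        for (Object p : principals) {
            String sid = principalName(p);
            System.out.println(p.getClass().getSimpleName() + " -> sid=" + sid
                    + " permission=" + acl.getOrDefault(sid, "NONE"));
        }
    }
}
```

The two UserInfoBefore instances produce different, per-object identity strings, so neither matches the stored ACL row, while the toString() override and the UserDetails variant both resolve to the same stable name.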