mirror of
https://github.com/spring-projects/spring-boot.git
synced 2024-09-03 04:26:12 +08:00
Tolerate AuthenticationSwitchUserEvent with null target user
When Spring Security is misconfigured it's possible to switch from an anonymous user to a normal user. When switching back again, the corresponding AuthenticationSwitchUserEvent will have a null target user. Previously, Actuator's AuthenticationAuditListener would throw a NullPointerException when it received such an event. This commit updates the audit listener to defensively handled events with a null target user. Closes gh-15767
This commit is contained in:
parent
a74717307f
commit
8e6b4629d4
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2012-2017 the original author or authors.
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -103,7 +103,9 @@ public class AuthenticationAuditListener extends AbstractAuthenticationAuditList
|
||||
if (event.getAuthentication().getDetails() != null) {
|
||||
data.put("details", event.getAuthentication().getDetails());
|
||||
}
|
||||
data.put("target", event.getTargetUser().getUsername());
|
||||
if (event.getTargetUser() != null) {
|
||||
data.put("target", event.getTargetUser().getUsername());
|
||||
}
|
||||
listener.publish(new AuditEvent(event.getAuthentication().getName(),
|
||||
AUTHENTICATION_SWITCH, data));
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2012-2018 the original author or authors.
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -92,6 +92,16 @@ public class AuthenticationAuditListenerTests {
|
||||
.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_SWITCH);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthenticationSwitchBackToAnonymous() {
|
||||
AuditApplicationEvent event = handleAuthenticationEvent(
|
||||
new AuthenticationSwitchUserEvent(
|
||||
new UsernamePasswordAuthenticationToken("user", "password"),
|
||||
null));
|
||||
assertThat(event.getAuditEvent().getType())
|
||||
.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_SWITCH);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDetailsAreIncludedInAuditEvent() {
|
||||
Object details = new Object();
|
||||
|
Loading…
Reference in New Issue
Block a user