[Geoserver-devel] [JIRA] (GEOS-11036) The OAuth2*/OIDC security filters do not work as expected anymore after the spring-security-core dependency update to 5.7.8

Alessio Fabiani created an issue

GeoServer / Bug GEOS-11036

The OAuth2*/OIDC security filters do not work as expected anymore after the spring-security-core dependency update to 5.7.8

Issue Type:

Bug

Assignee:

Unassigned

Created:

19/Jun/23 2:56 PM

Priority:

Medium

Reporter:

Alessio Fabiani

Recently the spring-security-core dependency of GeoServer was upgraded due to a security fix, as per https://github.com/geoserver/geoserver/pull/6830

The upgrade introduced some issues into the OAuth2 security filter logic, mainly due to the anonymous session token, which is now correctly populated.

The filter assumes that an anonymous user is always associated with a null security context authority, which is wrong. Now an anonymous user will be associated with an AnonymousAuthortyToken, which will also be recognized by the spring-oauth2 plugin in order to perform additional checks on the OAuth2 resources.

A simple change to the logic checks would allow us to easily fix this behavior and benefit from the new spring-security-core improvement.
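The check the description refers to, as an added illustration that is not GeoServer's own filter code: the token the reporter calls "AnonymousAuthortyToken" is Spring Security's AnonymousAuthenticationToken, which AnonymousAuthenticationFilter places in the SecurityContext for unauthenticated requests. The old assumption ("anonymous means getAuthentication() returns null") is shown next to a corrected check that also treats an anonymous token as "not logged in" via Spring Security's AuthenticationTrustResolver. The class and method names (AnonymousCheckExample, needsOAuth2LoginOld, needsOAuth2LoginFixed) are hypothetical; the example assumes spring-security-core 5.7.x on the classpath and uses only that library's public API.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added illustration of the null-vs-anonymous check described in GEOS-11036.
 * Not GeoServer code: class and method names are hypothetical.
 * Requires spring-security-core 5.7.x on the classpath.
 */
public class AnonymousCheckExample {

    private static final AuthenticationTrustResolver TRUST_RESOLVER =
            new AuthenticationTrustResolverImpl();

    /** Old assumption: an empty SecurityContext is the only way a user can be anonymous. */
    static boolean needsOAuth2LoginOld(Authentication auth) {
        return auth == null;
    }

    /**
     * Corrected check: a missing Authentication and an AnonymousAuthenticationToken
     * both mean "no real principal yet", so the OAuth2 flow must still run.
     * AuthenticationTrustResolverImpl.isAnonymous() returns false for null, hence the guard.
     */
    static boolean needsOAuth2LoginFixed(Authentication auth) {
        return auth == null || TRUST_RESOLVER.isAnonymous(auth);
    }

    private static void report(String label, Authentication auth) {
        System.out.printf("%-20s old=%-5s fixed=%-5s%n", label,
                needsOAuth2LoginOld(auth), needsOAuth2LoginFixed(auth));
    }

    public static void main(String[] args) {
        // Case 1: empty context, the only shape the old check knew how to recognise.
        SecurityContextHolder.clearContext();
        report("null authentication", SecurityContextHolder.getContext().getAuthentication());

        // Case 2: what the upgraded anonymous filter now stores for an unauthenticated request.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        SecurityContextHolder.getContext().setAuthentication(anonymous);
        report("anonymous token", SecurityContextHolder.getContext().getAuthentication());

        // Case 3: a genuinely authenticated user; neither check should start a new login.
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_AUTHENTICATED"));
        SecurityContextHolder.getContext().setAuthentication(user);
        report("authenticated user", SecurityContextHolder.getContext().getAuthentication());

        SecurityContextHolder.clearContext();
    }
}
```

Running it shows the divergence the issue describes: for the anonymous-token case the old check reports that no login is needed, so a filter built on it mistakes the anonymous principal for an authenticated one and skips the OAuth2/OIDC flow, while the corrected check still triggers it; both checks agree on the empty-context and authenticated-user cases. Using the trust resolver rather than an `instanceof` also covers custom anonymous token classes configured on the resolver.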



This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100227-sha1:8ffa416)
