[Security] [Bug] AuthenticationManager is never run by AnonymousAuthenticationListener #10651
Labels
Comments
|
If we don'r add this fixed all Anonymous tokens are shared between firewalls because token is not authenticated, so whether we should remove key from AnonymousToken or add this fix and verify token. |
fabpot
added a commit
that referenced
this issue
Sep 25, 2014
…enticationListener (Kacper Gunia) This PR was merged into the 2.6-dev branch. Discussion ---------- [Security] Call AuthenticationManager in AnonymousAuthenticationListener | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | yes | Deprecations? | no | Tests pass? | yes | Fixed tickets | #10651 | License | MIT | Doc PR | - Commits ------- 78fa5e2 Call AuthenticationManager in AnonymousAuthenticationListener
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
AnonymousAuthenticationProvidercontainsauthenticatemethod that verifies wether populated AnonymousToken has the same key as current firewall, which is correct but never run.To fix that we need in method
AnonymousAuthenticationListener::handleadd call toAuthenticationManager::authenticateand catch Exception that method may throw.I've got a fix already and could send a PR if you think that's the right approach.
The text was updated successfully, but these errors were encountered: