SEC-1586: RemoteAuthenticationException is not catch by spring security filter #1825
Comments
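Per Holmberg said: As a work-around, you can create and use this bean class:

```java
import org.springframework.security.authentication.rcp.RemoteAuthenticationException;
import org.springframework.security.authentication.rcp.RemoteAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class FixedRemoteAuthenticationProvider extends RemoteAuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) {
        try {
            return super.authenticate(auth);
        } catch (RemoteAuthenticationException rae) {
            // Re-throw as an AuthenticationException (anonymous subclass of the
            // abstract type) so the Spring Security filter chain handles it.
            throw new AuthenticationException(rae.getMessage(), rae) { };
        }
    }
}
```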
This issue is ideal for contributions. The solution would modify
@rwinch can I work on this?
Since serialization-based remoting is deprecated, maybe this should be deprecated too?
@holmis83 thanks for bringing this up. To be clear, are you referring to spring-projects/spring-framework#25379 or something else?
@jzheaux Yes, RemoteAuthenticationManager is (was?) typically used in conjunction with
@SeifMostafa You are right. What's more is that for 6.x RMI support was removed. See gh-10366
Ludovic Praud (Migrated from SEC-1586) said:
When using remote authentication over RMI, I use the RemoteAuthenticationManagerImpl class, which translates AuthenticationException into RemoteAuthenticationException. When the exception comes back to the client layer, the Spring Security filter does not catch it because it is not of AuthenticationException type. This is not very useful because I'd expect the Spring Security filter to handle this transparently. But right now I need to translate this exception myself. It would be cool to provide such translation in the client-side implementation of RemoteAuthenticationProvider.