diff --git a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java
index 2352887b1f7..a122eb6c585 100644
--- a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java
+++ b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java
@@ -246,7 +246,8 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 this.logger.debug("Failed to obtain an artifact (cas ticket)");
 password = "";
 }
- UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
+ UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username,
+ password);
 authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
 return this.getAuthenticationManager().authenticate(authRequest);
 }
diff --git a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
index 242d32a730d..b469d73af51 100644
--- a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
+++ b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
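Review bot: The empty-ticket path deserves a comment where the token is built in `attemptAuthentication`: the context lines set `password = ""` after logging that no artifact was obtained, and the request is still wrapped in `UsernamePasswordAuthenticationToken.unauthenticated(username, password)` and handed to the authentication manager. Rejecting the blank ticket is therefore left to the provider, which the `missingTicketIdIsDetected` test touched by this commit appears to cover for the stateful identifier. I would add `// A blank ticket is passed on deliberately; the CAS provider is expected to reject it with BadCredentialsException` above the factory call. The method starts outside the hunk, so any earlier handling of the artifact is not visible here.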
@@ -87,8 +87,8 @@ public void statefulAuthenticationIsSuccessful() throws Exception { cap.setServiceProperties(makeServiceProperties()); cap.setTicketValidator(new MockTicketValidator(true)); cap.afterPropertiesSet(); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( - CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "ST-123"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .unauthenticated(CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "ST-123"); token.setDetails("details"); Authentication result = cap.authenticate(token); // Confirm ST-123 was NOT added to the cache @@ -120,8 +120,8 @@ public void statelessAuthenticationIsSuccessful() throws Exception { cap.setTicketValidator(new MockTicketValidator(true)); cap.setServiceProperties(makeServiceProperties()); cap.afterPropertiesSet(); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( - CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, "ST-456"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .unauthenticated(CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, "ST-456"); token.setDetails("details"); Authentication result = cap.authenticate(token); // Confirm ST-456 was added to the cache @@ -157,8 +157,8 @@ public void authenticateAllNullService() throws Exception { cap.setServiceProperties(serviceProperties); cap.afterPropertiesSet(); String ticket = "ST-456"; - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( - CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .unauthenticated(CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket); Authentication result = cap.authenticate(token); } 
@@ -178,8 +178,8 @@ public void authenticateAllAuthenticationIsSuccessful() throws Exception { cap.setServiceProperties(serviceProperties); cap.afterPropertiesSet(); String ticket = "ST-456"; - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( - CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .unauthenticated(CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER, ticket); Authentication result = cap.authenticate(token); verify(validator).validate(ticket, serviceProperties.getService()); serviceProperties.setAuthenticateAllArtifacts(true); @@ -211,8 +211,8 @@ public void missingTicketIdIsDetected() throws Exception { cap.setTicketValidator(new MockTicketValidator(true)); cap.setServiceProperties(makeServiceProperties()); cap.afterPropertiesSet(); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( - CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, ""); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .unauthenticated(CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, ""); assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> cap.authenticate(token)); } @@ -314,8 +314,8 @@ public void ignoresUsernamePasswordAuthenticationTokensWithoutCasIdentifiersAsPr cap.setTicketValidator(new MockTicketValidator(true)); cap.setServiceProperties(makeServiceProperties()); cap.afterPropertiesSet(); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("some_normal_user", - "password", AuthorityUtils.createAuthorityList("ROLE_A")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .authenticated("some_normal_user", "password", AuthorityUtils.createAuthorityList("ROLE_A")); assertThat(cap.authenticate(token)).isNull(); } 
diff --git a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java index 8ac076830be..364240a3a9a 100644 --- a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java +++ b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java @@ -121,8 +121,8 @@ public void testNotEqualsDueToDifferentAuthenticationClass() { final Assertion assertion = new AssertionImpl("test"); CasAuthenticationToken token1 = new CasAuthenticationToken("key", makeUserDetails(), "Password", this.ROLES, makeUserDetails(), assertion); - UsernamePasswordAuthenticationToken token2 = new UsernamePasswordAuthenticationToken("Test", "Password", - this.ROLES); + UsernamePasswordAuthenticationToken token2 = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", this.ROLES); assertThat(!token1.equals(token2)).isTrue(); } diff --git a/config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java b/config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java index 43b29094777..d3b0f5c20c5 100644 --- a/config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java +++ b/config/src/integration-test/java/org/springframework/security/config/ldap/LdapProviderBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -56,7 +56,7 @@ public void simpleProviderAuthenticatesCorrectly() { AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER, AuthenticationManager.class); Authentication auth = authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword")); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword")); UserDetails ben = (UserDetails) auth.getPrincipal(); assertThat(ben.getAuthorities()).hasSize(3); } @@ -89,7 +89,7 @@ public void supportsPasswordComparisonAuthentication() { AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER, AuthenticationManager.class); Authentication auth = authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("ben", "benspassword")); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword")); assertThat(auth).isNotNull(); } @@ -104,7 +104,8 @@ public void supportsPasswordComparisonAuthenticationWithPasswordEncoder() { AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER, AuthenticationManager.class); - Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("ben", "ben")); + Authentication auth = authenticationManager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "ben")); assertThat(auth).isNotNull(); } @@ -121,7 +122,7 @@ public void supportsCryptoPasswordEncoder() { AuthenticationManager authenticationManager = this.appCtx.getBean(BeanIds.AUTHENTICATION_MANAGER, AuthenticationManager.class); Authentication auth = authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("bcrypt", "password")); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("bcrypt", "password")); assertThat(auth).isNotNull(); } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java index ddf6c5d9301..1565ea5c90b 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -93,8 +93,8 @@ public void customAuthenticationEventPublisherWithWeb() throws Exception { given(opp.postProcess(any())).willAnswer((a) -> a.getArgument(0)); AuthenticationManager am = new AuthenticationManagerBuilder(opp).authenticationEventPublisher(aep) .inMemoryAuthentication().and().build(); - assertThatExceptionOfType(AuthenticationException.class) - .isThrownBy(() -> am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"))); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy( + () -> am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"))); verify(aep).publishAuthenticationFailure(any(), any()); } 
@@ -103,7 +103,8 @@ public void getAuthenticationManagerWhenGlobalPasswordEncoderBeanThenUsed() thro this.spring.register(PasswordEncoderGlobalConfig.class).autowire(); AuthenticationManager manager = this.spring.getContext().getBean(AuthenticationConfiguration.class) .getAuthenticationManager(); - Authentication auth = manager.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + Authentication auth = manager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); assertThat(auth.getName()).isEqualTo("user"); assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER"); } @@ -113,7 +114,8 @@ public void getAuthenticationManagerWhenProtectedPasswordEncoderBeanThenUsed() t this.spring.register(PasswordEncoderGlobalConfig.class).autowire(); AuthenticationManager manager = this.spring.getContext().getBean(AuthenticationConfiguration.class) .getAuthenticationManager(); - Authentication auth = manager.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + Authentication auth = manager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); assertThat(auth.getName()).isEqualTo("user"); assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER"); } diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationPublishTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationPublishTests.java index c313502b369..fc0931cf96a 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationPublishTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationPublishTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,7 +47,8 @@ public class AuthenticationConfigurationPublishTests { // gh-4940 @Test public void authenticationEventPublisherBeanUsedByDefault() { - this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + this.authenticationManager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); assertThat(this.listener.getEvents()).hasSize(1); } diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java index 412768d1241..243bb0284e6 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -129,7 +129,8 @@ public void getAuthenticationManagerWhenNoOpGlobalAuthenticationConfigurerAdapte @Test public void getAuthenticationWhenGlobalAuthenticationConfigurerAdapterThenAuthenticates() throws Exception { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user", + "password"); this.spring.register(AuthenticationConfiguration.class, ObjectPostProcessorConfiguration.class, UserGlobalAuthenticationConfigurerAdapter.class).autowire(); AuthenticationManager authentication = this.spring.getContext().getBean(AuthenticationConfiguration.class) @@ -139,7 +140,8 @@ public void getAuthenticationWhenGlobalAuthenticationConfigurerAdapterThenAuthen @Test public void getAuthenticationWhenAuthenticationManagerBeanThenAuthenticates() throws Exception { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user", + "password"); this.spring.register(AuthenticationConfiguration.class, ObjectPostProcessorConfiguration.class, AuthenticationManagerBeanConfig.class).autowire(); AuthenticationManager authentication = this.spring.getContext().getBean(AuthenticationConfiguration.class) 
@@ -165,9 +167,9 @@ public void getAuthenticationWhenConfiguredThenBootNotTrigger() throws Exception config.setGlobalAuthenticationConfigurers(Arrays.asList(new ConfiguresInMemoryConfigurerAdapter(), new BootGlobalAuthenticationConfigurerAdapter())); AuthenticationManager authenticationManager = config.getAuthenticationManager(); - authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); - assertThatExceptionOfType(AuthenticationException.class).isThrownBy( - () -> authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("boot", "password"))); + authenticationManager.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> authenticationManager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("boot", "password"))); } @Test @@ -176,7 +178,7 @@ public void getAuthenticationWhenNotConfiguredThenBootTrigger() throws Exception AuthenticationConfiguration config = this.spring.getContext().getBean(AuthenticationConfiguration.class); config.setGlobalAuthenticationConfigurers(Arrays.asList(new BootGlobalAuthenticationConfigurerAdapter())); AuthenticationManager authenticationManager = config.getAuthenticationManager(); - authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("boot", "password")); + authenticationManager.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("boot", "password")); } // gh-2531 
@@ -206,9 +208,9 @@ public void getAuthenticationWhenUserDetailsServiceBeanThenAuthenticationManager AuthenticationManager am = this.spring.getContext().getBean(AuthenticationConfiguration.class) .getAuthenticationManager(); given(uds.loadUserByUsername("user")).willReturn(PasswordEncodedUser.user(), PasswordEncodedUser.user()); - am.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); - assertThatExceptionOfType(AuthenticationException.class) - .isThrownBy(() -> am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid"))); + am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy( + () -> am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "invalid"))); } @Test @@ -221,9 +223,9 @@ public void getAuthenticationWhenUserDetailsServiceAndPasswordEncoderBeanThenEnc .getAuthenticationManager(); given(uds.loadUserByUsername("user")).willReturn(User.withUserDetails(user).build(), User.withUserDetails(user).build()); - am.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); - assertThatExceptionOfType(AuthenticationException.class) - .isThrownBy(() -> am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid"))); + am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy( + () -> am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "invalid"))); } @Test 
@@ -237,7 +239,7 @@ public void getAuthenticationWhenUserDetailsServiceAndPasswordManagerThenManager given(manager.loadUserByUsername("user")).willReturn(User.withUserDetails(user).build(), User.withUserDetails(user).build()); given(manager.updatePassword(any(), any())).willReturn(user); - am.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); verify(manager).updatePassword(eq(user), startsWith("{bcrypt}")); } @@ -250,7 +252,7 @@ public void getAuthenticationWhenAuthenticationProviderAndUserDetailsBeanThenAut .getAuthenticationManager(); given(ap.supports(any())).willReturn(true); given(ap.authenticate(any())).willReturn(TestAuthentication.authenticatedUser()); - am.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); } // gh-3091 @@ -262,7 +264,7 @@ public void getAuthenticationWhenAuthenticationProviderBeanThenUsed() throws Exc .getAuthenticationManager(); given(ap.supports(any())).willReturn(true); given(ap.authenticate(any())).willReturn(TestAuthentication.authenticatedUser()); - am.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + am.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); } @Test diff --git a/config/src/test/java/org/springframework/security/config/annotation/issue50/Issue50Tests.java b/config/src/test/java/org/springframework/security/config/annotation/issue50/Issue50Tests.java index 6de1764992b..668f45f2128 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/issue50/Issue50Tests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/issue50/Issue50Tests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -75,21 +75,21 @@ public void loadWhenGlobalMethodSecurityConfigurationThenAuthenticationManagerLa @Test public void authenticateWhenMissingUserThenUsernameNotFoundException() { assertThatExceptionOfType(UsernameNotFoundException.class).isThrownBy(() -> this.authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("test", "password"))); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "password"))); } @Test public void authenticateWhenInvalidPasswordThenBadCredentialsException() { this.userRepo.save(User.withUsernameAndPassword("test", "password")); assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> this.authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("test", "invalid"))); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "invalid"))); } @Test public void authenticateWhenValidUserThenAuthenticates() { this.userRepo.save(User.withUsernameAndPassword("test", "password")); Authentication result = this.authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("test", "password")); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "password")); assertThat(result.getName()).isEqualTo("test"); } 
@@ -98,7 +98,7 @@ public void globalMethodSecurityIsEnabledWhenNotAllowedThenAccessDenied() { SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("test", null, "ROLE_USER")); this.userRepo.save(User.withUsernameAndPassword("denied", "password")); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> this.authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("test", "password"))); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("test", "password"))); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java index 2a0ae08bbe2..b7f0a2cf85f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -106,8 +106,8 @@ public void configureWhenGlobalMethodSecurityHasCustomMetadataSourceThenNoEnabli @Test public void methodSecurityAuthenticationManagerPublishesEvent() { this.spring.register(InMemoryAuthWithGlobalMethodSecurityConfig.class).autowire(); - assertThatExceptionOfType(AuthenticationException.class).isThrownBy( - () -> this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("foo", "bar"))); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> this.authenticationManager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("foo", "bar"))); assertThat(this.events.getEvents()).extracting(Object::getClass) .containsOnly((Class) AuthenticationFailureBadCredentialsEvent.class); } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java index 0899165c924..2272e476df1 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/AuthenticationPrincipalArgumentResolverTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -65,7 +65,7 @@ public void authenticationPrincipalExpressionWhenBeanExpressionSuppliedThenBeanU User user = new User("user", "password", AuthorityUtils.createAuthorityList("ROLE_USER")); SecurityContext context = SecurityContextHolder.createEmptyContext(); context.setAuthentication( - new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities())); + UsernamePasswordAuthenticationToken.authenticated(user, user.getPassword(), user.getAuthorities())); SecurityContextHolder.setContext(context); MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); // @formatter:off diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java index dd05d35cc08..0f50a172faf 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/EnableWebSecurityTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -60,7 +60,7 @@ public void configureWhenOverrideAuthenticationManagerBeanThenAuthenticationMana this.spring.register(SecurityConfig.class).autowire(); AuthenticationManager authenticationManager = this.spring.getContext().getBean(AuthenticationManager.class); Authentication authentication = authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); assertThat(authentication.isAuthenticated()).isTrue(); } 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java index c6dfde38af5..1f0b876d272 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -1013,7 +1013,7 @@ static AuthenticationManager authenticationManager1() { return new ProviderManager(new AuthenticationProvider() { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { - return new UsernamePasswordAuthenticationToken("user", "credentials"); + return UsernamePasswordAuthenticationToken.unauthenticated("user", "credentials"); } @Override @@ -1028,7 +1028,7 @@ static AuthenticationManager authenticationManager2() { return new ProviderManager(new AuthenticationProvider() { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { - return new UsernamePasswordAuthenticationToken("subuser", "credentials"); + return UsernamePasswordAuthenticationToken.unauthenticated("subuser", "credentials"); } @Override diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java index cc8c9dc8856..2fffb4f2a3f 100644 
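Review bot: In `authenticationManager1()` the stub provider's `authenticate` now returns `UsernamePasswordAuthenticationToken.unauthenticated("user", "credentials")`, so a "successful" authentication yields a token whose `isAuthenticated()` is false; `authenticationManager2()` does the same with `"subuser"`. The two-argument constructor it replaces behaved the same way, so nothing regresses, but the factory name now makes the oddity explicit and a stub like this is easy to copy into real provider code. If the tests only assert on the principal name (their assertions are outside these hunks), `UsernamePasswordAuthenticationToken.authenticated("user", "credentials", AuthorityUtils.NO_AUTHORITIES)` would model a provider result more faithfully; otherwise a comment such as `// unauthenticated on purpose: only the principal name is asserted` would record the intent.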
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeRequestsTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -150,7 +150,7 @@ public void antMatchersPathVariablesCaseInsensitiveCamelCaseVariables() throws E public void roleHiearchy() throws Exception { loadConfig(RoleHiearchyConfig.class); SecurityContext securityContext = new SecurityContextImpl(); - securityContext.setAuthentication(new UsernamePasswordAuthenticationToken("test", "notused", + securityContext.setAuthentication(UsernamePasswordAuthenticationToken.authenticated("test", "notused", AuthorityUtils.createAuthorityList("ROLE_USER"))); this.request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, securityContext); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java index 6f5c5aec5d6..4301210456e 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpInterceptUrlTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -100,7 +100,8 @@ public void requestWhenRequiresChannelThenBehaviorMatchesNamespace() throws Exce } private static Authentication user(String role) { - return new UsernamePasswordAuthenticationToken("user", null, AuthorityUtils.createAuthorityList(role)); + return UsernamePasswordAuthenticationToken.authenticated("user", null, + AuthorityUtils.createAuthorityList(role)); } @EnableWebSecurity diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java index 7e2cfa0e413..3801a10ed90 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -97,7 +97,7 @@ public void requestWhenCustomAccessDeniedHandlerInLambdaThenBehaviorMatchesNames } private static Authentication user() { - return new UsernamePasswordAuthenticationToken("user", null, AuthorityUtils.NO_AUTHORITIES); + return UsernamePasswordAuthenticationToken.authenticated("user", null, AuthorityUtils.NO_AUTHORITIES); } private T verifyBean(Class beanClass) { diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java index 6d5c0d50d75..5f71fabd981 100644 
--- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationConfigurationGh3935Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 the original author or authors. + * Copyright 2012-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -72,7 +72,7 @@ public void delegateUsesExisitingAuthentication() { AuthenticationManager authenticationManager = this.adapter.authenticationManager; assertThat(authenticationManager).isNotNull(); Authentication auth = authenticationManager - .authenticate(new UsernamePasswordAuthenticationToken(username, password)); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated(username, password)); verify(this.uds).loadUserByUsername(username); assertThat(auth.getPrincipal()).isEqualTo(PasswordEncodedUser.user()); } diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java index df39c4b8b32..0d16101f622 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationManagerBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -98,7 +98,7 @@ public void eventsArePublishedByDefault() throws Exception { Object eventPublisher = FieldUtils.getFieldValue(pm, "eventPublisher"); assertThat(eventPublisher).isNotNull(); assertThat(eventPublisher instanceof DefaultAuthenticationEventPublisher).isTrue(); - pm.authenticate(new UsernamePasswordAuthenticationToken("bob", "bobspassword")); + pm.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("bob", "bobspassword")); assertThat(listener.events).hasSize(1); } diff --git a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java index b32069216dc..eccb380c6b4 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/AuthenticationProviderBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -42,7 +42,8 @@ public class AuthenticationProviderBeanDefinitionParserTests { private AbstractXmlApplicationContext appContext; - private UsernamePasswordAuthenticationToken bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword"); + private UsernamePasswordAuthenticationToken bob = UsernamePasswordAuthenticationToken.unauthenticated("bob", + "bobspassword"); @AfterEach public void closeAppContext() { 
diff --git a/config/src/test/java/org/springframework/security/config/authentication/JdbcUserServiceBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/authentication/JdbcUserServiceBeanDefinitionParserTests.java index 75ae43bebfe..6cd758bbc2d 100644 --- a/config/src/test/java/org/springframework/security/config/authentication/JdbcUserServiceBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/authentication/JdbcUserServiceBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -129,7 +129,7 @@ public void isSupportedByAuthenticationProviderElement() { + DATA_SOURCE); // @formatter:on AuthenticationManager mgr = (AuthenticationManager) this.appContext.getBean(BeanIds.AUTHENTICATION_MANAGER); - mgr.authenticate(new UsernamePasswordAuthenticationToken("rod", "koala")); + mgr.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala")); } @Test @@ -146,7 +146,7 @@ public void cacheIsInjectedIntoAuthenticationProvider() { ProviderManager mgr = (ProviderManager) this.appContext.getBean(BeanIds.AUTHENTICATION_MANAGER); DaoAuthenticationProvider provider = (DaoAuthenticationProvider) mgr.getProviders().get(0); assertThat(this.appContext.getBean("userCache")).isSameAs(provider.getUserCache()); - provider.authenticate(new UsernamePasswordAuthenticationToken("rod", "koala")); + provider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala")); assertThat(provider.getUserCache().getUserFromCache("rod")).isNotNull() .withFailMessage("Cache should contain user after authentication"); } 
diff --git a/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java index c4d08dc5295..affbe760ab7 100644 --- a/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -67,7 +67,7 @@ */ public class GlobalMethodSecurityBeanDefinitionParserTests { - private final UsernamePasswordAuthenticationToken bob = new UsernamePasswordAuthenticationToken("bob", + private final UsernamePasswordAuthenticationToken bob = UsernamePasswordAuthenticationToken.unauthenticated("bob", "bobspassword"); private AbstractXmlApplicationContext appContext; @@ -106,7 +106,8 @@ public void targetShouldPreventProtectedMethodInvocationWithNoContext() { @Test public void targetShouldAllowProtectedMethodInvocationWithCorrectRole() { loadContext(); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user", + "password"); SecurityContextHolder.getContext().setAuthentication(token); this.target.someUserMethod1(); // SEC-1213. Check the order 
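Review bot: In `targetShouldAllowProtectedMethodInvocationWithCorrectRole` the token stored in `SecurityContextHolder` is now explicitly `unauthenticated("user", "password")`, yet `someUserMethod1()` is expected to succeed, and nothing in the test says why. Presumably the method-security interceptor re-authenticates an unauthenticated token through the configured authentication manager, so the role comes from the user store and not from the token. A one-line comment would make that dependency visible, e.g. `// unauthenticated on purpose: the interceptor re-authenticates via the AuthenticationManager`. The same applies to the later hunks in this file (`supportsMethodArgumentsInPointcut`, `supportsBooleanPointcutExpressions`, `supportsExternalMetadataSource`, `supportsCustomAuthenticationManager`). The test body continues outside the hunk.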
@@ -153,8 +154,8 @@ public void worksWithAspectJAutoproxy() { + ""); // @formatter:on UserDetailsService service = (UserDetailsService) this.appContext.getBean("myUserService"); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); SecurityContextHolder.getContext().setAuthentication(token); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> service.loadUserByUsername("notused")); } @@ -170,7 +171,7 @@ public void supportsMethodArgumentsInPointcut() { + ConfigTestUtils.AUTH_PROVIDER_XML); // @formatter:on SecurityContextHolder.getContext() - .setAuthentication(new UsernamePasswordAuthenticationToken("user", "password")); + .setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); this.target = (BusinessService) this.appContext.getBean("target"); // someOther(int) should not be matched by someOther(String), but should require // ROLE_USER @@ -198,7 +199,7 @@ public void supportsBooleanPointcutExpressions() { assertThatExceptionOfType(AuthenticationCredentialsNotFoundException.class) .isThrownBy(() -> this.target.someOther(0)); SecurityContextHolder.getContext() - .setAuthentication(new UsernamePasswordAuthenticationToken("user", "password")); + .setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); this.target.someOther(0); } 
@@ -219,8 +220,8 @@ public void worksWithoutTargetOrClass() { + "" + ConfigTestUtils.AUTH_PROVIDER_XML); // @formatter:on - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); SecurityContextHolder.getContext().setAuthentication(token); this.target = (BusinessService) this.appContext.getBean("businessService"); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.target::someUserMethod1); @@ -384,7 +385,7 @@ public void supportsExternalMetadataSource() { Foo foo = (Foo) this.appContext.getBean("target"); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> foo.foo(new SecurityConfig("A"))); SecurityContextHolder.getContext() - .setAuthentication(new UsernamePasswordAuthenticationToken("admin", "password")); + .setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("admin", "password")); foo.foo(new SecurityConfig("A")); } @@ -405,7 +406,7 @@ public void supportsCustomAuthenticationManager() { Foo foo = (Foo) this.appContext.getBean("target"); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> foo.foo(new SecurityConfig("A"))); SecurityContextHolder.getContext() - .setAuthentication(new UsernamePasswordAuthenticationToken("admin", "password")); + .setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("admin", "password")); foo.foo(new SecurityConfig("A")); } diff --git a/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java b/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java index 15e375b6183..e7dd9331005 100644 
--- a/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java +++ b/config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -91,16 +91,16 @@ public void targetShouldPreventProtectedMethodInvocationWithNoContext() { @Test public void targetShouldAllowProtectedMethodInvocationWithCorrectRole() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_USER")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_USER")); SecurityContextHolder.getContext().setAuthentication(token); this.target.doSomething(); } @Test public void targetShouldPreventProtectedMethodInvocationWithIncorrectRole() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); SecurityContextHolder.getContext().setAuthentication(token); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.target::doSomething); } diff --git a/config/src/test/java/org/springframework/security/config/method/Jsr250AnnotationDrivenBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/method/Jsr250AnnotationDrivenBeanDefinitionParserTests.java index 0e699b73664..654a01b2f39 100644 
--- a/config/src/test/java/org/springframework/security/config/method/Jsr250AnnotationDrivenBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/method/Jsr250AnnotationDrivenBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -67,32 +67,32 @@ public void targetShouldPreventProtectedMethodInvocationWithNoContext() { @Test public void permitAllShouldBeDefaultAttribute() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_USER")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_USER")); SecurityContextHolder.getContext().setAuthentication(token); this.target.someOther(0); } @Test public void targetShouldAllowProtectedMethodInvocationWithCorrectRole() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_USER")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_USER")); SecurityContextHolder.getContext().setAuthentication(token); this.target.someUserMethod1(); } @Test public void targetShouldPreventProtectedMethodInvocationWithIncorrectRole() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE")); SecurityContextHolder.getContext().setAuthentication(token); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.target::someAdminMethod); } @Test public void hasAnyRoleAddsDefaultPrefix() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_USER")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", 
AuthorityUtils.createAuthorityList("ROLE_USER")); SecurityContextHolder.getContext().setAuthentication(token); this.target.rolesAllowedUser(); } diff --git a/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java index c458528f2ef..adcb526a727 100644 --- a/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -59,7 +59,7 @@ public class MethodSecurityBeanDefinitionParserTests { private static final String CONFIG_LOCATION_PREFIX = "classpath:org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests"; - private final UsernamePasswordAuthenticationToken bob = new UsernamePasswordAuthenticationToken("bob", + private final UsernamePasswordAuthenticationToken bob = UsernamePasswordAuthenticationToken.unauthenticated("bob", "bobspassword"); @Autowired(required = false) diff --git a/config/src/test/java/org/springframework/security/config/method/SecuredAnnotationDrivenBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/method/SecuredAnnotationDrivenBeanDefinitionParserTests.java index 4b760367dfe..4995df4369a 100644 --- a/config/src/test/java/org/springframework/security/config/method/SecuredAnnotationDrivenBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/method/SecuredAnnotationDrivenBeanDefinitionParserTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -73,16 +73,16 @@ public void targetShouldPreventProtectedMethodInvocationWithNoContext() { @Test public void targetShouldAllowProtectedMethodInvocationWithCorrectRole() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_USER")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_USER")); SecurityContextHolder.getContext().setAuthentication(token); this.target.someUserMethod1(); } @Test public void targetShouldPreventProtectedMethodInvocationWithIncorrectRole() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_SOMEOTHER")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_SOMEOTHER")); SecurityContextHolder.getContext().setAuthentication(token); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.target::someAdminMethod); } diff --git a/core/src/main/java/org/springframework/security/authentication/AbstractUserDetailsReactiveAuthenticationManager.java b/core/src/main/java/org/springframework/security/authentication/AbstractUserDetailsReactiveAuthenticationManager.java index d75a2775cd1..5a08efd019c 100644 --- a/core/src/main/java/org/springframework/security/authentication/AbstractUserDetailsReactiveAuthenticationManager.java +++ b/core/src/main/java/org/springframework/security/authentication/AbstractUserDetailsReactiveAuthenticationManager.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -117,7 +117,7 @@ private Mono upgradeEncodingIfNecessary(UserDetails userDetails, St } private UsernamePasswordAuthenticationToken createUsernamePasswordAuthenticationToken(UserDetails userDetails) { - return new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(), + return UsernamePasswordAuthenticationToken.authenticated(userDetails, userDetails.getPassword(), userDetails.getAuthorities()); } diff --git a/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java b/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java index 55963150a60..be796d04a4c 100644 --- a/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java +++ b/core/src/main/java/org/springframework/security/authentication/UsernamePasswordAuthenticationToken.java @@ -32,6 +32,7 @@ * String. * * @author Ben Alex + * @author Norbert Nowak */ public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken { 
@@ -71,6 +72,33 @@ public UsernamePasswordAuthenticationToken(Object principal, Object credentials, super.setAuthenticated(true); // must use super, as we override } + /** + * This factory method can be safely used by any code that wishes to create a + * unauthenticated UsernamePasswordAuthenticationToken. + * @param principal + * @param credentials + * @return UsernamePasswordAuthenticationToken with false isAuthenticated() result + * + * @since 5.7 + */ + public static UsernamePasswordAuthenticationToken unauthenticated(Object principal, Object credentials) { + return new UsernamePasswordAuthenticationToken(principal, credentials); + } + + /** + * This factory method can be safely used by any code that wishes to create a + * authenticated UsernamePasswordAuthenticationToken. + * @param principal + * @param credentials + * @return UsernamePasswordAuthenticationToken with true isAuthenticated() result + * + * @since 5.7 + */ + public static UsernamePasswordAuthenticationToken authenticated(Object principal, Object credentials, + Collection authorities) { + return new UsernamePasswordAuthenticationToken(principal, credentials, authorities); + } + @Override public Object getCredentials() { return this.credentials; diff --git a/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java index f85306cdd31..7d5b434d523 100644 --- a/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java +++ b/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java 
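Review bot: The Javadoc on `authenticated(...)` says it "can be safely used by any code", but this factory delegates to the three-argument constructor, which calls `super.setAuthenticated(true)` and so yields a trusted token. The text should restrict it to code that has already verified the credentials, e.g. `This factory method should only be used by AuthenticationManager or AuthenticationProvider implementations that have verified the credentials and want to produce a trusted token.` The `authenticated` Javadoc also lacks `@param authorities`, and both methods carry bare `@param principal` / `@param credentials` tags with no description. "a unauthenticated" and "a authenticated" should read "an".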
@@ -193,7 +193,7 @@ protected Authentication createSuccessAuthentication(Object principal, Authentic // so subsequent attempts are successful even with encoded passwords. // Also ensure we return the original getDetails(), so that future // authentication events after cache expiry contain the details - UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal, + UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken.authenticated(principal, authentication.getCredentials(), this.authoritiesMapper.mapAuthorities(user.getAuthorities())); result.setDetails(authentication.getDetails()); this.logger.debug("Authenticated user"); diff --git a/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManagerImpl.java b/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManagerImpl.java index 1d32b90ee5c..731ce15f6d0 100644 --- a/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManagerImpl.java +++ b/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationManagerImpl.java @@ -47,7 +47,8 @@ public void afterPropertiesSet() { @Override public Collection attemptAuthentication(String username, String password) throws RemoteAuthenticationException { - UsernamePasswordAuthenticationToken request = new UsernamePasswordAuthenticationToken(username, password); + UsernamePasswordAuthenticationToken request = UsernamePasswordAuthenticationToken.unauthenticated(username, + password); try { return this.authenticationManager.authenticate(request).getAuthorities(); } diff --git a/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java index c7164a0b97c..a617b3b60fa 100644 
--- a/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java +++ b/core/src/main/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProvider.java @@ -68,7 +68,7 @@ public Authentication authenticate(Authentication authentication) throws Authent String password = (credentials != null) ? credentials.toString() : null; Collection authorities = this.remoteAuthenticationManager .attemptAuthentication(username, password); - return new UsernamePasswordAuthenticationToken(username, password, authorities); + return UsernamePasswordAuthenticationToken.authenticated(username, password, authorities); } public RemoteAuthenticationManager getRemoteAuthenticationManager() { diff --git a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java index c5d815ad790..aebdf3c827e 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 the original author or authors. + * Copyright 2015-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -78,8 +78,8 @@ public UsernamePasswordAuthenticationToken deserialize(JsonParser jp, Deserializ List authorities = mapper.readValue(readJsonNode(jsonNode, "authorities").traverse(mapper), GRANTED_AUTHORITY_LIST); UsernamePasswordAuthenticationToken token = (!authenticated) - ? new UsernamePasswordAuthenticationToken(principal, credentials) - : new UsernamePasswordAuthenticationToken(principal, credentials, authorities); + ? UsernamePasswordAuthenticationToken.unauthenticated(principal, credentials) + : UsernamePasswordAuthenticationToken.authenticated(principal, credentials, authorities); JsonNode detailsNode = readJsonNode(jsonNode, "details"); if (detailsNode.isNull() || detailsNode.isMissingNode()) { token.setDetails(null); diff --git a/core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java b/core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java index c613035a05a..8e7b6b254d5 100644 --- a/core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java +++ b/core/src/main/java/org/springframework/security/provisioning/InMemoryUserDetailsManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
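Review bot: The ternary picks `unauthenticated(...)` or `authenticated(...)` from the `authenticated` flag, which appears to be read from the JSON earlier in `deserialize` (outside the hunk), as are `principal` and the `authorities` list. The serialized form therefore decides whether a trusted token with the listed authorities is built, and nothing here documents that the input must come from a store the application controls. With the factory names now spelling out the trust decision, a comment above the ternary would help: `// trust state and authorities are taken from the serialized form; only deserialize data from a trusted store`. The class Javadoc could carry the same sentence.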
@@ -125,7 +125,8 @@ public void changePassword(String oldPassword, String newPassword) { // supplied password. if (this.authenticationManager != null) { this.logger.debug(LogMessage.format("Reauthenticating user '%s' for password change request.", username)); - this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, oldPassword)); + this.authenticationManager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated(username, oldPassword)); } else { this.logger.debug("No authentication manager set. Password won't be re-checked."); diff --git a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java index 2cfda0ab06e..264568f49f1 100644 --- a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java +++ b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -271,7 +271,8 @@ public void changePassword(String oldPassword, String newPassword) throws Authen // supplied password. if (this.authenticationManager != null) { this.logger.debug(LogMessage.format("Reauthenticating user '%s' for password change request.", username)); - this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, oldPassword)); + this.authenticationManager + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated(username, oldPassword)); } else { this.logger.debug("No authentication manager set. Password won't be re-checked."); 
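Review bot: When `authenticationManager` is null, the `else` branch of `changePassword` does not verify `oldPassword` and records that only at debug level (`"No authentication manager set. Password won't be re-checked."`). The `JdbcUserDetailsManager.changePassword` hunk that follows has the same shape. Since the re-authentication call is being rewritten anyway, the method Javadoc should say that the old password is verified only when an `AuthenticationManager` has been configured, and the fallback is arguably worth `this.logger.warn(...)` so that it shows up in default logging. The check also relies on `authenticate(...)` throwing for bad credentials, as its return value is discarded; a short comment such as `// throws AuthenticationException if oldPassword is wrong` would make that explicit. `changePassword` starts and ends outside both hunks.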
@@ -287,8 +288,8 @@ public void changePassword(String oldPassword, String newPassword) throws Authen protected Authentication createNewAuthentication(Authentication currentAuth, String newPassword) { UserDetails user = loadUserByUsername(currentAuth.getName()); - UsernamePasswordAuthenticationToken newAuthentication = new UsernamePasswordAuthenticationToken(user, null, - user.getAuthorities()); + UsernamePasswordAuthenticationToken newAuthentication = UsernamePasswordAuthenticationToken.authenticated(user, + null, user.getAuthorities()); newAuthentication.setDetails(currentAuth.getDetails()); return newAuthentication; } diff --git a/core/src/test/java/org/springframework/security/access/AuthorizationFailureEventTests.java b/core/src/test/java/org/springframework/security/access/AuthorizationFailureEventTests.java index fde3f5e7004..cd1c569907f 100644 --- a/core/src/test/java/org/springframework/security/access/AuthorizationFailureEventTests.java +++ b/core/src/test/java/org/springframework/security/access/AuthorizationFailureEventTests.java @@ -34,7 +34,8 @@ */ public class AuthorizationFailureEventTests { - private final UsernamePasswordAuthenticationToken foo = new UsernamePasswordAuthenticationToken("foo", "bar"); + private final UsernamePasswordAuthenticationToken foo = UsernamePasswordAuthenticationToken.unauthenticated("foo", + "bar"); private List attributes = SecurityConfig.createList("TEST"); diff --git a/core/src/test/java/org/springframework/security/access/AuthorizedEventTests.java b/core/src/test/java/org/springframework/security/access/AuthorizedEventTests.java index b55a060eb88..c5655ec2822 100644 --- a/core/src/test/java/org/springframework/security/access/AuthorizedEventTests.java +++ b/core/src/test/java/org/springframework/security/access/AuthorizedEventTests.java 
@@ -34,13 +34,13 @@ public class AuthorizedEventTests { @Test public void testRejectsNulls() { assertThatIllegalArgumentException().isThrownBy(() -> new AuthorizedEvent(null, - SecurityConfig.createList("TEST"), new UsernamePasswordAuthenticationToken("foo", "bar"))); + SecurityConfig.createList("TEST"), UsernamePasswordAuthenticationToken.unauthenticated("foo", "bar"))); } @Test public void testRejectsNulls2() { assertThatIllegalArgumentException().isThrownBy(() -> new AuthorizedEvent(new SimpleMethodInvocation(), null, - new UsernamePasswordAuthenticationToken("foo", "bar"))); + UsernamePasswordAuthenticationToken.unauthenticated("foo", "bar"))); } @Test diff --git a/core/src/test/java/org/springframework/security/access/intercept/RunAsManagerImplTests.java b/core/src/test/java/org/springframework/security/access/intercept/RunAsManagerImplTests.java index 41eddcd218d..cd877b09cd4 100644 --- a/core/src/test/java/org/springframework/security/access/intercept/RunAsManagerImplTests.java +++ b/core/src/test/java/org/springframework/security/access/intercept/RunAsManagerImplTests.java @@ -44,8 +44,8 @@ public void testAlwaysSupportsClass() { @Test public void testDoesNotReturnAdditionalAuthoritiesIfCalledWithoutARunAsSetting() { - UsernamePasswordAuthenticationToken inputToken = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); + UsernamePasswordAuthenticationToken inputToken = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); RunAsManagerImpl runAs = new RunAsManagerImpl(); runAs.setKey("my_password"); Authentication resultingToken = runAs.buildRunAs(inputToken, new Object(), 
@@ -55,8 +55,8 @@ public void testDoesNotReturnAdditionalAuthoritiesIfCalledWithoutARunAsSetting() @Test public void testRespectsRolePrefix() { - UsernamePasswordAuthenticationToken inputToken = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ONE", "TWO")); + UsernamePasswordAuthenticationToken inputToken = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ONE", "TWO")); RunAsManagerImpl runAs = new RunAsManagerImpl(); runAs.setKey("my_password"); runAs.setRolePrefix("FOOBAR_"); @@ -75,8 +75,8 @@ public void testRespectsRolePrefix() { @Test public void testReturnsAdditionalGrantedAuthorities() { - UsernamePasswordAuthenticationToken inputToken = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); + UsernamePasswordAuthenticationToken inputToken = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); RunAsManagerImpl runAs = new RunAsManagerImpl(); runAs.setKey("my_password"); Authentication result = runAs.buildRunAs(inputToken, new Object(), diff --git a/core/src/test/java/org/springframework/security/access/vote/AuthenticatedVoterTests.java b/core/src/test/java/org/springframework/security/access/vote/AuthenticatedVoterTests.java index 1d2cfa3657f..bff472e3623 100644 --- a/core/src/test/java/org/springframework/security/access/vote/AuthenticatedVoterTests.java +++ b/core/src/test/java/org/springframework/security/access/vote/AuthenticatedVoterTests.java @@ -44,7 +44,7 @@ private Authentication createAnonymous() { } private Authentication createFullyAuthenticated() { - return new UsernamePasswordAuthenticationToken("ignored", "ignored", + return UsernamePasswordAuthenticationToken.authenticated("ignored", "ignored", AuthorityUtils.createAuthorityList("ignored")); } 
diff --git a/core/src/test/java/org/springframework/security/authentication/ProviderManagerTests.java b/core/src/test/java/org/springframework/security/authentication/ProviderManagerTests.java index e0a1fe336c4..b64dbce4fee 100644 --- a/core/src/test/java/org/springframework/security/authentication/ProviderManagerTests.java +++ b/core/src/test/java/org/springframework/security/authentication/ProviderManagerTests.java @@ -66,12 +66,13 @@ public Object getPrincipal() { @Test public void credentialsAreClearedByDefault() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("Test", + "Password"); ProviderManager mgr = makeProviderManager(); Authentication result = mgr.authenticate(token); assertThat(result.getCredentials()).isNull(); mgr.setEraseCredentialsAfterAuthentication(false); - token = new UsernamePasswordAuthenticationToken("Test", "Password"); + token = UsernamePasswordAuthenticationToken.unauthenticated("Test", "Password"); result = mgr.authenticate(token); assertThat(result.getCredentials()).isNotNull(); } diff --git a/core/src/test/java/org/springframework/security/authentication/ReactiveUserDetailsServiceAuthenticationManagerTests.java b/core/src/test/java/org/springframework/security/authentication/ReactiveUserDetailsServiceAuthenticationManagerTests.java index eabd9256c52..cca23a0dae5 100644 --- a/core/src/test/java/org/springframework/security/authentication/ReactiveUserDetailsServiceAuthenticationManagerTests.java +++ b/core/src/test/java/org/springframework/security/authentication/ReactiveUserDetailsServiceAuthenticationManagerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -72,7 +72,7 @@ public void constructorNullUserDetailsService() { @Test public void authenticateWhenUserNotFoundThenBadCredentials() { given(this.repository.findByUsername(this.username)).willReturn(Mono.empty()); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.username, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.username, this.password); Mono authentication = this.manager.authenticate(token); // @formatter:off @@ -91,7 +91,7 @@ public void authenticateWhenPasswordNotEqualThenBadCredentials() { .build(); // @formatter:on given(this.repository.findByUsername(user.getUsername())).willReturn(Mono.just(user)); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.username, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.username, this.password + "INVALID"); Mono authentication = this.manager.authenticate(token); // @formatter:off @@ -110,7 +110,7 @@ public void authenticateWhenSuccessThenSuccess() { .build(); // @formatter:on given(this.repository.findByUsername(user.getUsername())).willReturn(Mono.just(user)); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.username, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.username, this.password); Authentication authentication = this.manager.authenticate(token).block(); assertThat(authentication).isEqualTo(authentication); 
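Review bot: The last hunk on this line (`authenticateWhenSuccessThenSuccess`) ends in `assertThat(authentication).isEqualTo(authentication);`, which compares the result with itself and so passes for whatever the call returns. The first hunk on the following line (`authenticateWhenPasswordEncoderAndSuccessThenSuccess`) has the same line. Since the request token is now explicitly `unauthenticated(...)`, the meaningful check is that the manager handed back a trusted token: `assertThat(authentication.isAuthenticated()).isTrue();`. Both test bodies may continue past their hunks, so further assertions could follow that are not shown.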
@@ -122,7 +122,7 @@ public void authenticateWhenPasswordEncoderAndSuccessThenSuccess() { given(this.passwordEncoder.matches(any(), any())).willReturn(true); User user = new User(this.username, this.password, AuthorityUtils.createAuthorityList("ROLE_USER")); given(this.repository.findByUsername(user.getUsername())).willReturn(Mono.just(user)); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.username, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.username, this.password); Authentication authentication = this.manager.authenticate(token).block(); assertThat(authentication).isEqualTo(authentication); @@ -134,7 +134,7 @@ public void authenticateWhenPasswordEncoderAndFailThenFail() { given(this.passwordEncoder.matches(any(), any())).willReturn(false); User user = new User(this.username, this.password, AuthorityUtils.createAuthorityList("ROLE_USER")); given(this.repository.findByUsername(user.getUsername())).willReturn(Mono.just(user)); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.username, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.username, this.password); Mono authentication = this.manager.authenticate(token); // @formatter:off diff --git a/core/src/test/java/org/springframework/security/authentication/TestAuthentication.java b/core/src/test/java/org/springframework/security/authentication/TestAuthentication.java index 0583c42a488..cdeb4ba1d82 100644 --- a/core/src/test/java/org/springframework/security/authentication/TestAuthentication.java +++ b/core/src/test/java/org/springframework/security/authentication/TestAuthentication.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,7 +35,7 @@ public static Authentication authenticatedUser() { } public static Authentication autheticated(UserDetails user) { - return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()); + return UsernamePasswordAuthenticationToken.authenticated(user, null, user.getAuthorities()); } } diff --git a/core/src/test/java/org/springframework/security/authentication/UserDetailsRepositoryReactiveAuthenticationManagerTests.java b/core/src/test/java/org/springframework/security/authentication/UserDetailsRepositoryReactiveAuthenticationManagerTests.java index 50e73593d26..c8f39d52e38 100644 --- a/core/src/test/java/org/springframework/security/authentication/UserDetailsRepositoryReactiveAuthenticationManagerTests.java +++ b/core/src/test/java/org/springframework/security/authentication/UserDetailsRepositoryReactiveAuthenticationManagerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -95,7 +95,7 @@ public void authenticateWhenCustomSchedulerThenUsed() { given(this.encoder.matches(any(), any())).willReturn(true); this.manager.setScheduler(this.scheduler); this.manager.setPasswordEncoder(this.encoder); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.user, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.user, this.user.getPassword()); Authentication result = this.manager.authenticate(token).block(); verify(this.scheduler).schedule(any()); 
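Review bot: The helper in the `TestAuthentication` hunk on this line is named `autheticated` (missing an "n"), which now sits right next to the correctly spelled `UsernamePasswordAuthenticationToken.authenticated(...)` it delegates to. Other tests presumably call the helper by its current name, so the low-risk fix is to add `public static Authentication authenticated(UserDetails user)` with the same body and let `autheticated` delegate to it until the callers are moved.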
@@ -111,7 +111,7 @@ public void authenticateWhenPasswordServiceThenUpdated() { given(this.userDetailsPasswordService.updatePassword(any(), any())).willReturn(Mono.just(this.user)); this.manager.setPasswordEncoder(this.encoder); this.manager.setUserDetailsPasswordService(this.userDetailsPasswordService); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.user, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.user, this.user.getPassword()); Authentication result = this.manager.authenticate(token).block(); verify(this.encoder).encode(this.user.getPassword()); @@ -124,7 +124,7 @@ public void authenticateWhenPasswordServiceAndBadCredentialsThenNotUpdated() { given(this.encoder.matches(any(), any())).willReturn(false); this.manager.setPasswordEncoder(this.encoder); this.manager.setUserDetailsPasswordService(this.userDetailsPasswordService); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.user, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.user, this.user.getPassword()); assertThatExceptionOfType(BadCredentialsException.class) .isThrownBy(() -> this.manager.authenticate(token).block()); @@ -138,7 +138,7 @@ public void authenticateWhenPasswordServiceAndUpgradeFalseThenNotUpdated() { given(this.encoder.upgradeEncoding(any())).willReturn(false); this.manager.setPasswordEncoder(this.encoder); this.manager.setUserDetailsPasswordService(this.userDetailsPasswordService); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.user, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.user, this.user.getPassword()); Authentication result = this.manager.authenticate(token).block(); verifyZeroInteractions(this.userDetailsPasswordService); 
@@ -152,8 +152,8 @@ public void authenticateWhenPostAuthenticationChecksFail() { this.manager.setPasswordEncoder(this.encoder); this.manager.setPostAuthenticationChecks(this.postAuthenticationChecks); assertThatExceptionOfType(LockedException.class).isThrownBy(() -> this.manager - .authenticate(new UsernamePasswordAuthenticationToken(this.user, this.user.getPassword())).block()) - .withMessage("account is locked"); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated(this.user, this.user.getPassword())) + .block()).withMessage("account is locked"); verify(this.postAuthenticationChecks).check(eq(this.user)); } @@ -162,7 +162,7 @@ public void authenticateWhenPostAuthenticationChecksNotSet() { given(this.userDetailsService.findByUsername(any())).willReturn(Mono.just(this.user)); given(this.encoder.matches(any(), any())).willReturn(true); this.manager.setPasswordEncoder(this.encoder); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(this.user, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(this.user, this.user.getPassword()); this.manager.authenticate(token).block(); verifyZeroInteractions(this.postAuthenticationChecks); @@ -179,7 +179,7 @@ public void authenticateWhenAccountExpiredThenException() { .build(); // @formatter:on given(this.userDetailsService.findByUsername(any())).willReturn(Mono.just(expiredUser)); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(expiredUser, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(expiredUser, expiredUser.getPassword()); assertThatExceptionOfType(AccountExpiredException.class) .isThrownBy(() -> this.manager.authenticate(token).block()); 
@@ -196,7 +196,7 @@ public void authenticateWhenAccountLockedThenException() { .build(); // @formatter:on given(this.userDetailsService.findByUsername(any())).willReturn(Mono.just(lockedUser)); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(lockedUser, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(lockedUser, lockedUser.getPassword()); assertThatExceptionOfType(LockedException.class).isThrownBy(() -> this.manager.authenticate(token).block()); } @@ -212,7 +212,7 @@ public void authenticateWhenAccountDisabledThenException() { .build(); // @formatter:on given(this.userDetailsService.findByUsername(any())).willReturn(Mono.just(disabledUser)); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(disabledUser, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(disabledUser, disabledUser.getPassword()); assertThatExceptionOfType(DisabledException.class).isThrownBy(() -> this.manager.authenticate(token).block()); } diff --git a/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java b/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java index 8c3eda3dd8a..4f9e38e7666 100644 --- a/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java +++ b/core/src/test/java/org/springframework/security/authentication/UsernamePasswordAuthenticationTokenTests.java 
@@ -33,8 +33,8 @@ public class UsernamePasswordAuthenticationTokenTests { @Test public void authenticatedPropertyContractIsSatisfied() { - UsernamePasswordAuthenticationToken grantedToken = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.NO_AUTHORITIES); + UsernamePasswordAuthenticationToken grantedToken = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.NO_AUTHORITIES); // check default given we passed some GrantedAuthorty[]s (well, we passed empty // list) assertThat(grantedToken.isAuthenticated()).isTrue(); @@ -44,8 +44,8 @@ public void authenticatedPropertyContractIsSatisfied() { assertThat(!grantedToken.isAuthenticated()).isTrue(); // Now let's create a UsernamePasswordAuthenticationToken without any // GrantedAuthorty[]s (different constructor) - UsernamePasswordAuthenticationToken noneGrantedToken = new UsernamePasswordAuthenticationToken("Test", - "Password"); + UsernamePasswordAuthenticationToken noneGrantedToken = UsernamePasswordAuthenticationToken + .unauthenticated("Test", "Password"); assertThat(!noneGrantedToken.isAuthenticated()).isTrue(); // check we're allowed to still set it to untrusted noneGrantedToken.setAuthenticated(false); @@ -56,8 +56,8 @@ public void authenticatedPropertyContractIsSatisfied() { @Test public void gettersReturnCorrectData() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("Test", "Password", - AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); assertThat(token.getPrincipal()).isEqualTo("Test"); assertThat(token.getCredentials()).isEqualTo("Password"); assertThat(AuthorityUtils.authorityListToSet(token.getAuthorities())).contains("ROLE_ONE"); 
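Review bot: The comment kept as context in the second hunk of `authenticatedPropertyContractIsSatisfied` still says the token is created through a "(different constructor)", but the line below it now calls the `unauthenticated` factory. "GrantedAuthorty[]s" is also misspelled in both comments of this test. Suggested wording: `// Now create a token through the unauthenticated factory, which takes no GrantedAuthority list`. The first hunk's `// check default given we passed some GrantedAuthorty[]s` comment could likewise name the `authenticated` factory.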
@@ -71,4 +71,18 @@ public void testNoArgConstructorDoesntExist() throws Exception { .isThrownBy(() -> clazz.getDeclaredConstructor((Class[]) null)); } + @Test + public void unauthenticatedFactoryMethodResultsUnauthenticatedToken() { + UsernamePasswordAuthenticationToken grantedToken = UsernamePasswordAuthenticationToken.unauthenticated("Test", + "Password"); + assertThat(grantedToken.isAuthenticated()).isFalse(); + } + + @Test + public void authenticatedFactoryMethodResultsAuthenticatedToken() { + UsernamePasswordAuthenticationToken grantedToken = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", AuthorityUtils.NO_AUTHORITIES); + assertThat(grantedToken.isAuthenticated()).isTrue(); + } + } diff --git a/core/src/test/java/org/springframework/security/authentication/anonymous/AnonymousAuthenticationTokenTests.java b/core/src/test/java/org/springframework/security/authentication/anonymous/AnonymousAuthenticationTokenTests.java index 4910b622d51..780d391418b 100644 --- a/core/src/test/java/org/springframework/security/authentication/anonymous/AnonymousAuthenticationTokenTests.java +++ b/core/src/test/java/org/springframework/security/authentication/anonymous/AnonymousAuthenticationTokenTests.java @@ -81,8 +81,8 @@ public void testNotEqualsDueToAbstractParentEqualsCheck() { @Test public void testNotEqualsDueToDifferentAuthenticationClass() { AnonymousAuthenticationToken token1 = new AnonymousAuthenticationToken("key", "Test", ROLES_12); - UsernamePasswordAuthenticationToken token2 = new UsernamePasswordAuthenticationToken("Test", "Password", - ROLES_12); + UsernamePasswordAuthenticationToken token2 = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", ROLES_12); assertThat(token1.equals(token2)).isFalse(); } 
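Review bot: In the added `unauthenticatedFactoryMethodResultsUnauthenticatedToken` test the local is called `grantedToken` although nothing has been granted, and both new tests assert only the `isAuthenticated()` flag. Rename the local to `token` and pin the rest of what callers rely on for an untrusted token, for example `assertThat(token.getAuthorities()).isEmpty();`. That the unauthenticated factory yields an empty authority list is assumed from the two-argument constructor it replaces, so confirm it against the factory implementation, which is not part of this hunk.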
diff --git a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java index 1771721b7f0..0eb2488b5c6 100644 --- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java +++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java @@ -74,7 +74,7 @@ public class DaoAuthenticationProviderTests { @Test public void testAuthenticateFailsForIncorrectPasswordCase() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "KOala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "KOala"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); provider.setUserCache(new MockUserCache()); 
@@ -87,14 +87,16 @@ public void testReceivedBadCredentialsWhenCredentialsNotProvided() { DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); provider.setUserCache(new MockUserCache()); - UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken("rod", null); + UsernamePasswordAuthenticationToken authenticationToken = UsernamePasswordAuthenticationToken + .unauthenticated("rod", null); assertThatExceptionOfType(BadCredentialsException.class) .isThrownBy(() -> provider.authenticate(authenticationToken)); } @Test public void testAuthenticateFailsIfAccountExpired() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("peter", + "opal"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserPeterAccountExpired()); provider.setUserCache(new MockUserCache()); @@ -103,7 +105,8 @@ public void testAuthenticateFailsIfAccountExpired() { @Test public void testAuthenticateFailsIfAccountLocked() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("peter", + "opal"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserPeterAccountLocked()); provider.setUserCache(new MockUserCache()); 
@@ -115,17 +118,18 @@ public void testAuthenticateFailsIfCredentialsExpired() { DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserPeterCredentialsExpired()); provider.setUserCache(new MockUserCache()); - assertThatExceptionOfType(CredentialsExpiredException.class) - .isThrownBy(() -> provider.authenticate(new UsernamePasswordAuthenticationToken("peter", "opal"))); + assertThatExceptionOfType(CredentialsExpiredException.class).isThrownBy( + () -> provider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("peter", "opal"))); // Check that wrong password causes BadCredentialsException, rather than // CredentialsExpiredException - assertThatExceptionOfType(BadCredentialsException.class).isThrownBy( - () -> provider.authenticate(new UsernamePasswordAuthenticationToken("peter", "wrong_password"))); + assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> provider + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("peter", "wrong_password"))); } @Test public void testAuthenticateFailsIfUserDisabled() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("peter", "opal"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("peter", + "opal"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserPeter()); provider.setUserCache(new MockUserCache()); 
@@ -134,7 +138,7 @@ public void testAuthenticateFailsIfUserDisabled() { @Test public void testAuthenticateFailsWhenAuthenticationDaoHasBackendFailure() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceSimulateBackendError()); provider.setUserCache(new MockUserCache()); @@ -144,7 +148,7 @@ public void testAuthenticateFailsWhenAuthenticationDaoHasBackendFailure() { @Test public void testAuthenticateFailsWithEmptyUsername() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(null, "koala"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); provider.setUserCache(new MockUserCache()); @@ -153,7 +157,8 @@ public void testAuthenticateFailsWithEmptyUsername() { @Test public void testAuthenticateFailsWithInvalidPassword() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "INVALID_PASSWORD"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", + "INVALID_PASSWORD"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); provider.setUserCache(new MockUserCache()); 
@@ -162,7 +167,8 @@ public void testAuthenticateFailsWithInvalidPassword() { @Test public void testAuthenticateFailsWithInvalidUsernameAndHideUserNotFoundExceptionFalse() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("INVALID_USER", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("INVALID_USER", + "koala"); DaoAuthenticationProvider provider = createProvider(); provider.setHideUserNotFoundExceptions(false); // we want // UsernameNotFoundExceptions @@ -173,7 +179,8 @@ public void testAuthenticateFailsWithInvalidUsernameAndHideUserNotFoundException @Test public void testAuthenticateFailsWithInvalidUsernameAndHideUserNotFoundExceptionsWithDefaultOfTrue() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("INVALID_USER", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("INVALID_USER", + "koala"); DaoAuthenticationProvider provider = createProvider(); assertThat(provider.isHideUserNotFoundExceptions()).isTrue(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); @@ -183,7 +190,8 @@ public void testAuthenticateFailsWithInvalidUsernameAndHideUserNotFoundException @Test public void testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("INVALID_USER", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("INVALID_USER", + "koala"); DaoAuthenticationProvider provider = createProvider(); assertThat(provider.isHideUserNotFoundExceptions()).isTrue(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); 
@@ -195,7 +203,7 @@ public void testAuthenticateFailsWithInvalidUsernameAndChangePasswordEncoder() { @Test public void testAuthenticateFailsWithMixedCaseUsernameIfDefaultChanged() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("RoD", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("RoD", "koala"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); provider.setUserCache(new MockUserCache()); @@ -204,7 +212,7 @@ public void testAuthenticateFailsWithMixedCaseUsernameIfDefaultChanged() { @Test public void testAuthenticates() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); token.setDetails("192.168.0.1"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); @@ -222,7 +230,7 @@ public void testAuthenticates() { @Test public void testAuthenticatesASecondTime() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); provider.setUserCache(new MockUserCache()); 
@@ -240,7 +248,7 @@ public void testAuthenticatesASecondTime() { @Test public void testAuthenticatesWithForcePrincipalAsString() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); provider.setUserCache(new MockUserCache()); @@ -258,7 +266,8 @@ public void testAuthenticatesWithForcePrincipalAsString() { public void authenticateWhenSuccessAndPasswordManagerThenUpdates() { String password = "password"; String encodedPassword = "encoded"; - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", password); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user", + password); PasswordEncoder encoder = mock(PasswordEncoder.class); UserDetailsService userDetailsService = mock(UserDetailsService.class); UserDetailsPasswordService passwordManager = mock(UserDetailsPasswordService.class); @@ -279,7 +288,8 @@ public void authenticateWhenSuccessAndPasswordManagerThenUpdates() { @Test public void authenticateWhenBadCredentialsAndPasswordManagerThenNoUpdate() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user", + "password"); PasswordEncoder encoder = mock(PasswordEncoder.class); UserDetailsService userDetailsService = mock(UserDetailsService.class); UserDetailsPasswordService passwordManager = mock(UserDetailsPasswordService.class); 
@@ -296,7 +306,8 @@ public void authenticateWhenBadCredentialsAndPasswordManagerThenNoUpdate() { @Test public void authenticateWhenNotUpgradeAndPasswordManagerThenNoUpdate() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user", + "password"); PasswordEncoder encoder = mock(PasswordEncoder.class); UserDetailsService userDetailsService = mock(UserDetailsService.class); UserDetailsPasswordService passwordManager = mock(UserDetailsPasswordService.class); @@ -314,7 +325,7 @@ public void authenticateWhenNotUpgradeAndPasswordManagerThenNoUpdate() { @Test public void testDetectsNullBeingReturnedFromAuthenticationDao() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); DaoAuthenticationProvider provider = createProvider(); provider.setUserDetailsService(new MockUserDetailsServiceReturnsNull()); assertThatExceptionOfType(AuthenticationServiceException.class).isThrownBy(() -> provider.authenticate(token)) @@ -335,7 +346,7 @@ public void testGettersSetters() { @Test public void testGoesBackToAuthenticationDaoToObtainLatestPasswordIfCachedPasswordSeemsIncorrect() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("rod", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); MockUserDetailsServiceUserRod authenticationDao = new MockUserDetailsServiceUserRod(); MockUserCache cache = new MockUserCache(); DaoAuthenticationProvider provider = createProvider(); 
@@ -348,7 +359,7 @@ public void testGoesBackToAuthenticationDaoToObtainLatestPasswordIfCachedPasswor // Now change the password the AuthenticationDao will return authenticationDao.setPassword("easternLongNeckTurtle"); // Now try authentication again, with the new password - token = new UsernamePasswordAuthenticationToken("rod", "easternLongNeckTurtle"); + token = UsernamePasswordAuthenticationToken.unauthenticated("rod", "easternLongNeckTurtle"); provider.authenticate(token); // To get this far, the new password was accepted // Check the cache was updated @@ -390,7 +401,8 @@ public void testSupports() { // SEC-2056 @Test public void testUserNotFoundEncodesPassword() throws Exception { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("missing", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("missing", + "koala"); PasswordEncoder encoder = mock(PasswordEncoder.class); given(encoder.encode(anyString())).willReturn("koala"); DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); @@ -406,7 +418,8 @@ public void testUserNotFoundEncodesPassword() throws Exception { @Test public void testUserNotFoundBCryptPasswordEncoder() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("missing", "koala"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("missing", + "koala"); PasswordEncoder encoder = new BCryptPasswordEncoder(); DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); provider.setHideUserNotFoundExceptions(false); 
@@ -419,7 +432,8 @@ public void testUserNotFoundBCryptPasswordEncoder() { @Test public void testUserNotFoundDefaultEncoder() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("missing", null); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("missing", + null); DaoAuthenticationProvider provider = createProvider(); provider.setHideUserNotFoundExceptions(false); provider.setUserDetailsService(new MockUserDetailsServiceUserRod()); @@ -432,8 +446,10 @@ public void testUserNotFoundDefaultEncoder() { * SEC-2056 is fixed. */ public void IGNOREtestSec2056() { - UsernamePasswordAuthenticationToken foundUser = new UsernamePasswordAuthenticationToken("rod", "koala"); - UsernamePasswordAuthenticationToken notFoundUser = new UsernamePasswordAuthenticationToken("notFound", "koala"); + UsernamePasswordAuthenticationToken foundUser = UsernamePasswordAuthenticationToken.unauthenticated("rod", + "koala"); + UsernamePasswordAuthenticationToken notFoundUser = UsernamePasswordAuthenticationToken + .unauthenticated("notFound", "koala"); PasswordEncoder encoder = new BCryptPasswordEncoder(10, new SecureRandom()); DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); provider.setHideUserNotFoundExceptions(false); @@ -467,7 +483,8 @@ private double avg(List counts) { @Test public void testUserNotFoundNullCredentials() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("missing", null); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("missing", + null); PasswordEncoder encoder = mock(PasswordEncoder.class); DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); provider.setHideUserNotFoundExceptions(false); 
diff --git a/core/src/test/java/org/springframework/security/authentication/event/AuthenticationEventTests.java b/core/src/test/java/org/springframework/security/authentication/event/AuthenticationEventTests.java index f2ecf729c82..605a1615467 100644 --- a/core/src/test/java/org/springframework/security/authentication/event/AuthenticationEventTests.java +++ b/core/src/test/java/org/springframework/security/authentication/event/AuthenticationEventTests.java @@ -34,8 +34,8 @@ public class AuthenticationEventTests { private Authentication getAuthentication() { - UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken("Principal", - "Credentials"); + UsernamePasswordAuthenticationToken authentication = UsernamePasswordAuthenticationToken + .unauthenticated("Principal", "Credentials"); authentication.setDetails("127.0.0.1"); return authentication; } diff --git a/core/src/test/java/org/springframework/security/authentication/event/LoggerListenerTests.java b/core/src/test/java/org/springframework/security/authentication/event/LoggerListenerTests.java index 1efd1e083e4..07133b8864f 100644 --- a/core/src/test/java/org/springframework/security/authentication/event/LoggerListenerTests.java +++ b/core/src/test/java/org/springframework/security/authentication/event/LoggerListenerTests.java @@ -30,8 +30,8 @@ public class LoggerListenerTests { private Authentication getAuthentication() { - UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken("Principal", - "Credentials"); + UsernamePasswordAuthenticationToken authentication = UsernamePasswordAuthenticationToken + .unauthenticated("Principal", "Credentials"); authentication.setDetails("127.0.0.1"); return authentication; } 
diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/DefaultJaasAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/jaas/DefaultJaasAuthenticationProviderTests.java index 4aa88621116..3df2268f58b 100644 --- a/core/src/test/java/org/springframework/security/authentication/jaas/DefaultJaasAuthenticationProviderTests.java +++ b/core/src/test/java/org/springframework/security/authentication/jaas/DefaultJaasAuthenticationProviderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2010-2016 the original author or authors. + * Copyright 2010-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -79,7 +79,7 @@ public void setUp() throws Exception { new AppConfigurationEntry(TestLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) }; given(configuration.getAppConfigurationEntry(this.provider.getLoginContextName())).willReturn(aces); - this.token = new UsernamePasswordAuthenticationToken("user", "password"); + this.token = UsernamePasswordAuthenticationToken.unauthenticated("user", "password"); ReflectionTestUtils.setField(this.provider, "log", this.log); } 
@@ -113,15 +113,15 @@ public void authenticateSuccess() { @Test public void authenticateBadPassword() { - assertThatExceptionOfType(AuthenticationException.class) - .isThrownBy(() -> this.provider.authenticate(new UsernamePasswordAuthenticationToken("user", "asdf"))); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy( + () -> this.provider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "asdf"))); verifyFailedLogin(); } @Test public void authenticateBadUser() { - assertThatExceptionOfType(AuthenticationException.class).isThrownBy( - () -> this.provider.authenticate(new UsernamePasswordAuthenticationToken("asdf", "password"))); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> this.provider + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("asdf", "password"))); verifyFailedLogin(); } diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java index 46ade0722d8..4da9805811e 100644 --- a/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java +++ b/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java 
@@ -75,8 +75,8 @@ public void setUp() { @Test public void testBadPassword() { - assertThatExceptionOfType(AuthenticationException.class).isThrownBy( - () -> this.jaasProvider.authenticate(new UsernamePasswordAuthenticationToken("user", "asdf"))); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> this.jaasProvider + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "asdf"))); assertThat(this.eventCheck.failedEvent).as("Failure event not fired").isNotNull(); assertThat(this.eventCheck.failedEvent.getException()).withFailMessage("Failure event exception was null") .isNotNull(); @@ -85,8 +85,8 @@ public void testBadPassword() { @Test public void testBadUser() { - assertThatExceptionOfType(AuthenticationException.class).isThrownBy( - () -> this.jaasProvider.authenticate(new UsernamePasswordAuthenticationToken("asdf", "password"))); + assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> this.jaasProvider + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("asdf", "password"))); assertThat(this.eventCheck.failedEvent).as("Failure event not fired").isNotNull(); assertThat(this.eventCheck.failedEvent.getException()).withFailMessage("Failure event exception was null") .isNotNull(); @@ -158,8 +158,8 @@ public void detectsMissingLoginContextName() throws Exception { @Test public void testFull() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password", - AuthorityUtils.createAuthorityList("ROLE_ONE")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("user", + "password", AuthorityUtils.createAuthorityList("ROLE_ONE")); assertThat(this.jaasProvider.supports(UsernamePasswordAuthenticationToken.class)).isTrue(); Authentication auth = this.jaasProvider.authenticate(token); assertThat(this.jaasProvider.getAuthorityGranters()).isNotNull(); 
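Review bot: In testFull the token passed to `this.jaasProvider.authenticate(token)` is built with `UsernamePasswordAuthenticationToken.authenticated("user", "password", ...)`, so the provider is handed an input that is already marked trusted and already carries ROLE_ONE. This matches the old three-argument constructor, but the factory name now makes the oddity visible. If the pre-set authority is deliberate, say so in a comment such as `// authenticated input on purpose: provider must handle caller-supplied authorities`; otherwise `UsernamePasswordAuthenticationToken.unauthenticated("user", "password")` is the realistic input for an authentication attempt. The same applies to `testAuthenticate` in Sec760Tests further down; testFull itself continues past the end of this hunk.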
@@ -198,7 +198,7 @@ public void testLoginExceptionResolver() { assertThat(this.jaasProvider.getLoginExceptionResolver()).isNotNull(); this.jaasProvider.setLoginExceptionResolver((e) -> new LockedException("This is just a test!")); try { - this.jaasProvider.authenticate(new UsernamePasswordAuthenticationToken("user", "password")); + this.jaasProvider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); } catch (LockedException ex) { } @@ -221,7 +221,8 @@ public void testLogout() throws Exception { @Test public void testNullDefaultAuthorities() { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("user", + "password"); assertThat(this.jaasProvider.supports(UsernamePasswordAuthenticationToken.class)).isTrue(); Authentication auth = this.jaasProvider.authenticate(token); assertThat(auth.getAuthorities()).withFailMessage("Only ROLE_TEST1 and ROLE_TEST2 should have been returned") diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/Sec760Tests.java b/core/src/test/java/org/springframework/security/authentication/jaas/Sec760Tests.java index 6dd80ffe06c..8fe9cdfa227 100644 --- a/core/src/test/java/org/springframework/security/authentication/jaas/Sec760Tests.java +++ b/core/src/test/java/org/springframework/security/authentication/jaas/Sec760Tests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
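Review bot: The `try { ... } catch (LockedException ex) { }` around the changed `authenticate(...)` call in testLoginExceptionResolver passes whether or not an exception is thrown. The credentials are the same "user"/"password" pair that testFull uses for a successful login, so the configured resolver is probably never exercised here. If the test is meant to show that a failed login is mapped to LockedException, use failing credentials and assert it, as the other tests in this file do: `assertThatExceptionOfType(LockedException.class).isThrownBy(() -> this.jaasProvider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "asdf")));`. The method starts before and ends after this hunk, so a later assertion outside the visible lines may already cover this.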
@@ -56,8 +56,8 @@ private void testConfigureJaasCase(JaasAuthenticationProvider p1, JaasAuthentica } private void testAuthenticate(JaasAuthenticationProvider p1) { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password", - AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("user", + "password", AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); Authentication auth = p1.authenticate(token); assertThat(auth).isNotNull(); } diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java b/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java index 9b631a303a5..293d85bd448 100644 --- a/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java +++ b/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java @@ -44,7 +44,7 @@ public class SecurityContextLoginModuleTests { private Subject subject = new Subject(false, new HashSet<>(), new HashSet<>(), new HashSet<>()); - private UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("principal", + private UsernamePasswordAuthenticationToken auth = UsernamePasswordAuthenticationToken.unauthenticated("principal", "credentials"); @BeforeEach diff --git a/core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java index e2276352949..2cac2be22a9 100644 --- a/core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java +++ b/core/src/test/java/org/springframework/security/authentication/rcp/RemoteAuthenticationProviderTests.java 
@@ -40,8 +40,8 @@ public class RemoteAuthenticationProviderTests { public void testExceptionsGetPassedBackToCaller() { RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider(); provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(false)); - assertThatExceptionOfType(RemoteAuthenticationException.class) - .isThrownBy(() -> provider.authenticate(new UsernamePasswordAuthenticationToken("rod", "password"))); + assertThatExceptionOfType(RemoteAuthenticationException.class).isThrownBy( + () -> provider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("rod", "password"))); } @Test @@ -63,7 +63,8 @@ public void testStartupChecksAuthenticationManagerSet() throws Exception { public void testSuccessfulAuthenticationCreatesObject() { RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider(); provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(true)); - Authentication result = provider.authenticate(new UsernamePasswordAuthenticationToken("rod", "password")); + Authentication result = provider + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("rod", "password")); assertThat(result.getPrincipal()).isEqualTo("rod"); assertThat(result.getCredentials()).isEqualTo("password"); assertThat(AuthorityUtils.authorityListToSet(result.getAuthorities())).contains("foo"); 
@@ -73,8 +74,8 @@ public void testSuccessfulAuthenticationCreatesObject() { public void testNullCredentialsDoesNotCauseNullPointerException() { RemoteAuthenticationProvider provider = new RemoteAuthenticationProvider(); provider.setRemoteAuthenticationManager(new MockRemoteAuthenticationManager(false)); - assertThatExceptionOfType(RemoteAuthenticationException.class) - .isThrownBy(() -> provider.authenticate(new UsernamePasswordAuthenticationToken("rod", null))); + assertThatExceptionOfType(RemoteAuthenticationException.class).isThrownBy( + () -> provider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("rod", null))); } @Test diff --git a/core/src/test/java/org/springframework/security/authentication/rememberme/RememberMeAuthenticationTokenTests.java b/core/src/test/java/org/springframework/security/authentication/rememberme/RememberMeAuthenticationTokenTests.java index fa6b817768f..fc89bc3760c 100644 --- a/core/src/test/java/org/springframework/security/authentication/rememberme/RememberMeAuthenticationTokenTests.java +++ b/core/src/test/java/org/springframework/security/authentication/rememberme/RememberMeAuthenticationTokenTests.java @@ -76,8 +76,8 @@ public void testNotEqualsDueToAbstractParentEqualsCheck() { @Test public void testNotEqualsDueToDifferentAuthenticationClass() { RememberMeAuthenticationToken token1 = new RememberMeAuthenticationToken("key", "Test", ROLES_12); - UsernamePasswordAuthenticationToken token2 = new UsernamePasswordAuthenticationToken("Test", "Password", - ROLES_12); + UsernamePasswordAuthenticationToken token2 = UsernamePasswordAuthenticationToken.authenticated("Test", + "Password", ROLES_12); assertThat(token1.equals(token2)).isFalse(); } diff --git a/core/src/test/java/org/springframework/security/core/context/SecurityContextHolderTests.java b/core/src/test/java/org/springframework/security/core/context/SecurityContextHolderTests.java index 563f7a307ad..6aecd517ac2 100644 
--- a/core/src/test/java/org/springframework/security/core/context/SecurityContextHolderTests.java +++ b/core/src/test/java/org/springframework/security/core/context/SecurityContextHolderTests.java @@ -41,7 +41,7 @@ public final void setUp() { @Test public void testContextHolderGetterSetterClearer() { SecurityContext sc = new SecurityContextImpl(); - sc.setAuthentication(new UsernamePasswordAuthenticationToken("Foobar", "pass")); + sc.setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("Foobar", "pass")); SecurityContextHolder.setContext(sc); assertThat(SecurityContextHolder.getContext()).isEqualTo(sc); SecurityContextHolder.clearContext(); diff --git a/core/src/test/java/org/springframework/security/core/context/SecurityContextImplTests.java b/core/src/test/java/org/springframework/security/core/context/SecurityContextImplTests.java index 645151b7cff..3e15ea57234 100644 --- a/core/src/test/java/org/springframework/security/core/context/SecurityContextImplTests.java +++ b/core/src/test/java/org/springframework/security/core/context/SecurityContextImplTests.java @@ -40,7 +40,7 @@ public void testEmptyObjectsAreEquals() { @Test public void testSecurityContextCorrectOperation() { SecurityContext context = new SecurityContextImpl(); - Authentication auth = new UsernamePasswordAuthenticationToken("rod", "koala"); + Authentication auth = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); context.setAuthentication(auth); assertThat(context.getAuthentication()).isEqualTo(auth); assertThat(context.toString().lastIndexOf("rod") != -1).isTrue(); diff --git a/core/src/test/java/org/springframework/security/jackson2/SecurityContextMixinTests.java b/core/src/test/java/org/springframework/security/jackson2/SecurityContextMixinTests.java index ced0820357c..524d75d99d7 100644 --- a/core/src/test/java/org/springframework/security/jackson2/SecurityContextMixinTests.java 
+++ b/core/src/test/java/org/springframework/security/jackson2/SecurityContextMixinTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 the original author or authors. + * Copyright 2015-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,7 +47,7 @@ public class SecurityContextMixinTests extends AbstractMixinTests { @Test public void securityContextSerializeTest() throws JsonProcessingException, JSONException { SecurityContext context = new SecurityContextImpl(); - context.setAuthentication(new UsernamePasswordAuthenticationToken("admin", "1234", + context.setAuthentication(UsernamePasswordAuthenticationToken.authenticated("admin", "1234", Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")))); String actualJson = this.mapper.writeValueAsString(context); JSONAssert.assertEquals(SECURITY_CONTEXT_JSON, actualJson, true); diff --git a/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java b/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java index f28bfae6e9e..21d8815642e 100644 --- a/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java +++ b/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 the original author or authors. + * Copyright 2015-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -71,7 +71,8 @@ public class UsernamePasswordAuthenticationTokenMixinTests extends AbstractMixin @Test public void serializeUnauthenticatedUsernamePasswordAuthenticationTokenMixinTest() throws JsonProcessingException, JSONException { - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("admin", "1234"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("admin", + "1234"); String serializedJson = this.mapper.writeValueAsString(token); JSONAssert.assertEquals(UNAUTHENTICATED_STRINGPRINCIPAL_JSON, serializedJson, true); } @@ -80,8 +81,8 @@ public void serializeUnauthenticatedUsernamePasswordAuthenticationTokenMixinTest public void serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinTest() throws JsonProcessingException, JSONException { User user = createDefaultUser(); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUsername(), - user.getPassword(), user.getAuthorities()); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .authenticated(user.getUsername(), user.getPassword(), user.getAuthorities()); String serializedJson = this.mapper.writeValueAsString(token); JSONAssert.assertEquals(AUTHENTICATED_STRINGPRINCIPAL_JSON, serializedJson, true); } @@ -140,7 +141,7 @@ public void serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinWithNo throws JsonProcessingException, JSONException { NonUserPrincipal principal = new NonUserPrincipal(); principal.setUsername("admin"); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal, null, + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated(principal, null, new ArrayList<>()); String actualJson = this.mapper.writeValueAsString(token); JSONAssert.assertEquals(AUTHENTICATED_NON_USER_PRINCIPAL_JSON, actualJson, true); 
@@ -170,7 +171,8 @@ public void deserializeAuthenticatedUsernamePasswordAuthenticationTokenWithDetai @Test public void serializingThenDeserializingWithNoCredentialsOrDetailsShouldWork() throws IOException { - UsernamePasswordAuthenticationToken original = new UsernamePasswordAuthenticationToken("Frodo", null); + UsernamePasswordAuthenticationToken original = UsernamePasswordAuthenticationToken.unauthenticated("Frodo", + null); String serialized = this.mapper.writeValueAsString(original); UsernamePasswordAuthenticationToken deserialized = this.mapper.readValue(serialized, UsernamePasswordAuthenticationToken.class); @@ -181,7 +183,8 @@ public void serializingThenDeserializingWithNoCredentialsOrDetailsShouldWork() t public void serializingThenDeserializingWithConfiguredObjectMapperShouldWork() throws IOException { this.mapper.setDefaultPropertyInclusion(Value.construct(Include.ALWAYS, Include.NON_NULL)) .setSerializationInclusion(Include.NON_ABSENT); - UsernamePasswordAuthenticationToken original = new UsernamePasswordAuthenticationToken("Frodo", null); + UsernamePasswordAuthenticationToken original = UsernamePasswordAuthenticationToken.unauthenticated("Frodo", + null); String serialized = this.mapper.writeValueAsString(original); UsernamePasswordAuthenticationToken deserialized = this.mapper.readValue(serialized, UsernamePasswordAuthenticationToken.class); @@ -190,8 +193,8 @@ public void serializingThenDeserializingWithConfiguredObjectMapperShouldWork() t private UsernamePasswordAuthenticationToken createToken() { User user = createDefaultUser(); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, user.getPassword(), - user.getAuthorities()); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated(user, + user.getPassword(), user.getAuthorities()); return token; } 
diff --git a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java index 4192377632b..a04b84bdc36 100644 --- a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java +++ b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -344,14 +344,14 @@ public void updateUserDoesNotSaveAuthoritiesIfEnableAuthoritiesIsFalse() { @Test public void createNewAuthenticationUsesNullPasswordToKeepPassordsSave() { insertJoe(); - UsernamePasswordAuthenticationToken currentAuth = new UsernamePasswordAuthenticationToken("joe", null, + UsernamePasswordAuthenticationToken currentAuth = UsernamePasswordAuthenticationToken.authenticated("joe", null, AuthorityUtils.createAuthorityList("ROLE_USER")); Authentication updatedAuth = this.manager.createNewAuthentication(currentAuth, "new"); assertThat(updatedAuth.getCredentials()).isNull(); } private Authentication authenticateJoe() { - UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("joe", "password", + UsernamePasswordAuthenticationToken auth = UsernamePasswordAuthenticationToken.authenticated("joe", "password", joe.getAuthorities()); SecurityContextHolder.getContext().setAuthentication(auth); return auth; diff --git a/docs/modules/ROOT/pages/features/integrations/concurrency.adoc b/docs/modules/ROOT/pages/features/integrations/concurrency.adoc index 32535f27204..69c5978bcb8 100644 --- a/docs/modules/ROOT/pages/features/integrations/concurrency.adoc +++ b/docs/modules/ROOT/pages/features/integrations/concurrency.adoc 
@@ -137,7 +137,7 @@ You can see an example of how it might be used below: ---- SecurityContext context = SecurityContextHolder.createEmptyContext(); Authentication authentication = - new UsernamePasswordAuthenticationToken("user","doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER")); + UsernamePasswordAuthenticationToken.authenticated("user","doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER")); context.setAuthentication(authentication); SimpleAsyncTaskExecutor delegateExecutor = diff --git a/docs/modules/ROOT/pages/servlet/integrations/concurrency.adoc b/docs/modules/ROOT/pages/servlet/integrations/concurrency.adoc index 3d8036baf87..23bb319d7c7 100644 --- a/docs/modules/ROOT/pages/servlet/integrations/concurrency.adoc +++ b/docs/modules/ROOT/pages/servlet/integrations/concurrency.adoc @@ -89,7 +89,7 @@ You can see an example of how it might be used below: ---- SecurityContext context = SecurityContextHolder.createEmptyContext(); Authentication authentication = - new UsernamePasswordAuthenticationToken("user","doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER")); + UsernamePasswordAuthenticationToken.authenticated("user","doesnotmatter", AuthorityUtils.createAuthorityList("ROLE_USER")); context.setAuthentication(authentication); SimpleAsyncTaskExecutor delegateExecutor = diff --git a/docs/modules/ROOT/pages/servlet/test/method.adoc b/docs/modules/ROOT/pages/servlet/test/method.adoc index e5e639464e7..5b169a86047 100644 --- a/docs/modules/ROOT/pages/servlet/test/method.adoc +++ b/docs/modules/ROOT/pages/servlet/test/method.adoc 
@@ -512,7 +512,7 @@ public class WithMockCustomUserSecurityContextFactory CustomUserDetails principal = new CustomUserDetails(customUser.name(), customUser.username()); Authentication auth = - new UsernamePasswordAuthenticationToken(principal, "password", principal.getAuthorities()); + UsernamePasswordAuthenticationToken.authenticated(principal, "password", principal.getAuthorities()); context.setAuthentication(auth); return context; } @@ -558,7 +558,7 @@ final class WithUserDetailsSecurityContextFactory String username = withUser.value(); Assert.hasLength(username, "value() must be non-empty String"); UserDetails principal = userDetailsService.loadUserByUsername(username); - Authentication authentication = new UsernamePasswordAuthenticationToken(principal, principal.getPassword(), principal.getAuthorities()); + Authentication authentication = UsernamePasswordAuthenticationToken.authenticated(principal, principal.getPassword(), principal.getAuthorities()); SecurityContext context = SecurityContextHolder.createEmptyContext(); context.setAuthentication(authentication); return context; diff --git a/itest/context/src/integration-test/java/org/springframework/security/integration/SEC936ApplicationContextTests.java b/itest/context/src/integration-test/java/org/springframework/security/integration/SEC936ApplicationContextTests.java index cc49be6d4e0..028d94e07e2 100644 --- a/itest/context/src/integration-test/java/org/springframework/security/integration/SEC936ApplicationContextTests.java +++ b/itest/context/src/integration-test/java/org/springframework/security/integration/SEC936ApplicationContextTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -46,7 +46,7 @@ public class SEC936ApplicationContextTests { @Test public void securityInterceptorHandlesCallWithNoTargetObject() { SecurityContextHolder.getContext() - .setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword")); + .setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("bob", "bobspassword")); assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.sessionRegistry::getAllPrincipals); } diff --git a/itest/context/src/integration-test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java b/itest/context/src/integration-test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java index 2958b435fc0..df4c34f69d5 100644 --- a/itest/context/src/integration-test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java +++ b/itest/context/src/integration-test/java/org/springframework/security/integration/python/PythonInterpreterBasedSecurityTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,7 +35,7 @@ public class PythonInterpreterBasedSecurityTests { @Test public void serviceMethod() { SecurityContextHolder.getContext() - .setAuthentication(new UsernamePasswordAuthenticationToken("bob", "bobspassword")); + .setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("bob", "bobspassword")); // for (int i=0; i < 1000; i++) { this.service.someMethod(); diff --git a/itest/context/src/integration-test/java/org/springframework/security/performance/FilterChainPerformanceTests.java b/itest/context/src/integration-test/java/org/springframework/security/performance/FilterChainPerformanceTests.java index e53d4f839e6..50260081359 100644 
--- a/itest/context/src/integration-test/java/org/springframework/security/performance/FilterChainPerformanceTests.java +++ b/itest/context/src/integration-test/java/org/springframework/security/performance/FilterChainPerformanceTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -58,7 +58,7 @@ public class FilterChainPerformanceTests { private static StopWatch sw = new StopWatch("Filter Chain Performance Tests"); - private final UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken("bob", + private final UsernamePasswordAuthenticationToken user = UsernamePasswordAuthenticationToken.authenticated("bob", "bobspassword", createRoles(N_AUTHORITIES)); private HttpSession session; @@ -129,8 +129,8 @@ public void provideDataOnScalingWithNumberOfAuthoritiesUserHas() throws Exceptio StopWatch sw = new StopWatch("Scaling with nAuthorities"); for (int user = 0; user < N_AUTHORITIES / 10; user++) { int nAuthorities = (user != 0) ? user * 10 : 1; - SecurityContextHolder.getContext().setAuthentication( - new UsernamePasswordAuthenticationToken("bob", "bobspassword", createRoles(nAuthorities))); + SecurityContextHolder.getContext().setAuthentication(UsernamePasswordAuthenticationToken + .authenticated("bob", "bobspassword", createRoles(nAuthorities))); this.session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext()); SecurityContextHolder.clearContext(); diff --git a/itest/misc/src/integration-test/java/org/springframework/security/context/SecurityContextHolderMTTests.java b/itest/misc/src/integration-test/java/org/springframework/security/context/SecurityContextHolderMTTests.java index 4a09b0afc33..380941cad6c 100644 
--- a/itest/misc/src/integration-test/java/org/springframework/security/context/SecurityContextHolderMTTests.java +++ b/itest/misc/src/integration-test/java/org/springframework/security/context/SecurityContextHolderMTTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -117,7 +117,7 @@ private void loadStartAndWaitForThreads(boolean topLevelThread, String prefix, i } else if (expectAllThreadsToUseIdenticalAuthentication) { // A global SecurityContextHolder.getContext() - .setAuthentication(new UsernamePasswordAuthenticationToken("GLOBAL_USERNAME", + .setAuthentication(UsernamePasswordAuthenticationToken.unauthenticated("GLOBAL_USERNAME", "pass")); for (int i = 0; i < threads.length; i++) { @@ -182,7 +182,7 @@ private Thread makeThread(final String threadIdentifier, final boolean topLevelT public void run() { if (injectAuthIntoCurrentThread) { // Set authentication in this thread - SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken( + SecurityContextHolder.getContext().setAuthentication(UsernamePasswordAuthenticationToken.authenticated( expectedUsername, "pass")); //System.out.println(threadIdentifier + " - set to " + SecurityContextHolder.getContext().getAuthentication()); diff --git a/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java b/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java index bfffaa17de7..789df1813de 100644 --- a/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java +++ b/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/BindAuthenticatorTests.java 
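Review bot: In `run()` inside makeThread, the old call `new UsernamePasswordAuthenticationToken(expectedUsername, "pass")` used the two-argument form, which the rest of this commit converts to `unauthenticated(...)`, but here it becomes `UsernamePasswordAuthenticationToken.authenticated(expectedUsername, "pass")`. Every other `authenticated(...)` call in the diff passes an authorities collection as a third argument, so this two-argument call most likely does not compile. If some overload did accept it, the token would silently change from untrusted to trusted. The line should read `UsernamePasswordAuthenticationToken.unauthenticated(expectedUsername, "pass")`, matching the GLOBAL_USERNAME hunk in the same file. `run()` continues outside the hunk.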
@@ -56,14 +56,14 @@ public class BindAuthenticatorTests { public void setUp() { this.authenticator = new BindAuthenticator(this.contextSource); this.authenticator.setMessageSource(new SpringSecurityMessageSource()); - this.bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword"); + this.bob = UsernamePasswordAuthenticationToken.unauthenticated("bob", "bobspassword"); } @Test public void emptyPasswordIsRejected() { - assertThatExceptionOfType(BadCredentialsException.class) - .isThrownBy(() -> this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("jen", ""))); + assertThatExceptionOfType(BadCredentialsException.class).isThrownBy( + () -> this.authenticator.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("jen", ""))); } @Test @@ -72,14 +72,15 @@ public void testAuthenticationWithCorrectPasswordSucceeds() { DirContextOperations user = this.authenticator.authenticate(this.bob); assertThat(user.getStringAttribute("uid")).isEqualTo("bob"); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("mouse, jerry", "jerryspassword")); + this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("mouse, jerry", "jerryspassword")); } @Test public void testAuthenticationWithInvalidUserNameFails() { this.authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" }); assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> this.authenticator - .authenticate(new UsernamePasswordAuthenticationToken("nonexistentsuser", "password"))); + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("nonexistentsuser", "password"))); } @Test 
@@ -93,14 +94,18 @@ public void testAuthenticationWithUserSearch() throws Exception { assertThat(result.getStringAttribute("cn")).isEqualTo("Bob Hamilton"); // SEC-1444 this.authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=people", "(cn={0})", this.contextSource)); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("mouse, jerry", "jerryspassword")); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("slash/guy", "slashguyspassword")); + this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("mouse, jerry", "jerryspassword")); + this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("slash/guy", "slashguyspassword")); // SEC-1661 this.authenticator.setUserSearch( new FilterBasedLdapUserSearch("ou=\\\"quoted people\\\"", "(cn={0})", this.contextSource)); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("quote\"guy", "quoteguyspassword")); + this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("quote\"guy", "quoteguyspassword")); this.authenticator.setUserSearch(new FilterBasedLdapUserSearch("", "(cn={0})", this.contextSource)); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("quote\"guy", "quoteguyspassword")); + this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("quote\"guy", "quoteguyspassword")); } /* 
@@ -127,8 +132,8 @@ public void testAuthenticationWithUserSearch() throws Exception { @Test public void testAuthenticationWithWrongPasswordFails() { this.authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" }); - assertThatExceptionOfType(BadCredentialsException.class).isThrownBy( - () -> this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("bob", "wrongpassword"))); + assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("bob", "wrongpassword"))); } @Test diff --git a/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java b/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java index 645da5c9623..0994a2b4b41 100644 --- a/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java +++ b/ldap/src/integration-test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorTests.java @@ -63,8 +63,8 @@ public void setUp() { this.authenticator = new PasswordComparisonAuthenticator(this.contextSource); this.authenticator.setPasswordEncoder(NoOpPasswordEncoder.getInstance()); this.authenticator.setUserDnPatterns(new String[] { "uid={0},ou=people" }); - this.bob = new UsernamePasswordAuthenticationToken("bob", "bobspassword"); - this.ben = new UsernamePasswordAuthenticationToken("ben", "benspassword"); + this.bob = UsernamePasswordAuthenticationToken.unauthenticated("bob", "bobspassword"); + this.ben = UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"); } @Test 
@@ -81,16 +81,16 @@ public void testFailedSearchGivesUserNotFoundException() throws Exception { .isEmpty(); this.authenticator.setUserSearch(new MockUserSearch(null)); this.authenticator.afterPropertiesSet(); - assertThatExceptionOfType(UsernameNotFoundException.class).isThrownBy( - () -> this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("Joe", "pass"))); + assertThatExceptionOfType(UsernameNotFoundException.class).isThrownBy(() -> this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("Joe", "pass"))); } @Test public void testLdapPasswordCompareFailsWithWrongPassword() { // Don't retrieve the password this.authenticator.setUserAttributes(new String[] { "uid", "cn", "sn" }); - assertThatExceptionOfType(BadCredentialsException.class).isThrownBy( - () -> this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("bob", "wrongpass"))); + assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("bob", "wrongpass"))); } @Test @@ -131,14 +131,14 @@ public void testPasswordEncoderCantBeNull() { @Test public void testUseOfDifferentPasswordAttributeSucceeds() { this.authenticator.setPasswordAttributeName("uid"); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("bob", "bob")); + this.authenticator.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("bob", "bob")); } @Test public void testLdapCompareWithDifferentPasswordAttributeSucceeds() { this.authenticator.setUserAttributes(new String[] { "uid" }); this.authenticator.setPasswordAttributeName("cn"); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("ben", "Ben Alex")); + this.authenticator.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("ben", "Ben Alex")); } @Test 
@@ -152,7 +152,8 @@ public void testWithUserSearch() { ctx.setAttributeValue("userPassword", "bobspassword"); this.authenticator.setUserSearch(new MockUserSearch(ctx)); - this.authenticator.authenticate(new UsernamePasswordAuthenticationToken("shouldntbeused", "bobspassword")); + this.authenticator + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("shouldntbeused", "bobspassword")); } } diff --git a/ldap/src/integration-test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsManagerTests.java b/ldap/src/integration-test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsManagerTests.java index ee2d1be55eb..db29d648807 100644 --- a/ldap/src/integration-test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsManagerTests.java +++ b/ldap/src/integration-test/java/org/springframework/security/ldap/userdetails/LdapUserDetailsManagerTests.java @@ -192,8 +192,8 @@ public void testPasswordChangeWithCorrectOldPasswordSucceeds() { this.mgr.createUser(p.createUserDetails()); - SecurityContextHolder.getContext().setAuthentication( - new UsernamePasswordAuthenticationToken("johnyossarian", "yossarianspassword", TEST_AUTHORITIES)); + SecurityContextHolder.getContext().setAuthentication(UsernamePasswordAuthenticationToken + .authenticated("johnyossarian", "yossarianspassword", TEST_AUTHORITIES)); this.mgr.changePassword("yossarianspassword", "yossariansnewpassword"); 
@@ -211,8 +211,8 @@ public void testPasswordChangeWithWrongOldPasswordFails() { p.setPassword("yossarianspassword"); p.setAuthorities(TEST_AUTHORITIES); this.mgr.createUser(p.createUserDetails()); - SecurityContextHolder.getContext().setAuthentication( - new UsernamePasswordAuthenticationToken("johnyossarian", "yossarianspassword", TEST_AUTHORITIES)); + SecurityContextHolder.getContext().setAuthentication(UsernamePasswordAuthenticationToken + .authenticated("johnyossarian", "yossarianspassword", TEST_AUTHORITIES)); assertThatExceptionOfType(BadCredentialsException.class) .isThrownBy(() -> this.mgr.changePassword("wrongpassword", "yossariansnewpassword")); } diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java index 5b7fb37ce54..5263f9cecb8 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java +++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -99,7 +99,7 @@ protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenti UserDetails user) { Object password = this.useAuthenticationRequestCredentials ? authentication.getCredentials() : user.getPassword(); - UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(user, password, + UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken.authenticated(user, password, this.authoritiesMapper.mapAuthorities(user.getAuthorities())); result.setDetails(authentication.getDetails()); this.logger.debug("Authenticated user"); diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java index c006829f183..092523f2277 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java 
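Review bot: `createSuccessfulAuthentication` now says explicitly that its result is a trusted token, but nothing near the `authenticated(...)` call documents which credential value ends up on it. When `useAuthenticationRequestCredentials` is false the token carries `user.getPassword()`, which may be a stored hash rather than the submitted password (the provider test in this commit asserts a `{SHA}` value). I would add a comment above the factory call such as `// trusted token: credentials are the request password or the directory value and stay on the token until the caller erases them`. The method begins above the hunk, so an existing Javadoc may already cover part of this.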
@@ -67,16 +67,17 @@ public void testDefaultMapperIsSet() { public void testEmptyOrNullUserNameThrowsException() { LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(), new MockAuthoritiesPopulator()); - assertThatExceptionOfType(BadCredentialsException.class) - .isThrownBy(() -> ldapProvider.authenticate(new UsernamePasswordAuthenticationToken(null, "password"))); assertThatExceptionOfType(BadCredentialsException.class).isThrownBy( - () -> ldapProvider.authenticate(new UsernamePasswordAuthenticationToken("", "bobspassword"))); + () -> ldapProvider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated(null, "password"))); + assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> ldapProvider + .authenticate(UsernamePasswordAuthenticationToken.unauthenticated("", "bobspassword"))); } @Test public void usernameNotFoundExceptionIsHiddenByDefault() { final LdapAuthenticator authenticator = mock(LdapAuthenticator.class); - final UsernamePasswordAuthenticationToken joe = new UsernamePasswordAuthenticationToken("joe", "password"); + final UsernamePasswordAuthenticationToken joe = UsernamePasswordAuthenticationToken.unauthenticated("joe", + "password"); given(authenticator.authenticate(joe)).willThrow(new UsernameNotFoundException("nobody")); LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator); assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> provider.authenticate(joe)); 
@@ -85,7 +86,8 @@ public void usernameNotFoundExceptionIsHiddenByDefault() { @Test public void usernameNotFoundExceptionIsNotHiddenIfConfigured() { final LdapAuthenticator authenticator = mock(LdapAuthenticator.class); - final UsernamePasswordAuthenticationToken joe = new UsernamePasswordAuthenticationToken("joe", "password"); + final UsernamePasswordAuthenticationToken joe = UsernamePasswordAuthenticationToken.unauthenticated("joe", + "password"); given(authenticator.authenticate(joe)).willThrow(new UsernameNotFoundException("nobody")); LdapAuthenticationProvider provider = new LdapAuthenticationProvider(authenticator); provider.setHideUserNotFoundExceptions(false); @@ -100,7 +102,7 @@ public void normalUsage() { userMapper.setRoleAttributes(new String[] { "ou" }); ldapProvider.setUserDetailsContextMapper(userMapper); assertThat(ldapProvider.getAuthoritiesPopulator()).isNotNull(); - UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken("ben", + UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"); Object authDetails = new Object(); authRequest.setDetails(authDetails); @@ -121,7 +123,7 @@ public void passwordIsSetFromUserDataIfUseAuthenticationRequestCredentialsIsFals LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(new MockAuthenticator(), new MockAuthoritiesPopulator()); ldapProvider.setUseAuthenticationRequestCredentials(false); - UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken("ben", + UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"); Authentication authResult = ldapProvider.authenticate(authRequest); assertThat(authResult.getCredentials()).isEqualTo("{SHA}nFCebWjxfaLbHHG1Qk5UU4trbvQ="); 
@@ -133,7 +135,7 @@ public void useWithNullAuthoritiesPopulatorReturnsCorrectRole() { LdapUserDetailsMapper userMapper = new LdapUserDetailsMapper(); userMapper.setRoleAttributes(new String[] { "ou" }); ldapProvider.setUserDetailsContextMapper(userMapper); - UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken("ben", + UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"); UserDetails user = (UserDetails) ldapProvider.authenticate(authRequest).getPrincipal(); assertThat(user.getAuthorities()).hasSize(1); @@ -142,7 +144,7 @@ public void useWithNullAuthoritiesPopulatorReturnsCorrectRole() { @Test public void authenticateWithNamingException() { - UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken("ben", + UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated("ben", "benspassword"); LdapAuthenticator mockAuthenticator = mock(LdapAuthenticator.class); CommunicationException expectedCause = new CommunicationException(new javax.naming.CommunicationException()); diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java index 3cc38176eb4..ec5432367c7 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/PasswordComparisonAuthenticatorMockTests.java 
@@ -53,7 +53,7 @@ public void ldapCompareOperationIsUsedWhenPasswordIsNotRetrieved() throws Except final NamingEnumeration searchResults = new BasicAttributes("", null).getAll(); given(dirCtx.search(eq("cn=Bob,ou=people"), eq("(userPassword={0})"), any(Object[].class), any(SearchControls.class))).willReturn(searchResults); - authenticator.authenticate(new UsernamePasswordAuthenticationToken("Bob", "bobspassword")); + authenticator.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("Bob", "bobspassword")); } } diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java index 4d0a5bc2a6c..e0d28f9392e 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -68,7 +68,7 @@ public class ActiveDirectoryLdapAuthenticationProviderTests { ActiveDirectoryLdapAuthenticationProvider provider; - UsernamePasswordAuthenticationToken joe = new UsernamePasswordAuthenticationToken("joe", "password"); + UsernamePasswordAuthenticationToken joe = UsernamePasswordAuthenticationToken.unauthenticated("joe", "password"); @BeforeEach public void setUp() { 
@@ -162,7 +162,7 @@ public void nullDomainIsSupportedIfAuthenticatingWithFullUserPrincipal() throws any(SearchControls.class))).willReturn(new MockNamingEnumeration(sr)); this.provider.contextFactory = createContextFactoryReturning(ctx); assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> this.provider.authenticate(this.joe)); - this.provider.authenticate(new UsernamePasswordAuthenticationToken("joe@mydomain.eu", "password")); + this.provider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("joe@mydomain.eu", "password")); } @Test @@ -189,8 +189,8 @@ public void noUserSearchCausesUsernameNotFound() throws Exception { // SEC-2500 @Test public void sec2500PreventAnonymousBind() { - assertThatExceptionOfType(BadCredentialsException.class) - .isThrownBy(() -> this.provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", ""))); + assertThatExceptionOfType(BadCredentialsException.class).isThrownBy( + () -> this.provider.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("rwinch", ""))); } @Test diff --git a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java index 2bc034861d4..8a90e415974 100644 --- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java +++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java 
@@ -162,7 +162,8 @@ public void testDoesntSupport() { public void testIgnoresUserPassAuthToken() { OpenIDAuthenticationProvider provider = new OpenIDAuthenticationProvider(); provider.setUserDetailsService(new MockUserDetailsService()); - UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(USERNAME, "password"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(USERNAME, + "password"); assertThat(provider.authenticate(token)).isNull(); } diff --git a/remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java b/remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java index a6f526909ed..078d819823d 100644 --- a/remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java +++ b/remoting/src/main/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocation.java @@ -118,7 +118,7 @@ public Object invoke(Object targetObject) * Creates the server-side authentication request object. */ protected Authentication createAuthenticationRequest(String principal, String credentials) { - return new UsernamePasswordAuthenticationToken(principal, credentials); + return UsernamePasswordAuthenticationToken.unauthenticated(principal, credentials); } } diff --git a/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java b/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java index 859ded84727..ef0df2cf8c1 100644 --- a/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java +++ b/remoting/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java 
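Review bot: The Javadoc on `createAuthenticationRequest` in ContextPropagatingRemoteInvocation does not say that the returned token is unauthenticated, which the new factory call in the body now makes explicit. The method is `protected`, so subclasses can override it, and I would extend the comment to `Creates the server-side authentication request object. The returned token is unauthenticated and carries the propagated credentials; it must pass through authentication on the server before it is treated as trusted.` An override that returned an authenticated token would presumably bypass that step, which is why the contract is worth stating here.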
@@ -48,7 +48,8 @@ public void tearDown() { @Test public void testNormalOperation() throws Exception { // Setup client-side context - Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("Aladdin", "open sesame"); + Authentication clientSideAuthentication = UsernamePasswordAuthenticationToken.unauthenticated("Aladdin", + "open sesame"); SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication); // Create a connection and ensure our executor sets its // properties correctly diff --git a/remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java b/remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java index ed37bc00a9e..facd4cea0f4 100644 --- a/remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java +++ b/remoting/src/test/java/org/springframework/security/remoting/rmi/ContextPropagatingRemoteInvocationTests.java @@ -56,7 +56,7 @@ private ContextPropagatingRemoteInvocation getRemoteInvocation() throws Exceptio @Test public void testContextIsResetEvenIfExceptionOccurs() throws Exception { // Setup client-side context - Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("rod", "koala"); + Authentication clientSideAuthentication = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication); ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation(); // Set up the wrong arguments. 
@@ -70,7 +70,7 @@ public void testContextIsResetEvenIfExceptionOccurs() throws Exception { @Test public void testNormalOperation() throws Exception { // Setup client-side context - Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("rod", "koala"); + Authentication clientSideAuthentication = UsernamePasswordAuthenticationToken.unauthenticated("rod", "koala"); SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication); ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation(); // Set to null, as ContextPropagatingRemoteInvocation already obtained @@ -95,7 +95,7 @@ public void testNullContextHolderDoesNotCauseInvocationProblems() throws Excepti // SEC-1867 @Test public void testNullCredentials() throws Exception { - Authentication clientSideAuthentication = new UsernamePasswordAuthenticationToken("rod", null); + Authentication clientSideAuthentication = UsernamePasswordAuthenticationToken.unauthenticated("rod", null); SecurityContextHolder.getContext().setAuthentication(clientSideAuthentication); ContextPropagatingRemoteInvocation remoteInvocation = getRemoteInvocation(); assertThat(ReflectionTestUtils.getField(remoteInvocation, "credentials")).isNull(); diff --git a/rsocket/src/main/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadExchangeConverter.java b/rsocket/src/main/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadExchangeConverter.java index b804004ae58..bbe90e5eb83 100644 --- a/rsocket/src/main/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadExchangeConverter.java +++ b/rsocket/src/main/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadExchangeConverter.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 the original author or authors. + * Copyright 2019-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -96,7 +96,7 @@ private Authentication simple(ByteBuf rawAuthentication) { String username = rawUsername.toString(StandardCharsets.UTF_8); ByteBuf rawPassword = AuthMetadataCodec.readPassword(rawAuthentication); String password = rawPassword.toString(StandardCharsets.UTF_8); - return new UsernamePasswordAuthenticationToken(username, password); + return UsernamePasswordAuthenticationToken.unauthenticated(username, password); } private Authentication bearer(ByteBuf rawAuthentication) { diff --git a/rsocket/src/main/java/org/springframework/security/rsocket/authentication/BasicAuthenticationPayloadExchangeConverter.java b/rsocket/src/main/java/org/springframework/security/rsocket/authentication/BasicAuthenticationPayloadExchangeConverter.java index 1a806c3bb80..0d3a9cc76d9 100644 --- a/rsocket/src/main/java/org/springframework/security/rsocket/authentication/BasicAuthenticationPayloadExchangeConverter.java +++ b/rsocket/src/main/java/org/springframework/security/rsocket/authentication/BasicAuthenticationPayloadExchangeConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2019 the original author or authors. + * Copyright 2019-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -49,9 +49,8 @@ public Mono convert(PayloadExchange exchange) { return Mono.fromCallable(() -> this.metadataExtractor.extract(exchange.getPayload(), this.metadataMimetype)) .flatMap((metadata) -> Mono .justOrEmpty(metadata.get(UsernamePasswordMetadata.BASIC_AUTHENTICATION_MIME_TYPE.toString()))) - .cast(UsernamePasswordMetadata.class) - .map((credentials) -> new UsernamePasswordAuthenticationToken(credentials.getUsername(), - credentials.getPassword())); + .cast(UsernamePasswordMetadata.class).map((credentials) -> UsernamePasswordAuthenticationToken + .unauthenticated(credentials.getUsername(), credentials.getPassword())); } private static MetadataExtractor createDefaultExtractor() { diff --git a/rsocket/src/test/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadInterceptorTests.java b/rsocket/src/test/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadInterceptorTests.java index c622ef7cc8f..82495f2cb96 100644 --- a/rsocket/src/test/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadInterceptorTests.java +++ b/rsocket/src/test/java/org/springframework/security/rsocket/authentication/AuthenticationPayloadInterceptorTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2019 the original author or authors. + * Copyright 2019-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -89,8 +89,8 @@ public void interceptWhenBasicCredentialsThenAuthenticates() { interceptor.intercept(exchange, authenticationPayloadChain).block(); Authentication authentication = authenticationPayloadChain.getAuthentication(); verify(this.authenticationManager).authenticate(this.authenticationArg.capture()); - assertThat(this.authenticationArg.getValue()) - .isEqualToComparingFieldByField(new UsernamePasswordAuthenticationToken("user", "password")); + assertThat(this.authenticationArg.getValue()).isEqualToComparingFieldByField( + UsernamePasswordAuthenticationToken.unauthenticated("user", "password")); assertThat(authentication).isEqualTo(expectedAuthentication); } diff --git a/test/src/main/java/org/springframework/security/test/context/support/WithMockUserSecurityContextFactory.java b/test/src/main/java/org/springframework/security/test/context/support/WithMockUserSecurityContextFactory.java index 513723c1f13..323e1306803 100644 --- a/test/src/main/java/org/springframework/security/test/context/support/WithMockUserSecurityContextFactory.java +++ b/test/src/main/java/org/springframework/security/test/context/support/WithMockUserSecurityContextFactory.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
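Review bot: In `interceptWhenBasicCredentialsThenAuthenticates` the requirement that the interceptor passes an unauthenticated token to the `AuthenticationManager` is only implied by the field-by-field comparison against `unauthenticated("user", "password")`. That comparison presumably covers the authenticated flag, but a reader cannot tell that this is the property under test. I would pin it directly after the comparison with `assertThat(this.authenticationArg.getValue().isAuthenticated()).isFalse();`. The test method begins above the hunk.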
@@ -58,8 +58,8 @@ else if (!(withUser.roles().length == 1 && "USER".equals(withUser.roles()[0]))) + " with authorities attribute " + Arrays.asList(withUser.authorities())); } User principal = new User(username, withUser.password(), true, true, true, true, grantedAuthorities); - Authentication authentication = new UsernamePasswordAuthenticationToken(principal, principal.getPassword(), - principal.getAuthorities()); + Authentication authentication = UsernamePasswordAuthenticationToken.authenticated(principal, + principal.getPassword(), principal.getAuthorities()); SecurityContext context = SecurityContextHolder.createEmptyContext(); context.setAuthentication(authentication); return context; diff --git a/test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java b/test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java index cabc9e348bc..b9d6b7ce537 100644 --- a/test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java +++ b/test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -59,8 +59,8 @@ public SecurityContext createSecurityContext(WithUserDetails withUser) {
 String username = withUser.value();
 Assert.hasLength(username, "value() must be non empty String");
 UserDetails principal = userDetailsService.loadUserByUsername(username);
- Authentication authentication = new UsernamePasswordAuthenticationToken(principal, principal.getPassword(),
- principal.getAuthorities());
+ Authentication authentication = UsernamePasswordAuthenticationToken.authenticated(principal,
+ principal.getPassword(), principal.getAuthorities());
 SecurityContext context = SecurityContextHolder.createEmptyContext();
 context.setAuthentication(authentication);
 return context;
diff --git a/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java b/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
index c77a889f8f1..174a3188799 100644
--- a/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
+++ b/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -134,8 +134,8 @@ public static T mockA
 * @return the configurer to use
 */
 public static T mockUser(UserDetails userDetails) {
- return mockAuthentication(new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(),
- userDetails.getAuthorities()));
+ return mockAuthentication(UsernamePasswordAuthenticationToken.authenticated(userDetails,
+ userDetails.getPassword(), userDetails.getAuthorities()));
 }
 /**
diff --git a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
index 3d9322a928c..33c2db2066c 100644
--- a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
+++ b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -872,7 +872,7 @@ private static final class UserDetailsRequestPostProcessor implements RequestPos
 private final RequestPostProcessor delegate;
 UserDetailsRequestPostProcessor(UserDetails user) {
- Authentication token = new UsernamePasswordAuthenticationToken(user, user.getPassword(),
+ Authentication token = UsernamePasswordAuthenticationToken.authenticated(user, user.getPassword(),
 user.getAuthorities());
 this.delegate = new AuthenticationRequestPostProcessor(token);
 }
diff --git a/test/src/test/java/org/springframework/security/test/context/showcase/WithMockCustomUserSecurityContextFactory.java b/test/src/test/java/org/springframework/security/test/context/showcase/WithMockCustomUserSecurityContextFactory.java
index d174584cb1a..79f59ded86b 100644
--- a/test/src/test/java/org/springframework/security/test/context/showcase/WithMockCustomUserSecurityContextFactory.java
+++ b/test/src/test/java/org/springframework/security/test/context/showcase/WithMockCustomUserSecurityContextFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -31,7 +31,7 @@ public class WithMockCustomUserSecurityContextFactory implements WithSecurityCon
 public SecurityContext createSecurityContext(WithMockCustomUser customUser) {
 SecurityContext context = SecurityContextHolder.createEmptyContext();
 CustomUserDetails principal = new CustomUserDetails(customUser.name(), customUser.username());
- Authentication auth = new UsernamePasswordAuthenticationToken(principal, "password",
+ Authentication auth = UsernamePasswordAuthenticationToken.authenticated(principal, "password",
 principal.getAuthorities());
 context.setAuthentication(auth);
 return context;
diff --git a/web/src/main/java/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java
index e1a444594fb..67e1f4e0c0e 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java
@@ -79,7 +79,8 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 username = username.trim();
 String password = obtainPassword(request);
 password = (password != null) ? password : "";
- UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
+ UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username,
+ password);
 // Allow subclasses to set the "details" property
 setDetails(request, authRequest);
 return this.getAuthenticationManager().authenticate(authRequest);
diff --git a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
index cd716fbfe5a..737aa6a9ea9 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
@@ -297,7 +297,8 @@ private UsernamePasswordAuthenticationToken createSwitchUserToken(HttpServletReq
 List newAuths = new ArrayList<>(orig);
 newAuths.add(switchAuthority);
 // create the new authentication token
- targetUserRequest = new UsernamePasswordAuthenticationToken(targetUser, targetUser.getPassword(), newAuths);
+ targetUserRequest = UsernamePasswordAuthenticationToken.authenticated(targetUser, targetUser.getPassword(),
+ newAuths);
 // set details
 targetUserRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
 return targetUserRequest;
diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
index 2e39a676245..f7aae1c84aa 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
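Review bot: The impersonation token built in the SwitchUserFilter hunk still carries `targetUser.getPassword()` as its credentials, although the switching user never presented that password; the SwitchUserWebFilter hunk further down does the same. Whether the credentials are erased later is not visible here, and `createSwitchUserToken` starts outside the hunk. If nothing downstream reads them, passing `null` as the second argument to `authenticated(...)` would keep the target user's stored password out of the switched token; otherwise a comment such as `// credentials are the target user's stored password, not a value supplied by the switching user` would record the intent.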
@@ -94,8 +94,8 @@ public UsernamePasswordAuthenticationToken convert(HttpServletRequest request) {
 if (delim == -1) {
 throw new BadCredentialsException("Invalid basic authentication token");
 }
- UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(token.substring(0, delim),
- token.substring(delim + 1));
+ UsernamePasswordAuthenticationToken result = UsernamePasswordAuthenticationToken
+ .unauthenticated(token.substring(0, delim), token.substring(delim + 1));
 result.setDetails(this.authenticationDetailsSource.buildDetails(request));
 return result;
 }
diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
index 21efe4f5f8e..730df97a8cb 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
@@ -203,9 +203,9 @@ private Authentication createSuccessfulAuthentication(HttpServletRequest request
 private UsernamePasswordAuthenticationToken getAuthRequest(UserDetails user) {
 if (this.createAuthenticatedToken) {
- return new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
+ return UsernamePasswordAuthenticationToken.authenticated(user, user.getPassword(), user.getAuthorities());
 }
- return new UsernamePasswordAuthenticationToken(user, user.getPassword());
+ return UsernamePasswordAuthenticationToken.unauthenticated(user, user.getPassword());
 }
 private void fail(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed)
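Review bot: `getAuthRequest` in the DigestAuthenticationFilter hunk has no comment explaining why it can return an unauthenticated token, and with the factory names spelled out its two branches now read as a security decision. A short Javadoc would help: it should say that the token is authenticated with the user's authorities only when `createAuthenticatedToken` is set, and is otherwise returned unauthenticated. What consumes the unauthenticated token afterwards is not visible in this hunk, so that part of the comment should be confirmed against the caller.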
diff --git a/web/src/main/java/org/springframework/security/web/server/ServerFormLoginAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/ServerFormLoginAuthenticationConverter.java
index 9d538ad0aa4..01fa28c6b09 100644
--- a/web/src/main/java/org/springframework/security/web/server/ServerFormLoginAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/ServerFormLoginAuthenticationConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -52,7 +52,7 @@ public Mono apply(ServerWebExchange exchange) {
 private UsernamePasswordAuthenticationToken createAuthentication(MultiValueMap data) {
 String username = data.getFirst(this.usernameParameter);
 String password = data.getFirst(this.passwordParameter);
- return new UsernamePasswordAuthenticationToken(username, password);
+ return UsernamePasswordAuthenticationToken.unauthenticated(username, password);
 }
 /**
diff --git a/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
index 3f58b31ec7c..db33e5e107d 100644
--- a/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
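Review bot: `createAuthentication` in ServerFormLoginAuthenticationConverter passes the results of `data.getFirst(...)` straight to `unauthenticated(username, password)`, so a form post that omits either field yields a token with a null principal or null credentials. The servlet UsernamePasswordAuthenticationFilter hunk in this same commit normalises a missing password with `password = (password != null) ? password : "";`. Doing the same here, e.g. `unauthenticated((username != null) ? username : "", (password != null) ? password : "")`, would keep a null from reaching the authentication manager. Depending on the password encoder, which is not visible here, a null may surface there as an exception rather than as a failed login.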
@@ -58,7 +58,7 @@ public Mono apply(ServerWebExchange exchange) {
 if (parts.length != 2) {
 return Mono.empty();
 }
- return Mono.just(new UsernamePasswordAuthenticationToken(parts[0], parts[1]));
+ return Mono.just(UsernamePasswordAuthenticationToken.unauthenticated(parts[0], parts[1]));
 }
 private byte[] base64Decode(String value) {
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java b/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java
index 000b0caaa40..cb1ae04807f 100644
--- a/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -261,7 +261,7 @@ private Authentication createSwitchUserToken(UserDetails targetUser, Authenticat
 Collection targetUserAuthorities = targetUser.getAuthorities();
 List extendedTargetUserAuthorities = new ArrayList<>(targetUserAuthorities);
 extendedTargetUserAuthorities.add(switchAuthority);
- return new UsernamePasswordAuthenticationToken(targetUser, targetUser.getPassword(),
+ return UsernamePasswordAuthenticationToken.authenticated(targetUser, targetUser.getPassword(),
 extendedTargetUserAuthorities);
 }
diff --git a/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java b/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
index ed6208b9385..57853a39b84 100644
--- a/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
+++ b/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -237,8 +237,8 @@ public void login(String username, String password) throws ServletException {
 private Authentication getAuthentication(AuthenticationManager authManager, String username, String password)
 throws ServletException {
 try {
- UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(username,
- password);
+ UsernamePasswordAuthenticationToken authentication = UsernamePasswordAuthenticationToken
+ .unauthenticated(username, password);
 Object details = HttpServlet3RequestFactory.this.authenticationDetailsSource.buildDetails(this);
 authentication.setDetails(details);
 return authManager.authenticate(authentication);
diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java
index c41c12eab80..7a84fbee064 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java
@@ -440,7 +440,7 @@ private MockAuthenticationFilter(RequestMatcher requiresAuthenticationRequestMat
 public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
 throws AuthenticationException {
 if (this.grantAccess) {
- return new UsernamePasswordAuthenticationToken("test", "test",
+ return UsernamePasswordAuthenticationToken.authenticated("test", "test",
 AuthorityUtils.createAuthorityList("TEST"));
 }
 else {
diff --git a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
index d32323c4e72..1332ed4fe7f 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -251,8 +251,8 @@ public void requiresAuthenticationFalsePrincipalNotString() throws Exception {
 @Test
 public void requiresAuthenticationFalsePrincipalUser() throws Exception {
 User currentPrincipal = new User("user", "password", AuthorityUtils.createAuthorityList("ROLE_USER"));
- UsernamePasswordAuthenticationToken currentAuthentication = new UsernamePasswordAuthenticationToken(
- currentPrincipal, currentPrincipal.getPassword(), currentPrincipal.getAuthorities());
+ UsernamePasswordAuthenticationToken currentAuthentication = UsernamePasswordAuthenticationToken
+ .authenticated(currentPrincipal, currentPrincipal.getPassword(), currentPrincipal.getAuthorities());
 SecurityContextHolder.getContext().setAuthentication(currentAuthentication);
 MockHttpServletRequest request = new MockHttpServletRequest();
 MockHttpServletResponse response = new MockHttpServletResponse();
diff --git a/web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationProviderTests.java b/web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationProviderTests.java
index 671385b8f8e..b278c8c2ce2 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationProviderTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/preauth/PreAuthenticatedAuthenticationProviderTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -46,7 +46,7 @@ public final void afterPropertiesSet() {
 public final void authenticateInvalidToken() throws Exception {
 UserDetails ud = new User("dummyUser", "dummyPwd", true, true, true, true, AuthorityUtils.NO_AUTHORITIES);
 PreAuthenticatedAuthenticationProvider provider = getProvider(ud);
- Authentication request = new UsernamePasswordAuthenticationToken("dummyUser", "dummyPwd");
+ Authentication request = UsernamePasswordAuthenticationToken.unauthenticated("dummyUser", "dummyPwd");
 Authentication result = provider.authenticate(request);
 assertThat(result).isNull();
 }
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
index a8912f326a3..d788ca654cf 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -287,7 +287,7 @@ public void loginSuccessCallsOnLoginSuccessCorrectly() {
 MockRememberMeServices services = new MockRememberMeServices(this.uds);
 MockHttpServletRequest request = new MockHttpServletRequest();
 MockHttpServletResponse response = new MockHttpServletResponse();
- Authentication auth = new UsernamePasswordAuthenticationToken("joe", "password");
+ Authentication auth = UsernamePasswordAuthenticationToken.unauthenticated("joe", "password");
 // No parameter set
 services.loginSuccess(request, response, auth);
 assertThat(services.loginSuccessCalled).isFalse();
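Review bot: `loginSuccessCallsOnLoginSuccessCorrectly` hands `loginSuccess` a token built with `unauthenticated("joe", "password")`, so the successful login modelled by this fixture reports `isAuthenticated()` as false. The conversion keeps what the two-argument constructor did, but the factory name now makes the mismatch visible. The same pattern appears in PersistentTokenBasedRememberMeServicesTests, in `authenticateCurrentUser` and the "set current user" fixtures of SwitchUserFilterTests, and in the `originalAuthentication` fixtures of SwitchUserWebFilterTests. Where a test models a logged-in user, `UsernamePasswordAuthenticationToken.authenticated("joe", "password", AuthorityUtils.NO_AUTHORITIES)` (assuming `AuthorityUtils` is imported in the test) states that directly and would expose code under test that begins to check `isAuthenticated()`. The test body continues outside the hunk.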
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
index b79ef32f09a..d6753c60cb4 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -108,7 +108,7 @@ public void loginSuccessCreatesNewTokenAndCookieWithNewSeries() {
 this.services.setSeriesLength(12);
 MockHttpServletResponse response = new MockHttpServletResponse();
 this.services.loginSuccess(new MockHttpServletRequest(), response,
- new UsernamePasswordAuthenticationToken("joe", "password"));
+ UsernamePasswordAuthenticationToken.unauthenticated("joe", "password"));
 assertThat(this.repo.getStoredToken().getSeries().length()).isEqualTo(16);
 assertThat(this.repo.getStoredToken().getTokenValue().length()).isEqualTo(16);
 String[] cookie = this.services.decodeCookie(response.getCookie("mycookiename").getValue());
diff --git a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
index 1c9f5eaef45..8959f099bac 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
@@ -66,7 +66,8 @@ public class SwitchUserFilterTests {
 @BeforeEach
 public void authenticateCurrentUser() {
- UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
+ UsernamePasswordAuthenticationToken auth = UsernamePasswordAuthenticationToken.unauthenticated("dano",
+ "hawaii50");
 SecurityContextHolder.getContext().setAuthentication(auth);
 }
@@ -278,14 +279,14 @@ public void defaultProcessesFilterUrlMatchesUrlWithPathParameter() {
 @Test
 public void exitUserJackLordToDanoSucceeds() throws Exception {
 // original user
- UsernamePasswordAuthenticationToken source = new UsernamePasswordAuthenticationToken("dano", "hawaii50",
- ROLES_12);
+ UsernamePasswordAuthenticationToken source = UsernamePasswordAuthenticationToken.authenticated("dano",
+ "hawaii50", ROLES_12);
 // set current user (Admin)
 List adminAuths = new ArrayList<>();
 adminAuths.addAll(ROLES_12);
 adminAuths.add(new SwitchUserGrantedAuthority("PREVIOUS_ADMINISTRATOR", source));
- UsernamePasswordAuthenticationToken admin = new UsernamePasswordAuthenticationToken("jacklord", "hawaii50",
- adminAuths);
+ UsernamePasswordAuthenticationToken admin = UsernamePasswordAuthenticationToken.authenticated("jacklord",
+ "hawaii50", adminAuths);
 SecurityContextHolder.getContext().setAuthentication(admin);
 MockHttpServletRequest request = createMockSwitchRequest();
 request.setRequestURI("/logout/impersonate");
@@ -343,7 +344,8 @@ public void redirectToTargetUrlIsCorrect() throws Exception {
 @Test
 public void redirectOmitsContextPathIfUseRelativeContextSet() throws Exception {
 // set current user
- UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
+ UsernamePasswordAuthenticationToken auth = UsernamePasswordAuthenticationToken.unauthenticated("dano",
+ "hawaii50");
 SecurityContextHolder.getContext().setAuthentication(auth);
 MockHttpServletRequest request = createMockSwitchRequest();
 request.setContextPath("/webapp");
@@ -368,7 +370,8 @@ public void redirectOmitsContextPathIfUseRelativeContextSet() throws Exception {
 @Test
 public void testSwitchRequestFromDanoToJackLord() throws Exception {
 // set current user
- UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
+ UsernamePasswordAuthenticationToken auth = UsernamePasswordAuthenticationToken.unauthenticated("dano",
+ "hawaii50");
 SecurityContextHolder.getContext().setAuthentication(auth);
 // http request
 MockHttpServletRequest request = new MockHttpServletRequest();
@@ -395,7 +398,8 @@ public void testSwitchRequestFromDanoToJackLord() throws Exception {
 @Test
 public void modificationOfAuthoritiesWorks() {
- UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("dano", "hawaii50");
+ UsernamePasswordAuthenticationToken auth = UsernamePasswordAuthenticationToken.unauthenticated("dano",
+ "hawaii50");
 SecurityContextHolder.getContext().setAuthentication(auth);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.addParameter(SwitchUserFilter.SPRING_SECURITY_SWITCH_USERNAME_KEY, "jacklord");
@@ -416,8 +420,8 @@ public void modificationOfAuthoritiesWorks() {
 @Test
 public void nestedSwitchesAreNotAllowed() {
 // original user
- UsernamePasswordAuthenticationToken source = new UsernamePasswordAuthenticationToken("orig", "hawaii50",
- ROLES_12);
+ UsernamePasswordAuthenticationToken source = UsernamePasswordAuthenticationToken.authenticated("orig",
+ "hawaii50", ROLES_12);
 SecurityContextHolder.getContext().setAuthentication(source);
 SecurityContextHolder.getContext().setAuthentication(switchToUser("jacklord"));
 Authentication switched = switchToUser("dano");
@@ -444,8 +448,8 @@ public void switchAuthorityRoleCannotBeNull() {
 public void switchAuthorityRoleCanBeChanged() {
 String switchAuthorityRole = "PREVIOUS_ADMINISTRATOR";
 // original user
- UsernamePasswordAuthenticationToken source = new UsernamePasswordAuthenticationToken("orig", "hawaii50",
- ROLES_12);
+ UsernamePasswordAuthenticationToken source = UsernamePasswordAuthenticationToken.authenticated("orig",
+ "hawaii50", ROLES_12);
 SecurityContextHolder.getContext().setAuthentication(source);
 SecurityContextHolder.getContext().setAuthentication(switchToUser("jacklord"));
 Authentication switched = switchToUserWithAuthorityRole("dano", switchAuthorityRole);
diff --git a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
index 13b265b8e00..2a0e66ba1b8 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
@@ -64,9 +64,10 @@ public class BasicAuthenticationFilterTests {
 @BeforeEach
 public void setUp() {
 SecurityContextHolder.clearContext();
- UsernamePasswordAuthenticationToken rodRequest = new UsernamePasswordAuthenticationToken("rod", "koala");
+ UsernamePasswordAuthenticationToken rodRequest = UsernamePasswordAuthenticationToken.unauthenticated("rod",
+ "koala");
 rodRequest.setDetails(new WebAuthenticationDetails(new MockHttpServletRequest()));
- Authentication rod = new UsernamePasswordAuthenticationToken("rod", "koala",
+ Authentication rod = UsernamePasswordAuthenticationToken.authenticated("rod", "koala",
 AuthorityUtils.createAuthorityList("ROLE_1"));
 this.manager = mock(AuthenticationManager.class);
 given(this.manager.authenticate(rodRequest)).willReturn(rod);
@@ -271,9 +272,10 @@ public void skippedOnErrorDispatch() throws Exception {
 @Test
 public void doFilterWhenTokenAndFilterCharsetMatchDefaultThenAuthenticated() throws Exception {
 SecurityContextHolder.clearContext();
- UsernamePasswordAuthenticationToken rodRequest = new UsernamePasswordAuthenticationToken("rod", "äöü");
+ UsernamePasswordAuthenticationToken rodRequest = UsernamePasswordAuthenticationToken.unauthenticated("rod",
+ "äöü");
 rodRequest.setDetails(new WebAuthenticationDetails(new MockHttpServletRequest()));
- Authentication rod = new UsernamePasswordAuthenticationToken("rod", "äöü",
+ Authentication rod = UsernamePasswordAuthenticationToken.authenticated("rod", "äöü",
 AuthorityUtils.createAuthorityList("ROLE_1"));
 this.manager = mock(AuthenticationManager.class);
 given(this.manager.authenticate(rodRequest)).willReturn(rod);
@@ -298,9 +300,10 @@ public void doFilterWhenTokenAndFilterCharsetMatchDefaultThenAuthenticated() thr
 @Test
 public void doFilterWhenTokenAndFilterCharsetMatchNonDefaultThenAuthenticated() throws Exception {
 SecurityContextHolder.clearContext();
- UsernamePasswordAuthenticationToken rodRequest = new UsernamePasswordAuthenticationToken("rod", "äöü");
+ UsernamePasswordAuthenticationToken rodRequest = UsernamePasswordAuthenticationToken.unauthenticated("rod",
+ "äöü");
 rodRequest.setDetails(new WebAuthenticationDetails(new MockHttpServletRequest()));
- Authentication rod = new UsernamePasswordAuthenticationToken("rod", "äöü",
+ Authentication rod = UsernamePasswordAuthenticationToken.authenticated("rod", "äöü",
 AuthorityUtils.createAuthorityList("ROLE_1"));
 this.manager = mock(AuthenticationManager.class);
 given(this.manager.authenticate(rodRequest)).willReturn(rod);
@@ -326,9 +329,10 @@ public void doFilterWhenTokenAndFilterCharsetMatchNonDefaultThenAuthenticated()
 @Test
 public void doFilterWhenTokenAndFilterCharsetDoNotMatchThenUnauthorized() throws Exception {
 SecurityContextHolder.clearContext();
- UsernamePasswordAuthenticationToken rodRequest = new UsernamePasswordAuthenticationToken("rod", "äöü");
+ UsernamePasswordAuthenticationToken rodRequest = UsernamePasswordAuthenticationToken.unauthenticated("rod",
+ "äöü");
 rodRequest.setDetails(new WebAuthenticationDetails(new MockHttpServletRequest()));
- Authentication rod = new UsernamePasswordAuthenticationToken("rod", "äöü",
+ Authentication rod = UsernamePasswordAuthenticationToken.authenticated("rod", "äöü",
 AuthorityUtils.createAuthorityList("ROLE_1"));
 this.manager = mock(AuthenticationManager.class);
 given(this.manager.authenticate(rodRequest)).willReturn(rod);
diff --git a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
index e8856f59a1a..1f24ef2c866 100644
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -726,7 +726,7 @@ public void saveContextWhenSecurityContextAuthenticationUpdatedToNullThenSkipped
 }
 private SecurityContext createSecurityContext(UserDetails userDetails) {
- UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails,
+ UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated(userDetails,
 userDetails.getPassword(), userDetails.getAuthorities());
 SecurityContext securityContext = new SecurityContextImpl(token);
 return securityContext;
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/SwitchUserWebFilterTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/SwitchUserWebFilterTests.java
index 527d90345d0..4e7609f3031 100644
--- a/web/src/test/java/org/springframework/security/web/server/authentication/SwitchUserWebFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/SwitchUserWebFilterTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -110,7 +110,7 @@ public void switchUser() {
 final MockServerWebExchange exchange = MockServerWebExchange
 .from(MockServerHttpRequest.post("/login/impersonate?username={targetUser}", targetUsername));
 final WebFilterChain chain = mock(WebFilterChain.class);
- final Authentication originalAuthentication = new UsernamePasswordAuthenticationToken("principal",
+ final Authentication originalAuthentication = UsernamePasswordAuthenticationToken.unauthenticated("principal",
 "credentials");
 final SecurityContextImpl securityContext = new SecurityContextImpl(originalAuthentication);
 given(this.userDetailsService.findByUsername(targetUsername)).willReturn(Mono.just(switchUserDetails));
@@ -143,12 +143,12 @@ public void switchUser() {

 @Test
 public void switchUserWhenUserAlreadySwitchedThenExitSwitchAndSwitchAgain() {
- final Authentication originalAuthentication = new UsernamePasswordAuthenticationToken("origPrincipal",
- "origCredentials");
+ final Authentication originalAuthentication = UsernamePasswordAuthenticationToken
+ .unauthenticated("origPrincipal", "origCredentials");
 final GrantedAuthority switchAuthority = new SwitchUserGrantedAuthority(
 SwitchUserWebFilter.ROLE_PREVIOUS_ADMINISTRATOR, originalAuthentication);
- final Authentication switchUserAuthentication = new UsernamePasswordAuthenticationToken("switchPrincipal",
- "switchCredentials", Collections.singleton(switchAuthority));
+ final Authentication switchUserAuthentication = UsernamePasswordAuthenticationToken
+ .authenticated("switchPrincipal", "switchCredentials", Collections.singleton(switchAuthority));
 final SecurityContextImpl securityContext = new SecurityContextImpl(switchUserAuthentication);
 final String targetUsername = "newSwitchPrincipal";
 final MockServerWebExchange exchange = MockServerWebExchange
@@ -228,12 +228,12 @@ public void switchUserWhenFailureHandlerNotDefinedThenReturnError() {
 public void exitSwitchThenReturnToOriginalAuthentication() {
 final MockServerWebExchange exchange = MockServerWebExchange
 .from(MockServerHttpRequest.post("/logout/impersonate"));
- final Authentication originalAuthentication = new UsernamePasswordAuthenticationToken("origPrincipal",
- "origCredentials");
+ final Authentication originalAuthentication = UsernamePasswordAuthenticationToken
+ .unauthenticated("origPrincipal", "origCredentials");
 final GrantedAuthority switchAuthority = new SwitchUserGrantedAuthority(
 SwitchUserWebFilter.ROLE_PREVIOUS_ADMINISTRATOR, originalAuthentication);
- final Authentication switchUserAuthentication = new UsernamePasswordAuthenticationToken("switchPrincipal",
- "switchCredentials", Collections.singleton(switchAuthority));
+ final Authentication switchUserAuthentication = UsernamePasswordAuthenticationToken
+ .authenticated("switchPrincipal", "switchCredentials", Collections.singleton(switchAuthority));
 final WebFilterChain chain = mock(WebFilterChain.class);
 final SecurityContextImpl securityContext = new SecurityContextImpl(switchUserAuthentication);
 given(this.serverSecurityContextRepository.save(eq(exchange), any(SecurityContext.class)))
@@ -259,8 +259,8 @@ public void exitSwitchThenReturnToOriginalAuthentication() {
 public void exitSwitchWhenUserNotSwitchedThenThrowError() {
 final MockServerWebExchange exchange = MockServerWebExchange
 .from(MockServerHttpRequest.post("/logout/impersonate"));
- final Authentication originalAuthentication = new UsernamePasswordAuthenticationToken("origPrincipal",
- "origCredentials");
+ final Authentication originalAuthentication = UsernamePasswordAuthenticationToken
+ .unauthenticated("origPrincipal", "origCredentials");
 final WebFilterChain chain = mock(WebFilterChain.class);
 final SecurityContextImpl securityContext = new SecurityContextImpl(originalAuthentication);
 assertThatExceptionOfType(AuthenticationCredentialsNotFoundException.class).isThrownBy(() -> {