Hi Omar!

I was looking through the JWT security tutorial, very useful stuff!

I noticed something in the code that has potential to do harm. In your example `JwtUsernameAndPasswordAuthenticationFilter.attemptAuthentication()`, line 53, you call a `UsernamePasswordAuthenticationToken` constructor that should only be called when creating a trusted authentication object (e.g. if creating it AFTER the user has actually authenticated) - see the spec here, check out the constructors.

This could cause very big issues if e.g. `authenticationManager.authenticate()` checks if the authentication passed into it has `authenticated = true` and, if so, doesn't attempt to do any checks, as the user might already be authenticated, e.g. by another filter (this I think is more or less something that could be done if you're chaining multiple authentication filters). If you have such functionality in, the user will be authenticated before any auth checks are actually done and authentication could be bypassed that way.

The fix is simple: just remove the third param (i.e. the empty list of authorities), thus using the untrusted constructor.

Best
Andrei
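To make the point above concrete, here is an added example (not code from the tutorial, and not Spring Security's own code). It assumes `spring-security-core` 5.x on the classpath. `SHORT_CIRCUITING_MANAGER` is a hypothetical `AuthenticationManager` of the kind the issue describes: it trusts any token that already reports `isAuthenticated() == true` and only checks credentials otherwise. The one valid credential pair it accepts is constructed for the demo. `buildTokenTrusted` mirrors the three-argument constructor call the issue points at; `buildTokenUntrusted` is the proposed fix.

```java
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Added example, not part of the tutorial or of Spring Security.
 * Shows why the three-argument UsernamePasswordAuthenticationToken constructor
 * must not be used for a login request that has not been checked yet.
 */
public class TrustedConstructorDemo {

    // Hypothetical manager that short-circuits on pre-authenticated tokens,
    // the behaviour the issue warns about when authentication filters are chained.
    static final AuthenticationManager SHORT_CIRCUITING_MANAGER = authentication -> {
        if (authentication.isAuthenticated()) {
            return authentication; // trusts the caller and performs no checks at all
        }
        // Constructed credential store for the demo: exactly one valid pair.
        if ("alice".equals(authentication.getPrincipal())
                && "correct-horse".equals(authentication.getCredentials())) {
            return new UsernamePasswordAuthenticationToken(
                    authentication.getPrincipal(), null, Collections.emptyList());
        }
        throw new BadCredentialsException("bad credentials");
    };

    // Mirrors the pattern from the issue: the authorities argument selects the
    // constructor that calls setAuthenticated(true), so the token is marked
    // authenticated before any credential check has run.
    static Authentication buildTokenTrusted(String user, String password) {
        return new UsernamePasswordAuthenticationToken(user, password, Collections.emptyList());
    }

    // The fix from the issue: the two-argument constructor leaves authenticated == false,
    // so the manager has to do its own work.
    static Authentication buildTokenUntrusted(String user, String password) {
        return new UsernamePasswordAuthenticationToken(user, password);
    }

    // Returns whether a login attempt with the given token is accepted by the manager.
    static boolean loginSucceeds(AuthenticationManager manager, Authentication token) {
        try {
            return manager.authenticate(token).isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Both tokens carry the wrong password for alice.
        Authentication trusted = buildTokenTrusted("alice", "wrong-password");
        Authentication untrusted = buildTokenUntrusted("alice", "wrong-password");

        System.out.println("3-arg constructor, isAuthenticated() before any check: "
                + trusted.isAuthenticated());
        System.out.println("2-arg constructor, isAuthenticated() before any check: "
                + untrusted.isAuthenticated());

        System.out.println("wrong password accepted via 3-arg constructor: "
                + loginSucceeds(SHORT_CIRCUITING_MANAGER, trusted));
        System.out.println("wrong password accepted via 2-arg constructor: "
                + loginSucceeds(SHORT_CIRCUITING_MANAGER, untrusted));
    }
}
```

Run with `spring-security-core` on the classpath. The token built with the three-argument constructor reports `isAuthenticated() == true` before the manager ever sees it, and a manager that trusts that flag lets the wrong password through; the two-argument token is rejected because the manager actually checks the credentials. Spring Security's stock `ProviderManager` does re-check credentials regardless of the flag, but a filter should not depend on that: the flag is the contract other components read. On Spring Security 5.7 and later, `UsernamePasswordAuthenticationToken.unauthenticated(principal, credentials)` and `UsernamePasswordAuthenticationToken.authenticated(principal, credentials, authorities)` make the intent explicit at the call site.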