Details
Bug
Resolution: Fixed
Low
None
None
Severity 3 - Minor
-
Description
DefaultHttpAuthenticationContext.onSuccess(user) leaves the username unmodified. There are cases when the username is a control string, like 'x-oauth-token', and after authentication it gets a valid ApplicationUser from the authentication system, but:
String username = context.getUsername() != null ? context.getUsername() : context.getUser().getName();
eventPublisher.publish(new AuthenticationSuccessEvent(this, username, context.getMethod()));
And this sends an event for user 'x-oauth-token', which is not a valid user. But possibly it should use user.getName() if getUser() is not null, like this:
String username = context.getUser() != null ? context.getUser().getName() : context.getUsername();
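The following is an added example, not code from the product or from this report's author, that puts the two username selections quoted above side by side and runs them over a token-style login. ApplicationUser, AuthContext, AuthenticationSuccessEvent and the inputs are hypothetical stand-ins constructed for the demonstration; only the two ternary expressions are taken from the report. The point it makes is why the ordering matters to anyone consuming the event: an audit log, login-activity baseline or lockout counter keyed on the event's username would record a session for a principal that does not exist and none for the user who actually authenticated.

```java
import java.util.Objects;

public class AuthSuccessUsernameDemo {

    /** Hypothetical stand-in for the product's ApplicationUser type. */
    static final class ApplicationUser {
        private final String name;
        ApplicationUser(String name) { this.name = Objects.requireNonNull(name); }
        String getName() { return name; }
    }

    /** Hypothetical stand-in for the authentication context quoted in the report. */
    static final class AuthContext {
        private final String username;      // credential as presented by the client; may be a placeholder
        private final ApplicationUser user; // principal resolved by the authenticator; may be null
        private final String method;
        AuthContext(String username, ApplicationUser user, String method) {
            this.username = username;
            this.user = user;
            this.method = method;
        }
        String getUsername() { return username; }
        ApplicationUser getUser() { return user; }
        String getMethod() { return method; }
    }

    /** Minimal event carrying what a listener (audit log, login counter) would key on. */
    static final class AuthenticationSuccessEvent {
        final String username;
        final String method;
        AuthenticationSuccessEvent(String username, String method) {
            this.username = username;
            this.method = method;
        }
        @Override public String toString() {
            return "AuthenticationSuccessEvent{username=" + username + ", method=" + method + "}";
        }
    }

    /** Username selection as the report quotes it: the presented username wins. */
    static String usernameAsReported(AuthContext ctx) {
        return ctx.getUsername() != null ? ctx.getUsername() : ctx.getUser().getName();
    }

    /** Username selection as the report proposes: the resolved principal wins. */
    static String usernameAsProposed(AuthContext ctx) {
        return ctx.getUser() != null ? ctx.getUser().getName() : ctx.getUsername();
    }

    /** Builds the event with one of the two selection orders; mirrors the publish call in the report. */
    static AuthenticationSuccessEvent buildEvent(AuthContext ctx, boolean useProposedOrder) {
        String username = useProposedOrder ? usernameAsProposed(ctx) : usernameAsReported(ctx);
        return new AuthenticationSuccessEvent(username, ctx.getMethod());
    }

    public static void main(String[] args) {
        ApplicationUser alice = new ApplicationUser("alice");

        // Constructed inputs: a token-style login presents a control string as the username,
        // a plain login presents the real name, and a third case has no resolved user at all.
        AuthContext tokenLogin = new AuthContext("x-oauth-token", alice, "basic");
        AuthContext plainLogin = new AuthContext("alice", alice, "basic");
        AuthContext unresolved = new AuthContext("alice", null, "basic");

        System.out.println("token login, reported order: " + buildEvent(tokenLogin, false));
        System.out.println("token login, proposed order: " + buildEvent(tokenLogin, true));
        System.out.println("plain login, either order:   " + buildEvent(plainLogin, true));
        System.out.println("no user, proposed order:     " + buildEvent(unresolved, true));
    }
}
```

With the reported order the token login is attributed to the placeholder string, with the proposed order to the resolved user; for a plain login the two orders agree, and when no user object is present the proposed order still falls back to the presented username. One caveat a reviewer would raise on the proposed line: if both getUser() and getUsername() are null it publishes an event with a null username rather than failing, so a defensive version should reject that case explicitly instead of letting listeners see a null principal.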