Details
Bug
Resolution: Unresolved
Low
None
3.3.3, 4.2.2
None
1
Severity 3 - Minor
0
Description
Issue Summary
CrowdAuthenticationProvider's supports() method rejects any authentication token that has a non-null description (the value returned by getDetails()). It should accept tokens that have one, particularly UsernamePasswordAuthenticationTokens; otherwise username/password authentication is never accepted by the CrowdAuthenticationProvider.
Steps to Reproduce
When debugging the auth process, authenticationToken.getDetails() does not return null inside the following supports() method, so the method returns false, which in turn causes the authenticate call to return null.
    public boolean supports(AbstractAuthenticationToken authenticationToken) {
        return authenticationToken.getDetails() == null
            || authenticationToken.getDetails() instanceof CrowdSSOAuthenticationDetails;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!this.supports(authentication.getClass())) {
            return null;
        } else if (!this.supports((AbstractAuthenticationToken)authentication)) {
            return null;
        } else {
            Authentication authenticatedToken = null;
            if (authentication instanceof UsernamePasswordAuthenticationToken) {
                logger.debug("Processing a UsernamePasswordAuthenticationToken");
                authenticatedToken = this.authenticateUsernamePassword((UsernamePasswordAuthenticationToken)authentication);
            } else if (authentication instanceof CrowdSSOAuthenticationToken) {
                logger.debug("Processing a CrowdSSOAuthenticationToken");
                authenticatedToken = this.authenticateCrowdSSO((CrowdSSOAuthenticationToken)authentication);
            }
            return authenticatedToken;
        }
    }
As a result the UI displays the following:
No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
Expected Results
CrowdAuthenticationProvider should accept UsernamePasswordAuthenticationTokens
Actual Results
CrowdAuthenticationProvider does not accept UsernamePasswordAuthenticationTokens
Workaround
Users have been able to resolve the issue by replacing the implementation with authenticationToken.getDetails() != null, which is covered in the following Community post:
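The following is an added example, not Crowd's code and not part of the original report: it reproduces the "No AuthenticationProvider found" message with Spring Security's own ProviderManager and compares the supports() check quoted above with the workaround predicate. StandInProvider and the empty CrowdSSOAuthenticationDetails class are stand-ins assumed for the demo, and spring-security-core must be on the classpath.

```java
import java.util.Collections;
import java.util.function.Predicate;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class SupportsCheckDemo {
    /** Stand-in for the Crowd details class named in the report (assumption, not the real class). */
    static class CrowdSSOAuthenticationDetails {}

    /** Hypothetical provider that applies a token-level check the way authenticate() above does. */
    static class StandInProvider implements AuthenticationProvider {
        private final Predicate<AbstractAuthenticationToken> tokenCheck;
        StandInProvider(Predicate<AbstractAuthenticationToken> tokenCheck) { this.tokenCheck = tokenCheck; }
        @Override public boolean supports(Class<?> type) {
            return AbstractAuthenticationToken.class.isAssignableFrom(type);
        }
        @Override public Authentication authenticate(Authentication auth) {
            if (!tokenCheck.test((AbstractAuthenticationToken) auth)) {
                return null; // null tells ProviderManager this provider did not handle the token
            }
            // Constructed success path: no credential check is made in this demo.
            return new UsernamePasswordAuthenticationToken(auth.getPrincipal(), null, AuthorityUtils.NO_AUTHORITIES);
        }
    }

    /** Runs one login attempt and reports whether any provider handled the token. */
    static String attempt(Predicate<AbstractAuthenticationToken> check, Object details) {
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("alice", "constructed-password");
        token.setDetails(details); // UsernamePasswordAuthenticationFilter attaches request details to its tokens
        try {
            new ProviderManager(Collections.singletonList(new StandInProvider(check))).authenticate(token);
            return "handled";
        } catch (ProviderNotFoundException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        Predicate<AbstractAuthenticationToken> reported =
            t -> t.getDetails() == null || t.getDetails() instanceof CrowdSSOAuthenticationDetails;
        Predicate<AbstractAuthenticationToken> workaround = t -> t.getDetails() != null;
        Object webDetails = "constructed stand-in for request details";
        System.out.println("reported,   details set:  " + attempt(reported, webDetails));
        System.out.println("reported,   details null: " + attempt(reported, null));
        System.out.println("workaround, details set:  " + attempt(workaround, webDetails));
        System.out.println("workaround, details null: " + attempt(workaround, null));
    }
}
```

The last case shows that the workaround predicate, as quoted, stops handling tokens whose details are null, so any caller that builds tokens without details should be checked before adopting it.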