SEC-723: Change PreAuthenticatedAuthenticationProvider to reject authentication tokens with null credentials. Also introduced a property "throwExceptionWhenTokenIsRejected" which raises a BadCredentialsException when the toke is invalid.

core/src/main/java/org/springframework/security/providers/preauth/PreAuthenticatedAuthenticationProvider.java

@@ -3,6 +3,7 @@ package org.springframework.security.providers.preauth;
 import org.springframework.security.providers.AuthenticationProvider;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
+import org.springframework.security.BadCredentialsException;
 import org.springframework.security.userdetails.UserDetails;
 import org.springframework.security.userdetails.UserDetailsChecker;
 import org.springframework.security.userdetails.checker.AccountStatusUserDetailsChecker;
@@ -32,7 +33,8 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
     private static final Log logger = LogFactory.getLog(PreAuthenticatedAuthenticationProvider.class);
 
     private AuthenticationUserDetailsService preAuthenticatedUserDetailsService = null;
-    private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();    
+    private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker(); 
+    private boolean throwExceptionWhenTokenRejected = false;
 
     private int order = -1; // default: same as non-ordered
 
@@ -40,7 +42,7 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
      * Check whether all required properties have been set.
      */
     public void afterPropertiesSet() {
-        Assert.notNull(preAuthenticatedUserDetailsService, "A AuthenticationUserDetailsService must be set");
+        Assert.notNull(preAuthenticatedUserDetailsService, "An AuthenticationUserDetailsService must be set");
     }
 
     /**
@@ -58,11 +60,24 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
             logger.debug("PreAuthenticated authentication request: " + authentication);
         }
 
-        if(authentication.getPrincipal() == null) {
+        if (authentication.getPrincipal() == null) {
             logger.debug("No pre-authenticated principal found in request.");
+            
+            if (throwExceptionWhenTokenRejected) {
+                throw new BadCredentialsException("No pre-authenticated principal found in request.");
+            }
             return null;
         }
 
+        if (authentication.getCredentials() == null) {
+            logger.debug("No pre-authenticated credentials found in request.");
+
+            if (throwExceptionWhenTokenRejected) {
+                throw new BadCredentialsException("No pre-authenticated credentials found in request.");
+            }            
+            return null;
+        }
+        
         UserDetails ud = preAuthenticatedUserDetailsService.loadUserDetails(authentication);
 
         userDetailsChecker.check(ud);
@@ -98,4 +113,13 @@ public class PreAuthenticatedAuthenticationProvider implements AuthenticationPro
     public void setOrder(int i) {
         order = i;
     }
+
+    /** 
+     * If true, causes the provider to throw a BadCredentialsException if the presented authentication 
+     * request is invalid (contains a null principal or credentials). Otherwise it will just return 
+     * null.  
+     */    
+    public void setThrowExceptionWhenTokenRejected(boolean throwExceptionWhenTokenRejected) {
+        this.throwExceptionWhenTokenRejected = throwExceptionWhenTokenRejected;
+    }
 }