SEC-134 fix. Authorities array is now copied on access. Also refactored token classes to move authorities to the base class.

core/src/main/java/org/acegisecurity/Authentication.java

@@ -96,6 +96,11 @@ public interface Authentication extends Principal, Serializable {
      * that the principal has been granted. Note that classes should not rely
      * on this value as being valid unless it has been set by a trusted
      * <code>AuthenticationManager</code>.
+     * <p>
+     * Implementations should ensure that modifications to the returned array
+     * do not affect the state of the Authentication object (e.g. by returning an
+     * array copy).
+     * </p>
      *
      * @return the authorities granted to the principal, or <code>null</code>
      *         if authentication has not been completed

core/src/main/java/org/acegisecurity/adapters/AbstractAdapterAuthenticationToken.java

@@ -29,13 +29,12 @@ public abstract class AbstractAdapterAuthenticationToken
     extends AbstractAuthenticationToken implements AuthByAdapter {
     //~ Instance fields ========================================================
 
-    private GrantedAuthority[] authorities;
     private int keyHash;
 
     //~ Constructors ===========================================================
 
     protected AbstractAdapterAuthenticationToken() {
-        super();
+        super(null);
     }
 
     /**
@@ -48,9 +47,8 @@ public abstract class AbstractAdapterAuthenticationToken
      */
     protected AbstractAdapterAuthenticationToken(String key,
         GrantedAuthority[] authorities) {
-        super();
+        super(authorities);
         this.keyHash = key.hashCode();
-        this.authorities = authorities;
     }
 
     //~ Methods ================================================================
@@ -73,10 +71,6 @@ public abstract class AbstractAdapterAuthenticationToken
         return true;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return authorities;
-    }
-
     public int getKeyHash() {
         return this.keyHash;
     }
@@ -97,8 +91,10 @@ public abstract class AbstractAdapterAuthenticationToken
      *         <code>false</code> otherwise
      */
     public boolean isUserInRole(String role) {
-        for (int i = 0; i < this.authorities.length; i++) {
+        GrantedAuthority[] authorities = super.getAuthorities();
-            if (role.equals(this.authorities[i].getAuthority())) {
+
+        for (int i = 0; i < authorities.length; i++) {
+            if (role.equals(authorities[i].getAuthority())) {
                 return true;
             }
         }

core/src/main/java/org/acegisecurity/providers/AbstractAuthenticationToken.java

@@ -16,17 +16,59 @@
 package org.acegisecurity.providers;
 
 import org.acegisecurity.Authentication;
+import org.acegisecurity.GrantedAuthority;
 
 import org.acegisecurity.userdetails.UserDetails;
 
-
 /**
- * Provides a <code>String</code> representation of the Authentication token.
+ * Base class for Authentication objects.
+ * <p>
+ * Implementations which use this class should be immutable.
+ * </p>
  *
  * @author Ben Alex
+ * @author Luke Taylor
  * @version $Id$
  */
 public abstract class AbstractAuthenticationToken implements Authentication {
+
+    //~ Instance fields
+    private GrantedAuthority[] authorities;
+
+    //~ Constructors ===========================================================
+
+    /**
+     * Retained for compatibility with subclasses written before the
+     * <tt>AbstractAuthenticationToken(GrantedAuthority[])</tt> constructor
+     * was introduced.
+     *
+     * @deprecated in favour of the constructor which takes a GrantedAuthority[]
+     * argument. 
+     */
+    public AbstractAuthenticationToken() {
+
+    }
+
+    /**
+     * Creates a token with the supplied array of authorities.
+     *
+     * @param authorities the list of <tt>GrantedAuthority</tt>s for the principal
+     *                    represented by this authentication object. A null value
+     *                    indicates that no authorities have been granted.
+     */
+    public AbstractAuthenticationToken(GrantedAuthority[] authorities) {
+        if(authorities != null) {
+            for (int i = 0; i < authorities.length; i++) {
+                if(authorities[i] == null) {
+                    throw new IllegalArgumentException("Granted authority element " + i
+                        + " is null - GrantedAuthority[] cannot contain any null elements");
+                }
+            }
+        }
+
+        this.authorities = authorities;
+    }
+
     //~ Methods ================================================================
 
     public boolean equals(Object obj) {
@@ -53,8 +95,8 @@ public abstract class AbstractAuthenticationToken implements Authentication {
             }
 
             return (this.getPrincipal().equals(test.getPrincipal())
-            && this.getCredentials().equals(test.getCredentials())
+                && this.getCredentials().equals(test.getCredentials())
-            && (this.isAuthenticated() == test.isAuthenticated()));
+                && (this.isAuthenticated() == test.isAuthenticated()));
         }
 
         return false;
@@ -78,6 +120,17 @@ public abstract class AbstractAuthenticationToken implements Authentication {
         return this.getPrincipal().toString();
     }
 
+    public GrantedAuthority[] getAuthorities() {
+        if(authorities == null) {
+            return null;
+        }
+
+        GrantedAuthority[] copy = new GrantedAuthority[authorities.length];
+        System.arraycopy(authorities, 0, copy, 0, authorities.length);
+
+        return copy;
+    }
+
     public int hashCode() {
         int code = 2305;
 

core/src/main/java/org/acegisecurity/providers/TestingAuthenticationToken.java

@@ -35,20 +35,15 @@ public class TestingAuthenticationToken extends AbstractAuthenticationToken {
 
     private Object credentials;
     private Object principal;
-    private GrantedAuthority[] authorities;
     private boolean authenticated = false;
 
     //~ Constructors ===========================================================
 
     public TestingAuthenticationToken(Object principal, Object credentials,
         GrantedAuthority[] authorities) {
+        super(authorities);
         this.principal = principal;
         this.credentials = credentials;
-        this.authorities = authorities;
-    }
-
-    protected TestingAuthenticationToken() {
-        throw new IllegalArgumentException("Cannot use default constructor");
     }
 
     //~ Methods ================================================================
@@ -61,10 +56,6 @@ public class TestingAuthenticationToken extends AbstractAuthenticationToken {
         return this.authenticated;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return this.authorities;
-    }
-
     public Object getCredentials() {
         return this.credentials;
     }

core/src/main/java/org/acegisecurity/providers/UsernamePasswordAuthenticationToken.java

@@ -39,7 +39,6 @@ public class UsernamePasswordAuthenticationToken
     private Object credentials;
     private Object details = null;
     private Object principal;
-    private GrantedAuthority[] authorities;
     private boolean authenticated;
 
     //~ Constructors ===========================================================
@@ -54,6 +53,7 @@ public class UsernamePasswordAuthenticationToken
      */
     public UsernamePasswordAuthenticationToken(Object principal,
         Object credentials) {
+        super(null);
         this.principal = principal;
         this.credentials = credentials;
         this.authenticated = false;
@@ -72,9 +72,9 @@ public class UsernamePasswordAuthenticationToken
      */
     public UsernamePasswordAuthenticationToken(Object principal,
         Object credentials, GrantedAuthority[] authorities) {
+        super(authorities);
         this.principal = principal;
         this.credentials = credentials;
-        this.authorities = authorities;
         this.authenticated = true;
     }
 
@@ -94,10 +94,6 @@ public class UsernamePasswordAuthenticationToken
         return this.authenticated;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return this.authorities;
-    }
-
     public Object getCredentials() {
         return this.credentials;
     }

core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousAuthenticationToken.java

@@ -34,7 +34,6 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
     //~ Instance fields ========================================================
 
     private Object principal;
-    private GrantedAuthority[] authorities;
     private boolean authenticated;
     private int keyHash;
 
@@ -51,6 +50,9 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
      */
     public AnonymousAuthenticationToken(String key, Object principal,
         GrantedAuthority[] authorities) {
+
+        super(authorities);
+
         if ((key == null) || ("".equals(key)) || (principal == null)
             || "".equals(principal) || (authorities == null)
             || (authorities.length == 0)) {
@@ -58,22 +60,11 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
                 "Cannot pass null or empty values to constructor");
         }
 
-        for (int i = 0; i < authorities.length; i++) {
-            Assert.notNull(authorities[i],
-                "Granted authority element " + i
-                + " is null - GrantedAuthority[] cannot contain any null elements");
-        }
-
         this.keyHash = key.hashCode();
         this.principal = principal;
-        this.authorities = authorities;
 		this.authenticated = true;
     }
 
-    protected AnonymousAuthenticationToken() {
-        throw new IllegalArgumentException("Cannot use default constructor");
-    }
-
     //~ Methods ================================================================
 
     public void setAuthenticated(boolean isAuthenticated) {
@@ -84,10 +75,6 @@ public class AnonymousAuthenticationToken extends AbstractAuthenticationToken
         return this.authenticated;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return this.authorities;
-    }
-
     /**
      * Always returns an empty <code>String</code>
      *

core/src/main/java/org/acegisecurity/providers/cas/CasAuthenticationToken.java

@@ -43,7 +43,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
     private Object principal;
     private String proxyGrantingTicketIou;
     private UserDetails userDetails;
-    private GrantedAuthority[] authorities;
     private boolean authenticated;
     private int keyHash;
 
@@ -72,6 +71,7 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
     public CasAuthenticationToken(String key, Object principal,
         Object credentials, GrantedAuthority[] authorities,
         UserDetails userDetails, List proxyList, String proxyGrantingTicketIou) {
+        super(authorities);
         if ((key == null) || ("".equals(key)) || (principal == null)
             || "".equals(principal) || (credentials == null)
             || "".equals(credentials) || (authorities == null)
@@ -81,26 +81,15 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
                 "Cannot pass null or empty values to constructor");
         }
 
-        for (int i = 0; i < authorities.length; i++) {
-            Assert.notNull(authorities[i],
-                "Granted authority element " + i
-                + " is null - GrantedAuthority[] cannot contain any null elements");
-        }
-
         this.keyHash = key.hashCode();
         this.principal = principal;
         this.credentials = credentials;
-        this.authorities = authorities;
         this.userDetails = userDetails;
         this.proxyList = proxyList;
         this.proxyGrantingTicketIou = proxyGrantingTicketIou;
         this.authenticated = true;
     }
 
-    protected CasAuthenticationToken() {
-        throw new IllegalArgumentException("Cannot use default constructor");
-    }
-
     //~ Methods ================================================================
 
     public boolean equals(Object obj) {
@@ -132,10 +121,6 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
         return false;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return this.authorities;
-    }
-
     public Object getCredentials() {
         return this.credentials;
     }
@@ -177,12 +162,10 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken
     public String toString() {
         StringBuffer sb = new StringBuffer();
         sb.append(super.toString());
-        sb.append("; Credentials (Service/Proxy Ticket): ");
+        sb.append("; Credentials (Service/Proxy Ticket): ").append(this.credentials);
-        sb.append(this.credentials);
+        sb.append("; Proxy-Granting Ticket IOU: ").append(this.proxyGrantingTicketIou);
-        sb.append("; Proxy-Granting Ticket IOU: ");
+        sb.append("; Proxy List: ").append(this.proxyList);
-        sb.append(this.proxyGrantingTicketIou);
+
-        sb.append("; Proxy List: ");
-        sb.append(this.proxyList.toString());
 
         return (sb.toString());
     }

core/src/main/java/org/acegisecurity/providers/rememberme/RememberMeAuthenticationToken.java

@@ -40,7 +40,6 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
     //~ Instance fields ========================================================
 
     private Object principal;
-    private GrantedAuthority[] authorities;
     private int keyHash;
 	private boolean authenticated;
 
@@ -57,6 +56,8 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
      */
     public RememberMeAuthenticationToken(String key, Object principal,
         GrantedAuthority[] authorities) {
+        super(authorities);
+
         if ((key == null) || ("".equals(key)) || (principal == null)
             || "".equals(principal) || (authorities == null)
             || (authorities.length == 0)) {
@@ -72,14 +73,9 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
 
         this.keyHash = key.hashCode();
         this.principal = principal;
-        this.authorities = authorities;
 		this.authenticated = true;
     }
 
-    protected RememberMeAuthenticationToken() {
-        throw new IllegalArgumentException("Cannot use default constructor");
-    }
-
     //~ Methods ================================================================
 
     public void setAuthenticated(boolean isAuthenticated) {
@@ -90,10 +86,6 @@ public class RememberMeAuthenticationToken extends AbstractAuthenticationToken
         return this.authenticated;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return this.authorities;
-    }
-
     /**
      * Always returns an empty <code>String</code>
      *

core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationToken.java

@@ -31,7 +31,6 @@ public class X509AuthenticationToken extends AbstractAuthenticationToken {
 
     private X509Certificate credentials;
     private Object principal;
-    private GrantedAuthority[] authorities;
     private boolean authenticated = false;
     private Object details = null;
 
@@ -39,13 +38,16 @@ public class X509AuthenticationToken extends AbstractAuthenticationToken {
 
     /** Used for an authentication request */
     public X509AuthenticationToken(X509Certificate credentials) {
+        super(null);
         this.credentials = credentials;
     }
 
-    public X509AuthenticationToken(Object principal, X509Certificate credentials, GrantedAuthority[] authorities) {
+    public X509AuthenticationToken(Object principal,
+                                   X509Certificate credentials,
+                                   GrantedAuthority[] authorities) {
+        super(authorities);
+        this.principal = principal;        
         this.credentials = credentials;
-        this.principal = principal;
-        this.authorities = authorities;
     }
 
     //~ Methods ================================================================
@@ -67,10 +69,6 @@ public class X509AuthenticationToken extends AbstractAuthenticationToken {
         return authenticated;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return authorities;
-    }
-
     public Object getCredentials() {
         return credentials;
     }

core/src/main/java/org/acegisecurity/runas/RunAsUserToken.java

@@ -32,7 +32,6 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
     private Class originalAuthentication;
     private Object credentials;
     private Object principal;
-    private GrantedAuthority[] authorities;
     private int keyHash;
 	private boolean authenticated;
 
@@ -40,19 +39,14 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
 
     public RunAsUserToken(String key, Object principal, Object credentials,
         GrantedAuthority[] authorities, Class originalAuthentication) {
-        super();
+        super(authorities);
         this.keyHash = key.hashCode();
-        this.authorities = authorities;
         this.principal = principal;
         this.credentials = credentials;
         this.originalAuthentication = originalAuthentication;
 		this.authenticated = true;
     }
 
-    protected RunAsUserToken() {
-        throw new IllegalArgumentException("Cannot use default constructor");
-    }
-
     //~ Methods ================================================================
 
     public void setAuthenticated(boolean isAuthenticated) {
@@ -63,10 +57,6 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
         return this.authenticated;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return this.authorities;
-    }
-
     public Object getCredentials() {
         return this.credentials;
     }
@@ -85,7 +75,7 @@ public class RunAsUserToken extends AbstractAuthenticationToken {
 
     public String toString() {
         StringBuffer sb = new StringBuffer(super.toString());
-        sb.append("; Original Class: " + this.originalAuthentication.getName());
+        sb.append("; Original Class: ").append(this.originalAuthentication.getName());
 
         return sb.toString();
     }

core/src/test/java/org/acegisecurity/MockRunAsAuthenticationToken.java

@@ -30,6 +30,12 @@ public class MockRunAsAuthenticationToken extends AbstractAuthenticationToken {
 
     private boolean authenticated = false;
 
+    //~ Constructors ===========================================================
+
+    public MockRunAsAuthenticationToken() {
+        super(null);
+    }
+
     //~ Methods ================================================================
 
     public void setAuthenticated(boolean isAuthenticated) {
@@ -40,10 +46,6 @@ public class MockRunAsAuthenticationToken extends AbstractAuthenticationToken {
         return authenticated;
     }
 
-    public GrantedAuthority[] getAuthorities() {
-        return null;
-    }
-
     public Object getCredentials() {
         return null;
     }

core/src/test/java/org/acegisecurity/adapters/AuthByAdapterTests.java

@@ -24,6 +24,8 @@ import org.acegisecurity.GrantedAuthorityImpl;
 
 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 
+import java.util.Arrays;
+
 /**
  * Tests {@link AuthByAdapterProvider}
  *
@@ -67,7 +69,7 @@ public class AuthByAdapterTests extends TestCase {
 
         assertEquals(token.getCredentials(), response.getCredentials());
         assertEquals(token.getPrincipal(), response.getPrincipal());
-        assertEquals(token.getAuthorities(), response.getAuthorities());
+        assertTrue(Arrays.equals(token.getAuthorities(), response.getAuthorities()));
 
         if (!response.getClass().equals(token.getClass())) {
             fail("Should have returned same type of object it was given");

core/src/test/java/org/acegisecurity/providers/AbstractAuthenticationTokenTests.java

@@ -148,22 +148,17 @@ public class AbstractAuthenticationTokenTests extends TestCase {
     private class MockAuthenticationImpl extends AbstractAuthenticationToken {
         private Object credentials;
         private Object principal;
-        private GrantedAuthority[] authorities;
         private boolean authenticated = false;
 
         public MockAuthenticationImpl(Object principal, Object credentials,
             GrantedAuthority[] authorities) {
+            super(authorities);
             this.principal = principal;
             this.credentials = credentials;
-            this.authorities = authorities;
         }
 
         private MockAuthenticationImpl() {
-            super();
+            super(null);
-        }
-
-        public GrantedAuthority[] getAuthorities() {
-            return this.authorities;
         }
 
         public Object getCredentials() {

core/src/test/java/org/acegisecurity/providers/TestingAuthenticationTokenTests.java

@@ -19,6 +19,7 @@ import junit.framework.TestCase;
 
 import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.GrantedAuthorityImpl;
+import org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken;
 
 
 /**
@@ -67,11 +68,13 @@ public class TestingAuthenticationTokenTests extends TestCase {
         assertEquals("ROLE_TWO", token.getAuthorities()[1].getAuthority());
     }
 
-    public void testNoArgConstructor() {
+    public void testNoArgConstructorDoesntExist() {
+        Class clazz = TestingAuthenticationToken.class;
+
         try {
-            new TestingAuthenticationToken();
+            clazz.getDeclaredConstructor((Class[])null);
-            fail("Should have thrown IllegalArgumentException");
+            fail("Should have thrown NoSuchMethodException");
-        } catch (IllegalArgumentException expected) {
+        } catch (NoSuchMethodException expected) {
             assertTrue(true);
         }
     }

core/src/test/java/org/acegisecurity/providers/anonymous/AnonymousAuthenticationTokenTests.java

@@ -20,6 +20,7 @@ import junit.framework.TestCase;
 import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.GrantedAuthorityImpl;
 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
+import org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken;
 
 import java.util.List;
 import java.util.Vector;
@@ -126,11 +127,13 @@ public class AnonymousAuthenticationTokenTests extends TestCase {
         assertTrue(token.isAuthenticated());
     }
 
-    public void testNoArgConstructor() {
+    public void testNoArgConstructorDoesntExist() {
+        Class clazz = AnonymousAuthenticationToken.class;
+
         try {
-            new AnonymousAuthenticationToken();
+            clazz.getDeclaredConstructor((Class[])null);
-            fail("Should have thrown IllegalArgumentException");
+            fail("Should have thrown NoSuchMethodException");
-        } catch (IllegalArgumentException expected) {
+        } catch (NoSuchMethodException expected) {
             assertTrue(true);
         }
     }

core/src/test/java/org/acegisecurity/providers/cas/CasAuthenticationTokenTests.java

@@ -178,11 +178,13 @@ public class CasAuthenticationTokenTests extends TestCase {
             token.getUserDetails().getUsername());
     }
 
-    public void testNoArgConstructor() {
+    public void testNoArgConstructorDoesntExist() {
+        Class clazz = CasAuthenticationToken.class;
+
         try {
-            new CasAuthenticationToken();
+            clazz.getDeclaredConstructor((Class[])null);
-            fail("Should have thrown IllegalArgumentException");
+            fail("Should have thrown NoSuchMethodException");
-        } catch (IllegalArgumentException expected) {
+        } catch (NoSuchMethodException expected) {
             assertTrue(true);
         }
     }

core/src/test/java/org/acegisecurity/providers/rememberme/RememberMeAuthenticationTokenTests.java

@@ -126,11 +126,13 @@ public class RememberMeAuthenticationTokenTests extends TestCase {
         assertTrue(token.isAuthenticated());
     }
 
-    public void testNoArgConstructor() {
+    public void testNoArgConstructorDoesntExist() {
+        Class clazz = RememberMeAuthenticationToken.class;
+
         try {
-            new RememberMeAuthenticationToken();
+            clazz.getDeclaredConstructor((Class[])null);
-            fail("Should have thrown IllegalArgumentException");
+            fail("Should have thrown NoSuchMethodException");
-        } catch (IllegalArgumentException expected) {
+        } catch (NoSuchMethodException expected) {
             assertTrue(true);
         }
     }

core/src/test/java/org/acegisecurity/runas/RunAsUserTokenTests.java

@@ -71,11 +71,14 @@ public class RunAsUserTokenTests extends TestCase {
             token.getOriginalAuthentication());
     }
 
-    public void testNoArgsConstructor() {
+
+    public void testNoArgConstructorDoesntExist() {
+        Class clazz = RunAsUserToken.class;
+
         try {
-            new RunAsUserToken();
+            clazz.getDeclaredConstructor((Class[])null);
-            fail("Should have thrown IllegalArgumentException");
+            fail("Should have thrown NoSuchMethodException");
-        } catch (IllegalArgumentException expected) {
+        } catch (NoSuchMethodException expected) {
             assertTrue(true);
         }
     }

sandbox/src/main/java/org/acegisecurity/providers/smb/NtlmAuthenticationToken.java

@@ -38,7 +38,6 @@ public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
 
     private NtlmPasswordAuthentication ntlmPasswordAuthentication;
     private transient UniAddress domainController;
-    private GrantedAuthority[] authorities;
     private boolean authenticated;
 
     //~ Constructors ===========================================================
@@ -46,6 +45,7 @@ public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
     public NtlmAuthenticationToken(
         NtlmPasswordAuthentication ntlmPasswordAuthentication,
         UniAddress domainController) {
+        super(null);
         this.ntlmPasswordAuthentication = ntlmPasswordAuthentication;
         this.domainController = domainController;
     }
@@ -60,14 +60,6 @@ public class NtlmAuthenticationToken extends AbstractAuthenticationToken {
         return authenticated;
     }
 
-    public void setAuthorities(GrantedAuthority[] authorities) {
-        this.authorities = authorities;
-    }
-
-    public GrantedAuthority[] getAuthorities() {
-        return authorities;
-    }
-
     public Object getCredentials() {
         return ntlmPasswordAuthentication.getPassword();
     }