
I have a custom authentication provider implemented in my Spring MVC project. In my own overriding authenticate() method I implement my own authentication, where I construct my own UserPasswordAuthenticationToken() and return the object.

Now the userid in the above said object "UserPasswordAuthenticationToken" is anonymized, the password is null and the permissions are set to those that are granted to this user.

Question:
Does this cause the SecurityContextHolder, or the SecurityContext in general, to lose the original incoming credentials inside the Authenticate object that is passed to the overridden authenticate() method?

If it does not, what should I do to drop those original credentials and force the Spring security context to hold my new anonymous authentication identifier (preferably along with other metadata, of course)?


1 Answer


Actually, the Java remote debugging feature (JDWP) does not pose the danger of being a security vulnerability in production, because it is off by default.

The only way this could happen is if someone explicitly turned it on in production, but the production team would probably never allow that, and they are the only ones with administrative capability on that machine.

To turn on debugging in production, someone would have to add these parameters to the server start-up script, or set them via the console:

-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=<PORT>

This cannot happen by accident. You can confirm that JDWP is disabled in production by trying to create a remote debug connection to the production machine with your IDE; it should fail. Before trying, it is best to disable all breakpoints, just in case.

If for some reason JDWP is enabled in production, the production team can configure the server's firewall to only allow connections to the JDWP port from a list of acceptable IPs, preventing developers from remotely debugging production and accessing confidential information.

answered 2014-03-14T22:41:39.053
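As an added example (not part of the original answer): a host-side audit that checks JVM command lines, as you would collect them from `ps -o pid,args` on the server, for the JDWP flags shown above and reports whether the listener is reachable from the network. The process lines are constructed samples; the `jdwp_status` and `audit` helpers are assumptions for this illustration.

```python
import re

# Both spellings that switch the JDWP agent on: the legacy -Xrunjdwp: form used
# in the answer and the newer -agentlib:jdwp= form. Either one is enough.
_JDWP_FLAG = re.compile(r"(?:-Xrunjdwp:|-agentlib:jdwp=)(\S+)")


def jdwp_status(cmdline):
    """Inspect one JVM command line and report whether the debug agent is on."""
    m = _JDWP_FLAG.search(cmdline)
    if not m:
        return {"enabled": False}
    opts = {}
    for part in m.group(1).split(","):
        key, _, value = part.partition("=")
        opts[key] = value
    address = opts.get("address", "")
    # address=PORT (JDK 8 and earlier) and address=*:PORT bind every interface;
    # host:PORT restricts the listener. A bare port is flagged conservatively,
    # even though JDK 9+ treats it as localhost-only.
    host, _, _port = address.rpartition(":")
    listening = opts.get("server", "n") == "y"
    return {
        "enabled": True,
        "transport": opts.get("transport", ""),
        "server": listening,
        "suspend": opts.get("suspend", "n") == "y",
        "address": address,
        "exposed_to_network": listening and host in ("", "*"),
    }


def audit(processes):
    """Return (pid, status) for every process that has JDWP enabled."""
    return [(pid, s) for pid, cmd in processes
            if (s := jdwp_status(cmd))["enabled"]]


SAMPLE = [  # constructed sample process lines, not real ps output
    (101, "java -Xms512m -jar /srv/app/app.jar"),
    (202, "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar"),
    (303, "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar"),
]

if __name__ == "__main__":
    for pid, s in audit(SAMPLE):
        where = "ALL INTERFACES" if s["exposed_to_network"] else "local only"
        print(f"pid {pid}: JDWP enabled, address={s['address'] or '(default)'} ({where})")
```

Pair it with the firewall rule from the answer: a finding marked ALL INTERFACES is the case where only the port restriction stands between the debugger and the heap.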