Oct 7th, 2008, 07:41 PM
"Spoofing" an Authentication object...
I was going through the documentation and I was wondering what would prevent a user from creating their own Authentication object, populating it with some GrantedAuthorities, and then setting its authenticated flag to true. Could they not load this into the SecurityContext? Or is it that only objects loaded as Spring beans within an applicationContext have access to the SecurityContext, so the "spoofed" Authentication object cannot be loaded?
Oct 7th, 2008, 08:12 PM
And how exactly would a remote user accessing your application through a web browser do this?
Theoretically what you are describing is a security hole but realistically, it means that the user would have to have somehow injected malicious code into your application. This pretty much means that for a web application, he'd have to have access to your application server, at which point, you have other issues.
Remember, security is all about "layers" ;-)
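The trust boundary the reply describes, as an added example that is not part of the thread: code inside the JVM can populate the SecurityContext, while the container-level safeguards (the authenticated flag cannot be switched on after construction, and the holder is thread-local, so nothing a remote client sends becomes an Authentication) keep that possibility in-process. Package names assume Spring Security 3.1 or later rather than the 2.x classes current in 2008; the principal "alice" and role "ROLE_ADMIN" are constructed for the demo.

```java
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class ContextBoundaryDemo {

    public static void main(String[] args) throws InterruptedException {
        // Constructed role for this demo.
        List<SimpleGrantedAuthority> roles = List.of(new SimpleGrantedAuthority("ROLE_ADMIN"));

        // 1. What the question describes: any code already running inside the JVM
        //    can build a trusted token. The three-argument constructor is the only
        //    sanctioned way to mark a token authenticated.
        Authentication trusted = new UsernamePasswordAuthenticationToken("alice", null, roles);
        SecurityContextHolder.getContext().setAuthentication(trusted);
        System.out.println("same thread sees: " + SecurityContextHolder.getContext().getAuthentication());

        // 2. A token built without authorities cannot be promoted afterwards:
        //    setAuthenticated(true) is rejected with IllegalArgumentException by design.
        Authentication untrusted = new UsernamePasswordAuthenticationToken("alice", "secret");
        try {
            untrusted.setAuthenticated(true);
        } catch (IllegalArgumentException e) {
            System.out.println("promotion refused: " + e.getMessage());
        }

        // 3. The default holder strategy is thread-local, so the token set above is
        //    invisible from another thread. For a web request the filter chain
        //    restores the context from the server-side HttpSession (looked up by
        //    session id) or from a fresh authentication, never from request content.
        AtomicReference<Authentication> seenElsewhere = new AtomicReference<>();
        Thread other = new Thread(() ->
                seenElsewhere.set(SecurityContextHolder.getContext().getAuthentication()));
        other.start();
        other.join();
        System.out.println("other thread sees: " + seenElsewhere.get());

        // Clear the context when done so a pooled thread does not carry a stale
        // principal into the next unit of work it services.
        SecurityContextHolder.clearContext();
    }
}
```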