Check session salt in shib auth

2025-10-10 11:33:11 +00:00 · 2020-01-10 10:25:58 +01:00
parent a32d11eb85
commit 462f20a338
2 changed files with 4 additions and 1 deletions
--- a/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java
+++ b/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java
@@ -227,6 +227,10 @@ public class ShibAuthentication implements AuthenticationMethod {
                return AuthenticationMethod.NO_SUCH_USER;
            }

+            if (eperson != null && StringUtils.isNotBlank(eperson.getSessionSalt())) {
+                return AuthenticationMethod.NO_SUCH_USER;
+            }
+
            // Step 3: Update User's Metadata
            updateEPerson(context, request, eperson);

--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/StatelessLoginFilter.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/StatelessLoginFilter.java
@@ -15,7 +15,6 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;