  1. Spring Security
  2. SEC-1102

CLONE -SecurityContextHolderAwareRequestWrapper isUserInRole always returns null when user is anonymously authenticated


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core


      In our application a user can be fully authenticated or anonymously authenticated.
      In the latter case the security token is the AnonymousAuthenticationToken.

      When a user is anonymously authenticated and I use the isUserInRole('ROLE_ANONYMOUS') functionality on the HttpServletRequest, I always get 'false'.
      I verified the SecurityContextHolder.getContext().getAuthentication() -> I can clearly see that the token is AnonymousAuthenticationToken and that the user has the ROLE_ANONYMOUS credentials, so that is not the problem.

      After debugging I found the HttpServletRequest is wrapped by the SavedRequestAwareWrapper, which in turn inherits the 'isUserInRole' behaviour from SecurityContextHolderAwareRequestWrapper.
      However, the isUserInRole on the latter class first calls getAuthentication; this method looks like this:

      //SecurityContextHolderAwareRequestWrapper - line 74
      private Authentication getAuthentication() {
          Authentication auth = SecurityContextHolder.getContext().getAuthentication();

          // Only a non-anonymous Authentication is handed back to the caller
          if (!authenticationTrustResolver.isAnonymous(auth)) {
              return auth;
          }

          // Anonymous tokens are treated as "no authentication"
          return null;
      }

      So what happens is that the Authentication is not returned, but null instead.
      Therefore the isUserInRole returns false.

      I think this is a bug; why should isUserInRole not work when the user has the ROLE_ANONYMOUS?
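
A stand-alone model of the behaviour described in the report above, added here as an example; it is not Spring Security code and not code from the reporter. `Token`, `contextAuthentication`, `contextHasAuthority` and `report` are hypothetical stand-ins, and the body of `isUserInRole` is an assumption based on the report's description that it first calls `getAuthentication`.

```java
import java.util.Set;

// Added illustration: stand-in types only, not Spring Security classes (Java 16+).
public class AnonymousRoleCheckDemo {

    // Hypothetical stand-in for an Authentication token.
    record Token(String name, boolean anonymous, Set<String> authorities) {}

    // Hypothetical stand-in for SecurityContextHolder.getContext().getAuthentication().
    static Token contextAuthentication;

    // Same filtering as the getAuthentication() quoted in the report:
    // an anonymous token is never handed to the caller.
    static Token getAuthentication() {
        Token auth = contextAuthentication;
        if (auth != null && !auth.anonymous()) {
            return auth;
        }
        return null;
    }

    // Assumed shape of the wrapper's role check: it starts from
    // getAuthentication(), so a hidden token can only yield false.
    static boolean isUserInRole(String role) {
        Token auth = getAuthentication();
        return auth != null && auth.authorities().contains(role);
    }

    // Role check made directly against the context, as the reporter did by hand.
    static boolean contextHasAuthority(String role) {
        Token auth = contextAuthentication;
        return auth != null && auth.authorities().contains(role);
    }

    // Prints both answers side by side for the current token.
    static void report(String role) {
        System.out.printf("%-14s %-15s isUserInRole=%-5b context=%b%n",
                contextAuthentication.name(), role,
                isUserInRole(role), contextHasAuthority(role));
    }

    public static void main(String[] args) {
        // Constructed sample tokens.
        contextAuthentication = new Token("anonymousUser", true, Set.of("ROLE_ANONYMOUS"));
        report("ROLE_ANONYMOUS");
        contextAuthentication = new Token("alice", false, Set.of("ROLE_USER"));
        report("ROLE_USER");
    }
}
```

The two columns disagree only for the anonymous token, which is the case to watch for when access decisions are keyed on the servlet API's role check rather than on the security context.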



          luke Luke Taylor added a comment -

          Closing. See comments in the original issue.



            • Assignee:
              luke Luke Taylor
              errorken errorken