Spring Security
  1. Spring Security
  2. SEC-1102

CLONE -SecurityContextHolderAwareRequestWrapper isUserInRole always returns null when user is anonymously authenticated

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Duplicate
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      In our application a user can be fully authenticated or anymous authenticated.
      In the later case the security token is the AnonymousAuthenticationToken.

      When a user is anonymously authenticated and I the isUserInRole('ROLE_ANONYMOUS') functionality on the In HttpServletRequest always get 'false'.
      I verified the SecurityContextHolder.getContext().getAuthentication() -> I can clearly see that the token is AnonymousAuthenticationToken and that the user has the ROLE_ANONYMOUS credentials, so that is not the problem.

      After debug I found the HttpServletRequest wrapped by the SavedRequestAwareWrapper which in turn inherits the 'isUserInRole' behaviour from SecurityContextHolderAwareRequestWrapper
      However, the isUserInRole on the latter class first calls getAuthentication, this method looks like this:

      [code]
      //SecurityContextHolderAwareRequestWrapper - line 74
      private Authentication getAuthentication() {
      Authentication auth = SecurityContextHolder.getContext().getAuthentication();

      if (!authenticationTrustResolver.isAnonymous(auth))

      { return auth; }

      return null;
      }
      [/code]

      So what happens is, is that the Authentication is not returned, but null instead
      Therefore the isUserInRole returns false.

      I think this is a bug; why should isUserInRole not work when the user has the ROLE_ANONYMOUS ?

        Issue Links

          Activity

          Hide
          Luke Taylor added a comment -

          Closing. See comments in the original issue.

          Show
          Luke Taylor added a comment - Closing. See comments in the original issue.

            People

            • Assignee:
              Luke Taylor
              Reporter:
              errorken
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: