Spring Security / SEC-1975

AuthenticationSimpleHttpInvokerRequestExecutor and AnonymousAuthenticationToken

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.7, 3.1.0
    • Fix Version/s: 3.0.8, 3.1.2
    • Component/s: Remoting
    • Labels: None

      Description

      Hi,

      I am working with AuthenticationSimpleHttpInvokerRequestExecutor to add HTTP Basic authentication to HttpInvoker requests. When using the AnonymousAuthenticationFilter to create an AnonymousAuthenticationToken, the request executor will extract "anonymousUser" and some randomly generated credentials. In the backend, I have no chance to generate meaningful UserDetails for "anonymousUser".

      So wouldn't it be better to check in prepareConnection() whether the Authentication is a UsernamePasswordAuthenticationToken, since these are anyway the only usable tokens for HTTP Basic authentication?

        Activity

        Karl Toffel added a comment -

        I dug into BasicAuthenticationFilter, which is invoked on the backend. It creates a

        UsernamePasswordAuthenticationToken authRequest =
           new UsernamePasswordAuthenticationToken(username, tokens[1]);

        It makes sense to send only UsernamePasswordAuthenticationTokens in AuthenticationSimpleHttpInvokerRequestExecutor.

        Rob Winch added a comment -

        I think we can update AuthenticationSimpleHttpInvokerRequestExecutor to use an AuthenticationTrustResolver to determine if it is anonymous and only add the credentials in the event that the user is not anonymous.

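The following is an added illustration of the approach Rob Winch describes, written for this page and not Spring Security's own implementation. It assumes the Spring Security 3.x remoting and authentication classes named in the discussion (SimpleHttpInvokerRequestExecutor, AuthenticationTrustResolverImpl, SecurityContextHolder) and java.util.Base64 from Java 8; the class and method names NonAnonymousBasicAuthRequestExecutor and basicAuthHeader are invented for the example.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Illustrative HttpInvoker request executor (not Spring Security's own class)
 * that attaches an HTTP Basic Authorization header only when the current
 * Authentication is a non-anonymous principal that still carries credentials.
 */
public class NonAnonymousBasicAuthRequestExecutor extends SimpleHttpInvokerRequestExecutor {

    // AuthenticationTrustResolverImpl classifies AnonymousAuthenticationToken
    // (and RememberMeAuthenticationToken) without instanceof checks against the
    // concrete classes, so it is the right hook for "is this user anonymous?".
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    protected void prepareConnection(HttpURLConnection con, int contentLength) throws IOException {
        super.prepareConnection(con, contentLength);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String header = basicAuthHeader(auth, trustResolver);
        if (header != null) {
            con.setRequestProperty("Authorization", header);
        }
    }

    /**
     * Builds the "Basic base64(name:credentials)" header value, or returns null
     * when nothing should be sent: no Authentication in the context, an anonymous
     * token (its "anonymousUser" name and random key mean nothing to the backend's
     * BasicAuthenticationFilter), or a token whose name or credentials are absent.
     * Kept static and package-private so it can be unit-tested without a connection.
     */
    static String basicAuthHeader(Authentication auth, AuthenticationTrustResolver resolver) {
        if (auth == null || resolver.isAnonymous(auth)) {
            return null;
        }
        if (auth.getName() == null || auth.getCredentials() == null) {
            // Credentials may have been erased after authentication; sending
            // "name:null" would only produce a guaranteed 401 on the backend.
            return null;
        }
        String pair = auth.getName() + ":" + auth.getCredentials();
        String encoded = Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
        return "Basic " + encoded;
    }
}
```

Two points worth checking in a real deployment: ProviderManager erases credentials from the Authentication after a successful login by default (eraseCredentialsAfterAuthentication), so getCredentials() can legitimately be null for a fully authenticated user and the executor then sends no header; and with the anonymous case skipped, a backend that requires authentication for the invoker endpoint will reject the unauthenticated call with a 401 rather than attempting to authenticate "anonymousUser", which is the clean failure the reporter is asking for.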

          People

          • Assignee: Rob Winch
          • Reporter: Karl Toffel
          • Votes: 0
          • Watchers: 2

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              • Estimated: 1h
              • Remaining: 1h
              • Logged: Not Specified