SEC-1102: CLONE - SecurityContextHolderAwareRequestWrapper isUserInRole always returns null when user is anonymously authenticated #1352

spring-issuemaster opened this Issue Feb 8, 2009 · 2 comments

from SEC-1102) said:

In our application a user can be fully authenticated or anonymously authenticated.
In the latter case the security token is the AnonymousAuthenticationToken.

When a user is anonymously authenticated and I call the isUserInRole(‘ROLE_ANONYMOUS’) functionality on the HttpServletRequest, I always get ‘false’.
I verified the SecurityContextHolder.getContext().getAuthentication() → I can clearly see that the token is AnonymousAuthenticationToken and that the user has the ROLE_ANONYMOUS credentials, so that is not the problem.

After debugging I found the HttpServletRequest is wrapped by the SavedRequestAwareWrapper, which in turn inherits the ‘isUserInRole’ behaviour from SecurityContextHolderAwareRequestWrapper.
However, the isUserInRole on the latter class first calls getAuthentication; this method looks like this:

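// SecurityContextHolderAwareRequestWrapper – line 74
private Authentication getAuthentication() {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();

    // Only a non-anonymous Authentication is handed back to the caller
    if (!authenticationTrustResolver.isAnonymous(auth)) {
        return auth;
    }

    // Anonymous tokens are treated as "no authentication"
    return null;
}
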
So what happens is that the Authentication is not returned, but null instead.
Therefore the isUserInRole returns false.

I think this is a bug; why should isUserInRole not work when the user has the ROLE_ANONYMOUS?
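
The behaviour described in this report, as an added example that is not part of the original issue or the project's code: it compares the wrapper's isUserInRole with a check made directly against the Authentication, first for an anonymous token and then for a regular user. It assumes the Spring Security 3.x or later API with spring-security-core, spring-security-web, spring-test and the servlet API on the classpath; the class name, the helper names `wrapperSays` and `hasAuthority`, the key, the user "alice" and ROLE_USER are constructed for illustration.

```java
import java.util.List;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;

// Added illustration; all names and sample values below are constructed.
public class AnonymousRoleCheckDemo {

    // Role check through the request wrapper, i.e. the path the report debugged.
    static boolean wrapperSays(String role) {
        return new SecurityContextHolderAwareRequestWrapper(
                new MockHttpServletRequest(), "ROLE_").isUserInRole(role);
    }

    // Role check against the Authentication itself, so anonymous tokens are
    // evaluated like any other token instead of being replaced by null.
    static boolean hasAuthority(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<GrantedAuthority> anon = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
        SecurityContextHolder.getContext().setAuthentication(
                new AnonymousAuthenticationToken("constructed-key", "anonymousUser", anon));
        System.out.println("anonymous, wrapper: " + wrapperSays("ROLE_ANONYMOUS"));
        System.out.println("anonymous, direct:  " + hasAuthority("ROLE_ANONYMOUS"));

        List<GrantedAuthority> user = AuthorityUtils.createAuthorityList("ROLE_USER");
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", "n/a", user));
        System.out.println("user, wrapper:      " + wrapperSays("ROLE_USER"));
        System.out.println("user, direct:       " + hasAuthority("ROLE_USER"));

        SecurityContextHolder.clearContext(); // do not leak the sample token to other code
    }
}
```

Access rules that need to distinguish anonymous from fully authenticated users are safer written against the Authentication's authorities than against isUserInRole, since the wrapper path never sees the anonymous token.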

Luke Taylor said:

Closing. See comments in the original issue.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016

This issue duplicates #1351
