SEC-1102: CLONE -SecurityContextHolderAwareRequestWrapper isUserInRole always returns null when user is anonymously authenticated #1352

Closed
spring-issuemaster opened this Issue Feb 8, 2009 · 2 comments

1 participant

@spring-issuemaster

errorken (Migrated from SEC-1102) said:

In our application a user can be fully authenticated or anymous authenticated.
In the later case the security token is the AnonymousAuthenticationToken.

When a user is anonymously authenticated and I the isUserInRole(‘ROLE_ANONYMOUS’) functionality on the In HttpServletRequest always get ‘false’.
I verified the SecurityContextHolder.getContext().getAuthentication() → I can clearly see that the token is AnonymousAuthenticationToken and that the user has the ROLE_ANONYMOUS credentials, so that is not the problem.

After debug I found the HttpServletRequest wrapped by the SavedRequestAwareWrapper which in turn inherits the ‘isUserInRole’ behaviour from SecurityContextHolderAwareRequestWrapper
However, the isUserInRole on the latter class first calls getAuthentication, this method looks like this:

[code]
//SecurityContextHolderAwareRequestWrapper – line 74
private Authentication getAuthentication() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();

if (!authenticationTrustResolver.isAnonymous(auth)) { return auth; } return null; }

[/code]

So what happens is, is that the Authentication is not returned, but null instead
Therefore the isUserInRole returns false.

I think this is a bug; why should isUserInRole not work when the user has the ROLE_ANONYMOUS ?

@spring-issuemaster

Luke Taylor said:

Closing. See comments in the original issue.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
@spring-issuemaster

This issue duplicates #1351

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment