SEC-1975: AuthenticationSimpleHttpInvokerRequestExecutor and AnonymousAuthenticationToken #2199

spring-issuemaster opened this Issue Jun 21, 2012 · 2 comments



Karl Toffel (Migrated from SEC-1975) said:


I am working with AuthenticationSimpleHttpInvokerRequestExecutor to add http basic authentication to HTTPInvoker requests. When using the AnonymousAuthenticationFilter to create an AnonymousAuthenticationToken the request executor will extract "anonymousUser" and some randomly generated credentials. In the backend, I have no chance to generate meaningful UserDetails for "anonymousUser".

So wouldn't it be better to check in prepareConnection() if the Authentication is a UsernamePasswordAuthenticationToken, since these are anyway the only usable tokens for http basic authentication?

Karl Toffel said:

I dug into BasicAuthenticationFilter, which is invoked on the backend. It creates a

```java
UsernamePasswordAuthenticationToken authRequest =
   new UsernamePasswordAuthenticationToken(username, tokens[1]);
```

It makes sense to send only UsernamePasswordAuthenticationTokens in AuthenticationSimpleHttpInvokerRequestExecutor

Rob Winch said:

I think we can update AuthenticationSimpleHttpInvokerRequestExecutor to use an AuthenticationTrustResolver to determine if it is anonymous and only add the credentials in the event that the user is not anonymous.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
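
The check proposed in the last comment, sketched as an added example (not code from this thread or from Spring Security itself): a request executor that consults an AuthenticationTrustResolver and sends no Basic header for an anonymous token. The class name `AnonymousAwareHttpInvokerRequestExecutor` and the helper `basicHeaderFor` are hypothetical, and `java.util.Base64` is assumed to be available.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical class: illustrates the behaviour discussed above, not the shipped fix.
public class AnonymousAwareHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    protected void prepareConnection(HttpURLConnection con, int contentLength) throws IOException {
        super.prepareConnection(con, contentLength);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String header = basicHeaderFor(auth);
        if (header != null) {
            con.setRequestProperty("Authorization", header);
        }
        // With no header set, the backend's own anonymous handling applies
        // instead of a lookup for a user named "anonymousUser".
    }

    // Returns the Authorization header value, or null when nothing should be sent.
    String basicHeaderFor(Authentication auth) {
        if (auth == null || trustResolver.isAnonymous(auth)) {
            // AnonymousAuthenticationToken: its principal and key are not
            // credentials the backend can resolve to UserDetails.
            return null;
        }
        if (auth.getName() == null || auth.getCredentials() == null) {
            // Nothing usable for HTTP Basic, e.g. credentials already erased.
            return null;
        }
        String pair = auth.getName() + ":" + auth.getCredentials();
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }
}
```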
