SEC-1975: AuthenticationSimpleHttpInvokerRequestExecutor and AnonymousAuthenticationToken #2199

Closed
spring-issuemaster opened this Issue Jun 21, 2012 · 2 comments


@spring-issuemaster

Karl Toffel (Migrated from SEC-1975) said:

Hi,

I am working with AuthenticationSimpleHttpInvokerRequestExecutor to add http basic authentication to HTTPInvoker requests. When using the AnonymousAuthenticationFilter to create an AnonymousAuthenticationToken the request executor will extract "anonymousUser" and some randomly generated credentials. In the backend, I have no chance to generate meaningful UserDetails for "anonymousUser".

So wouldn't it be better to check in prepareConnection() if the Authentication is a UsernamePasswordAuthenticationToken, since these are anyway the only usable tokens for http basic authentication?

@spring-issuemaster

Karl Toffel said:

I dug into BasicAuthenticationFilter, which is invoked on the backend. It creates a

```java
UsernamePasswordAuthenticationToken authRequest =
    new UsernamePasswordAuthenticationToken(username, tokens[1]);
```

It makes sense to send only UsernamePasswordAuthenticationTokens in AuthenticationSimpleHttpInvokerRequestExecutor.

@spring-issuemaster

Rob Winch said:

I think we can update AuthenticationSimpleHttpInvokerRequestExecutor to use an AuthenticationTrustResolver to determine if it is anonymous and only add the credentials in the event that the user is not anonymous.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016