Karl Toffel (Migrated from SEC-1975) said:
I am working with AuthenticationSimpleHttpInvokerRequestExecutor to add http basic authentication to HTTPInvoker requests. When using the AnonymousAuthenticationFilter to create an AnonymousAuthenticationToken the request executor will extract "anonymousUser" and some randomly generated credentials. In the backend, I have no chance to generate meaningful UserDetails for "anonymousUser".
So wouldn't it be better to check in prepareConnection() if the Authentication is a UsernamePasswordAuthenticationToken, since these are anyway the only usable tokens for http basic authentication?
Karl Toffel said:
I dug into BasicAuthenticationFilter, which is invoked on the backend. It creates a
```java
UsernamePasswordAuthenticationToken authRequest =
        new UsernamePasswordAuthenticationToken(username, tokens);
```
It makes sense to send only UsernamePasswordAuthenticationTokens in AuthenticationSimpleHttpInvokerRequestExecutor.
Rob Winch said:
I think we can update AuthenticationSimpleHttpInvokerRequestExecutor to use an AuthenticationTrustResolver to determine if it is anonymous and only add the credentials in the event that the user is not anonymous.