Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-3139: Anonymous authentication token not passed to Controller #3338

Closed
spring-projects-issues opened this issue Oct 30, 2015 · 3 comments
Closed
Assignees
Labels
in: docs status: backported type: bug type: jira

Comments

@spring-projects-issues
Copy link

@spring-projects-issues spring-projects-issues commented Oct 30, 2015

James Garrison (Migrated from SEC-3139) said:

Consider the following RequestMapping in a SpringMVC controller:

@RequestMapping("/index")
public String index(
    Authentication auth,    // <-- null if anonymous user
    ModelMap model, 
    HttpServletRequest req, 
    HttpServletResponse resp)
{
    SecurityContext ctx   = SecurityContextHolder.getContext();
    Authentication  auth2 = ctx.getAuthentication();  // <-- always non-null (correct)    
    ...
}

I got this (use of an Authentication controller parameter) from here.

If the user is "really" authenticated (i.e. logged in) then this works as advertised. The problem is that when anonymous authentication is allowed and no user is logged in the value of auth is null when it should be an AnonymousAuthenticationToken.

The alternate method of going through ctx.getAuthentication() returns the correct AnonymousAuthenticationToken regardless of whether the user is anonymous or a "real" logged in user.

What's interesting is that Authentication is not included in the list of Supported Method Argument Types. If it just didn't work at all I'd say Baeldung was just mistaken, but the fact that it works for "real" authentication but not for anonymous makes me wonder where the problem is.

I believe this may be a bug that has been around for a while (see a similar unanswered question).

If it should work as described by Baeldung then it needs to be fixed, and the documentation updated to include Authentication as an allowable parameter type.

Here's my Spring Security configuration:

      <s:http use-expressions="false">
        <s:anonymous />
        <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <s:form-login login-page="/login" default-target-url='/index'/>
        <s:logout logout-success-url="/login"/>
      </s:http>
@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 30, 2015

Rob Winch said:

The reason this happens is because Spring MVC resolves anything of type Principal to the HttpServletRequest.getUserPrincipal() result. Spring Security makes this null if the user is not authenticated to conform with the Servlet specification.

A workaround is to use something like this:

@RequestMapping("/index")
public String index(
    @Value("#{T(org.springframework.security.core.context.SecurityContextHolder).context.authentication}") Authentication auth, 
    ModelMap model, 
    HttpServletRequest req, 
    HttpServletResponse resp)
{
    SecurityContext ctx   = SecurityContextHolder.getContext();
    Authentication  auth2 = ctx.getAuthentication();  // <-- always non-null (correct)    
    ...
}

This is not ideal, but if I recall correctly, Spring Security cannot register a HandlerMethodArgumentResolver with a higher priority that those provided by Spring MVC.

cc [~rstoya05-aop]

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 31, 2015

James Garrison said:

I understand.

This probably deserves a paragraph in the documentation.

@spring-projects-issues spring-projects-issues added in: docs Open type: bug type: jira labels Feb 5, 2016
@rwinch rwinch removed the Open label May 3, 2019
@jzheaux
Copy link
Contributor

@jzheaux jzheaux commented Jun 8, 2021

Note that as of Security 5.2, you can use @CurrentSecurityContext to reduce some of the boilerplate. I'll add some documentation to this affect.

@jzheaux jzheaux self-assigned this Jun 8, 2021
@jzheaux jzheaux closed this as completed in c294050 Jun 8, 2021
jzheaux added a commit that referenced this issue Jun 8, 2021
@spring-projects-issues spring-projects-issues added the status: backported label Jun 8, 2021
jzheaux added a commit that referenced this issue Jun 8, 2021
jzheaux added a commit that referenced this issue Jun 8, 2021
jzheaux added a commit that referenced this issue Jun 8, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: docs status: backported type: bug type: jira
Projects
None yet
Development

No branches or pull requests

3 participants