SEC-3139: Anonymous authentication token not passed to Controller #3338
Description
James Garrison (Migrated from SEC-3139) said:
Consider the following RequestMapping in a SpringMVC controller:
@RequestMapping("/index")
public String index(
Authentication auth, // <-- null if anonymous user
ModelMap model,
HttpServletRequest req,
HttpServletResponse resp)
{
SecurityContext ctx = SecurityContextHolder.getContext();
Authentication auth2 = ctx.getAuthentication(); // <-- always non-null (correct)
...
}I got this (use of an Authentication controller parameter) from here.
If the user is "really" authenticated (i.e. logged in) then this works as advertised. The problem is that when anonymous authentication is allowed and no user is logged in the value of auth is null when it should be an AnonymousAuthenticationToken.
The alternate method of going through ctx.getAuthentication() returns the correct AnonymousAuthenticationToken regardless of whether the user is anonymous or a "real" logged in user.
What's interesting is that Authentication is not included in the list of Supported Method Argument Types. If it just didn't work at all I'd say Baeldung was just mistaken, but the fact that it works for "real" authentication but not for anonymous makes me wonder where the problem is.
I believe this may be a bug that has been around for a while (see a similar unanswered question).
If it should work as described by Baeldung then it needs to be fixed, and the documentation updated to include Authentication as an allowable parameter type.
Here's my Spring Security configuration:
<s:http use-expressions="false">
<s:anonymous />
<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<s:form-login login-page="/login" default-target-url='/index'/>
<s:logout logout-success-url="/login"/>
</s:http>