diff --git a/core/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java b/core/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
index 6bde4a9742..d294773bd8 100644
--- a/core/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
+++ b/core/src/main/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutor.java
@@ -21,6 +21,8 @@ import java.net.HttpURLConnection;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.codec.Base64;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -30,12 +32,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
  * Adds BASIC authentication support to SimpleHttpInvokerRequestExecutor.
  *
  * @author Ben Alex
+ * @author Rob Winch
  */
 public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
     //~ Static fields/initializers =====================================================================================
     private static final Log logger = LogFactory.getLog(AuthenticationSimpleHttpInvokerRequestExecutor.class);
+    //~ Instance fields ================================================================================================
+    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
+
     //~ Methods ========================================================================================================
     /**
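Review bot: The new `trustResolver` field in the second hunk has no setter and is not `final`, so a deployment cannot substitute its own `AuthenticationTrustResolver` while the class still carries a mutable field nobody can legitimately change. Either make it `private final` or expose it, e.g. `public void setTrustResolver(AuthenticationTrustResolver trustResolver) { Assert.notNull(trustResolver, "trustResolver cannot be null"); this.trustResolver = trustResolver; }` with a Javadoc `@param` noting that the default is `AuthenticationTrustResolverImpl`. A field comment such as `// Used to avoid sending an anonymous token's "credentials" as Basic auth (SEC-1975)` would also record why the resolver exists, since the class Javadoc above it does not mention the anonymous case.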
@@ -65,7 +72,7 @@ public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpIn
         Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null)) {
+        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
             String base64 = auth.getName() + ":" + auth.getCredentials().toString();
             con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));
diff --git a/core/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java b/core/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
index d32d1665d5..0990a2bccb 100644
--- a/core/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
+++ b/core/src/test/java/org/springframework/security/remoting/httpinvoker/AuthenticationSimpleHttpInvokerRequestExecutorTests.java
@@ -18,8 +18,10 @@ package org.springframework.security.remoting.httpinvoker;
 import junit.framework.TestCase;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
@@ -37,6 +39,7 @@ import java.util.Map;
  * Tests {@link AuthenticationSimpleHttpInvokerRequestExecutor}.
  *
  * @author Ben Alex
+ * @author Rob Winch
  */
 public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCase {
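Review bot: The added `!trustResolver.isAnonymous(auth)` guard on the `if` line is the right fix, but the header value built two lines below still calls `base64.getBytes()` and `new String(...)` with the platform default charset, so a username or password containing non-ASCII characters is encoded differently from one JVM to another and the receiving server may reject or mis-decode it; pass an explicit charset, e.g. `base64.getBytes("UTF-8")` (or ISO-8859-1 if the servers being called expect that), and do the same for the `new String(...)` wrapping the Base64 output. Also note that the guard only suppresses credentials for tokens the configured resolver reports as anonymous; with the default `AuthenticationTrustResolverImpl` that appears to be decided by token class, so a custom anonymous token type would still be sent unless the resolver is configured for it — worth one sentence in the class Javadoc. The enclosing `prepareConnection` method starts and ends outside this hunk.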
@@ -77,6 +80,22 @@ public class AuthenticationSimpleHttpInvokerRequestExecutorTests extends TestCas
         assertNull(conn.getRequestProperty("Authorization"));
     }
+    // SEC-1975
+    public void testNullContextHolderWhenAnonymous() throws Exception {
+        AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken("key", "principal",
+                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+        SecurityContextHolder.getContext().setAuthentication(anonymous);
+
+        // Create a connection and ensure our executor sets its
+        // properties correctly
+        AuthenticationSimpleHttpInvokerRequestExecutor executor = new AuthenticationSimpleHttpInvokerRequestExecutor();
+        HttpURLConnection conn = new MockHttpURLConnection(new URL("http://localhost/"));
+        executor.prepareConnection(conn, 10);
+
+        // Check connection properties (shouldn't be an Authorization header)
+        assertNull(conn.getRequestProperty("Authorization"));
+    }
+
     //~ Inner Classes ==================================================================================================
     private class MockHttpURLConnection extends HttpURLConnection {
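Review bot: The new test's name `testNullContextHolderWhenAnonymous` does not describe what it checks — the context holder is populated with an anonymous token, not null, and the assertion is that no `Authorization` header is set; a name like `testAnonymousAuthenticationDoesNotAddAuthorizationHeader` makes a failure readable. The test also leaves the anonymous token in `SecurityContextHolder` when it returns; unless a `tearDown` outside this hunk clears it, that state can leak into the other test methods in this class, so add `SecurityContextHolder.clearContext();` at the end of the method or in `tearDown`. The bare `// SEC-1975` marker would carry more information as a Javadoc sentence stating the expected behaviour, e.g. `/** SEC-1975: an anonymous Authentication must not be sent as Basic credentials. */`.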