diff --git a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
index 6542dcebdb..5ce187484b 100644
--- a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
@@ -135,18 +135,21 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
         FilterChain chain) throws IOException, ServletException {
         SecureContext sc = SecureContextUtils.getSecureContext();
 
-        if (sc.getAuthentication() == null) {
-            sc.setAuthentication(createAuthentication(request));
+        if (applyAnonymousForThisRequest(request)) {
+            if (sc.getAuthentication() == null) {
+                sc.setAuthentication(createAuthentication(request));
 
-            if (logger.isDebugEnabled()) {
-                logger.debug("Replaced ContextHolder with anonymous token: '"
-                    + sc.getAuthentication() + "'");
-            }
-        } else {
-            if (logger.isDebugEnabled()) {
-                logger.debug(
-                    "ContextHolder not replaced with anonymous token, as ContextHolder already contained: '"
-                    + sc.getAuthentication() + "'");
+                if (logger.isDebugEnabled()) {
+                    logger.debug(
+                        "Replaced ContextHolder with anonymous token: '"
+                        + sc.getAuthentication() + "'");
+                }
+            } else {
+                if (logger.isDebugEnabled()) {
+                    logger.debug(
+                        "ContextHolder not replaced with anonymous token, as ContextHolder already contained: '"
+                        + sc.getAuthentication() + "'");
+                }
             }
         }
 
@@ -162,6 +165,24 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
      */
     public void init(FilterConfig arg0) throws ServletException {}
 
+    /**
+     * Enables subclasses to determine whether or not an anonymous
+     * authentication token should be setup for this request. This is useful
+     * if anonymous authentication should be allowed only for specific IP
+     * subnet ranges etc.
+     *
+     * @param request to assist the method determine request details
+     *
+     * @return <code>true</code> if the anonymous token should be setup for
+     *         this request (provided that the request doesn't already have
+     *         some other <code>Authentication</code> inside it), or
+     *         <code>false</code> if no anonymous token should be setup for
+     *         this request
+     */
+    protected boolean applyAnonymousForThisRequest(ServletRequest request) {
+        return true;
+    }
+
     protected Authentication createAuthentication(ServletRequest request) {
         return new AnonymousAuthenticationToken(key,
             userAttribute.getPassword(), userAttribute.getAuthorities());
diff --git a/doc/xdocs/changes.xml b/doc/xdocs/changes.xml
index 434f6bdbf0..bb2a347825 100644
--- a/doc/xdocs/changes.xml
+++ b/doc/xdocs/changes.xml
@@ -26,6 +26,7 @@
   </properties>
   <body>
     <release version="0.9.0" date="In CVS">
+      <action dev="benalex" type="update">AnonymousProcessingFilter offers protected method to control when it should execute</action>
     </release>
     <release version="0.8.2" date="2005-04-20">
       <action dev="benalex" type="fix">Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml</action>