diff --git a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
index 6542dcebdb..5ce187484b 100644
--- a/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/providers/anonymous/AnonymousProcessingFilter.java
@@ -135,18 +135,21 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
 FilterChain chain) throws IOException, ServletException {
 SecureContext sc = SecureContextUtils.getSecureContext();
- if (sc.getAuthentication() == null) {
- sc.setAuthentication(createAuthentication(request));
+ if (applyAnonymousForThisRequest(request)) {
+ if (sc.getAuthentication() == null) {
+ sc.setAuthentication(createAuthentication(request));
- if (logger.isDebugEnabled()) {
- logger.debug("Replaced ContextHolder with anonymous token: '"
- + sc.getAuthentication() + "'");
- }
- } else {
- if (logger.isDebugEnabled()) {
- logger.debug(
- "ContextHolder not replaced with anonymous token, as ContextHolder already contained: '"
- + sc.getAuthentication() + "'");
+ if (logger.isDebugEnabled()) {
+ logger.debug(
+ "Replaced ContextHolder with anonymous token: '"
+ + sc.getAuthentication() + "'");
+ }
+ } else {
+ if (logger.isDebugEnabled()) {
+ logger.debug(
+ "ContextHolder not replaced with anonymous token, as ContextHolder already contained: '"
+ + sc.getAuthentication() + "'");
+ }
 }
 }
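Review bot: When `applyAnonymousForThisRequest(request)` returns false the new outer `if` falls through silently, so the one outcome a subclass override can introduce is also the only one this method does not trace; an operator diagnosing a request that reached the chain without any Authentication has nothing in the debug log to go on. The two existing debug messages were kept for the other outcomes, so the skip case deserves one as well, after the outer block's closing brace: `} else if (logger.isDebugEnabled()) {` / `logger.debug("Anonymous token not applied: applyAnonymousForThisRequest returned false");` / `}`. doFilter's signature and the remainder of its body (presumably the call that continues the chain) lie outside the hunk.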
@@ -162,6 +165,24 @@ public class AnonymousProcessingFilter implements Filter, InitializingBean {
 */
 public void init(FilterConfig arg0) throws ServletException {}
+ /**
+ * Enables subclasses to determine whether or not an anonymous
+ * authentication token should be setup for this request. This is useful
+ * if anonymous authentication should be allowed only for specific IP
+ * subnet ranges etc.
+ *
+ * @param request to assist the method determine request details
+ *
+ * @return true if the anonymous token should be setup for
+ * this request (provided that the request doesn't already have
+ * some other Authentication inside it), or
+ * false if no anonymous token should be setup for
+ * this request
+ */
+ protected boolean applyAnonymousForThisRequest(ServletRequest request) {
+ return true;
+ }
+
 protected Authentication createAuthentication(ServletRequest request) {
 return new AnonymousAuthenticationToken(key, userAttribute.getPassword(),
 userAttribute.getAuthorities());
diff --git a/doc/xdocs/changes.xml b/doc/xdocs/changes.xml
index 434f6bdbf0..bb2a347825 100644
--- a/doc/xdocs/changes.xml
+++ b/doc/xdocs/changes.xml
@@ -26,6 +26,7 @@
+ AnonymousProcessingFilter offers protected method to control when it should execute
 Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml
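Review bot: The Javadoc on `applyAnonymousForThisRequest` recommends gating on IP subnet ranges, yet the only input is a `ServletRequest`, so the obvious implementation is `request.getRemoteAddr()`; that value is the address of the immediate peer, which behind a reverse proxy or load balancer is the proxy itself, and any client-supplied forwarding header is not trustworthy unless a proxy under your control set it. Add a sentence to the Javadoc: `Implementations that restrict by network address should note that the address visible to the servlet container is that of the immediate peer; behind a proxy this is the proxy, and forwarded-address headers should only be trusted when set by a proxy you control.` It is also worth stating that the default implementation returns true and so preserves the filter's previous behaviour, since the `@return` text currently reads as a contract rather than a description of the default. `createAuthentication` continues past the end of the hunk.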