[Fix] Handle anonymous OIDC authentication token in SecurityUtils.

kbss-cvut · Sep 11, 2023 · 1452258 · 1452258
1 parent 386ab51
commit 1452258
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/main/java/cz/cvut/kbss/termit/service/security/SecurityUtils.java b/src/main/java/cz/cvut/kbss/termit/service/security/SecurityUtils.java
@@ -22,6 +22,7 @@
 import cz.cvut.kbss.termit.service.IdentifierResolver;
 import cz.cvut.kbss.termit.util.Configuration;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.DisabledException;
 import org.springframework.security.authentication.LockedException;
 import org.springframework.security.core.context.SecurityContext;
@@ -95,7 +96,7 @@ private UserAccount resolveAccountFromOAuthPrincipal(SecurityContext context) {
      */
     public static boolean authenticated() {
         final SecurityContext context = SecurityContextHolder.getContext();
-        return context.getAuthentication() != null && context.getAuthentication().getDetails() != null;
+        return context.getAuthentication() != null && !(context.getAuthentication() instanceof AnonymousAuthenticationToken);
     }
 
     /**

diff --git a/src/test/java/cz/cvut/kbss/termit/service/security/SecurityUtilsTest.java b/src/test/java/cz/cvut/kbss/termit/service/security/SecurityUtilsTest.java
@@ -41,6 +41,7 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 
 import java.util.Collections;
 import java.util.List;
@@ -131,6 +132,8 @@ void isAuthenticatedReturnsTrueForAuthenticatedUser() {
     void isAuthenticatedReturnsFalseForAnonymousRequest() {
         final AnonymousAuthenticationToken token = new AnonymousAuthenticationToken("anonymousUser", "anonymousUser",
                 Collections.singleton(new SimpleGrantedAuthority("ROLE_ANONYMOUS")));
+        token.setDetails(new WebAuthenticationDetails("0.0.0.0", null));
+        token.setAuthenticated(true);
         SecurityContextHolder.setContext(new SecurityContextImpl(token));
         assertFalse(sut.isAuthenticated());
     }