spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

AnonymousAuthenticationFilter bug #42007

Closed luohuanyu closed 3 weeks ago

luohuanyu commented 3 weeks ago

org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource

code bug

Authentication is rewritten by AnonymousAuthenticationFilter

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Supplier<SecurityContext> deferredContext = this.securityContextHolderStrategy.getDeferredContext();
        this.securityContextHolderStrategy
            .setDeferredContext(defaultWithAnonymous((HttpServletRequest) req, deferredContext));
        chain.doFilter(req, res);
    }

fixed

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Supplier<SecurityContext> deferredContext = SecurityContextHolder.getDeferredContext();
        this.securityContextHolderStrategy
            .setDeferredContext(defaultWithAnonymous((HttpServletRequest) req, deferredContext));
        chain.doFilter(req, res);
    }

luohuanyu commented 3 weeks ago

version 3.3.2

luohuanyu commented 3 weeks ago

The strategy is not the same.

snicoll commented 3 weeks ago

@lyyprean there's no need to post 3 comments. If you need to add more information, edit your original post.

This was changed 2 years ago, and the code is in Spring Security. I am not sure what you mean by "strategy not the same". Rather than pasting our own code, please explain the problem you're experiencing. Usually sharing a small sample that shows that upgrading to a more recent version breaks something is the best way to get support.

This will have to be reported against Spring Security: https://github.com/spring-projects/spring-security