Add Anonymous Support to AuthenticatedReactiveAuthorizationManager

mibo · rwinch · commit 60e3bf409359 · 2018-12-12T15:48:17.000-06:00
Fixes: gh-6235
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.authorization;
 
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import reactor.core.publisher.Mono;
 
@@ -30,13 +32,25 @@
  */
 public class AuthenticatedReactiveAuthorizationManager<T> implements ReactiveAuthorizationManager<T> {
 
+	private AuthenticationTrustResolver authTrustResolver = new AuthenticationTrustResolverImpl();
+
 	@Override
 	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
 		return authentication
+			.filter(this::isNotAnonymous)
 			.map(a -> new AuthorizationDecision(a.isAuthenticated()))
 			.defaultIfEmpty(new AuthorizationDecision(false));
 	}
 
+	/**
+	 * Verify (via {@link AuthenticationTrustResolver}) that the given authentication is not anonymous.
+	 * @param authentication to be checked
+	 * @return <code>true</code> if not anonymous, otherwise <code>false</code>.
+	 */
+	private boolean isNotAnonymous(Authentication authentication) {
+		return !authTrustResolver.isAnonymous(authentication);
+	}
+
 	/**
 	 * Gets an instance of {@link AuthenticatedReactiveAuthorizationManager}
 	 * @param <T>
diff --git a/core/src/test/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManagerTests.java
@@ -20,11 +20,13 @@
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import reactor.core.publisher.Mono;
 import reactor.test.StepVerifier;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 /**
@@ -62,6 +64,14 @@ public void checkWhenEmptyThenReturnFalse() {
 		assertThat(granted).isFalse();
 	}
 
+	@Test
+	public void checkWhenAnonymousAuthenticatedThenReturnFalse() {
+		AnonymousAuthenticationToken anonymousAuthenticationToken = mock(AnonymousAuthenticationToken.class);
+
+		boolean granted = manager.check(Mono.just(anonymousAuthenticationToken), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
 
 	@Test
 	public void checkWhenErrorThenError() {
