diff --git a/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java
index 64fced35644..f5cbdddd08d 100644
--- a/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java
@@ -16,6 +16,8 @@
 package org.springframework.security.authorization;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import reactor.core.publisher.Mono;
@@ -30,13 +32,25 @@
 */
 public class AuthenticatedReactiveAuthorizationManager implements ReactiveAuthorizationManager {
+ private AuthenticationTrustResolver authTrustResolver = new AuthenticationTrustResolverImpl();
+
 @Override
 public Mono check(Mono authentication, T object) {
 return authentication
+ .filter(this::isNotAnonymous)
 .map(a -> new AuthorizationDecision(a.isAuthenticated()))
 .defaultIfEmpty(new AuthorizationDecision(false));
 }
+ /**
+ * Verify (via {@link AuthenticationTrustResolver}) that the given authentication is not anonymous.
+ * @param authentication to be checked
+ * @return true if not anonymous, otherwise false.
+ */
+ private boolean isNotAnonymous(Authentication authentication) {
+ return !authTrustResolver.isAnonymous(authentication);
+ }
+
 /**
 * Gets an instance of {@link AuthenticatedReactiveAuthorizationManager}
 * @param
diff --git a/core/src/test/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManagerTests.java
index 2d05e46ddd6..587beeee52f 100644
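Review bot: The new `authTrustResolver` field is mutable for no reason and nothing in the hunk lets a caller supply a different `AuthenticationTrustResolver`, so the component that decides what counts as anonymous is fixed to `AuthenticationTrustResolverImpl` while still being reassignable; declare it `private final AuthenticationTrustResolver authTrustResolver = new AuthenticationTrustResolverImpl();` (or add a setter if customisation is intended). The class Javadoc that closes at the top of the hunk should also record the new behaviour, since `check` now drops anonymous authentications before the `isAuthenticated()` mapping and they fall through to the `defaultIfEmpty` denial, e.g. `Anonymous authentications, as determined by an {@link AuthenticationTrustResolver}, are always denied.` The rest of the class, including the factory method whose Javadoc starts at the bottom of the hunk, lies outside this hunk.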
--- a/core/src/test/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManagerTests.java
@@ -20,11 +20,13 @@
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import reactor.core.publisher.Mono;
 import reactor.test.StepVerifier;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 /**
@@ -62,6 +64,14 @@ public void checkWhenEmptyThenReturnFalse() {
 assertThat(granted).isFalse();
 }
+ @Test
+ public void checkWhenAnonymousAuthenticatedThenReturnFalse() {
+ AnonymousAuthenticationToken anonymousAuthenticationToken = mock(AnonymousAuthenticationToken.class);
+
+ boolean granted = manager.check(Mono.just(anonymousAuthenticationToken), null).block().isGranted();
+
+ assertThat(granted).isFalse();
+ }
 @Test
 public void checkWhenErrorThenError() {