don't load user info for anonymous authentications, closes #895

2015-10-01 19:12:50 -04:00 · 2015-10-01 19:12:50 -04:00 · e1af979995
parent 74f5a248c7
commit e1af979995
1 changed files with 27 additions and 21 deletions
--- a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
@ -28,6 +28,8 @@ import org.mitre.openid.connect.model.OIDCAuthenticationToken;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.UserInfoService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
@ -59,6 +61,8 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {

 	@Autowired (required = false)
 	private UserInfoService userInfoService;
+	
+	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

 	@Override
 	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
@ -68,28 +72,30 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
 		if (auth instanceof Authentication){
 			request.setAttribute("userAuthorities", gson.toJson(auth.getAuthorities()));
 		}
-
-		if (auth instanceof OIDCAuthenticationToken) {
-			// if they're logging into this server from a remote OIDC server, pass through their user info
-			OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) auth;
-			if (oidc.getUserInfo() != null) {
-				request.setAttribute("userInfo", oidc.getUserInfo());
-				request.setAttribute("userInfoJson", oidc.getUserInfo().toJson());
+		
+		if (!trustResolver.isAnonymous(auth)) { // skip lookup on anonymous logins
+			if (auth instanceof OIDCAuthenticationToken) {
+				// if they're logging into this server from a remote OIDC server, pass through their user info
+				OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) auth;
+				if (oidc.getUserInfo() != null) {
+					request.setAttribute("userInfo", oidc.getUserInfo());
+					request.setAttribute("userInfoJson", oidc.getUserInfo().toJson());
+				} else {
+					request.setAttribute("userInfo", null);
+					request.setAttribute("userInfoJson", "null");
+				}
 			} else {
-				request.setAttribute("userInfo", null);
-				request.setAttribute("userInfoJson", "null");
-			}
-		} else {
-			// don't bother checking if we don't have a principal or a userInfoService to work with
-			if (auth != null && auth.getName() != null && userInfoService != null) {
-
-				// try to look up a user based on the principal's name
-				UserInfo user = userInfoService.getByUsername(auth.getName());
-
-				// if we have one, inject it so views can use it
-				if (user != null) {
-					request.setAttribute("userInfo", user);
-					request.setAttribute("userInfoJson", user.toJson());
+				// don't bother checking if we don't have a principal or a userInfoService to work with
+				if (auth != null && auth.getName() != null && userInfoService != null) {
+	
+					// try to look up a user based on the principal's name
+					UserInfo user = userInfoService.getByUsername(auth.getName());
+	
+					// if we have one, inject it so views can use it
+					if (user != null) {
+						request.setAttribute("userInfo", user);
+						request.setAttribute("userInfoJson", user.toJson());
+					}
 				}
 			}
 		}