don't load user info for anonymous authentications, closes #895

2015-10-01 19:12:50 -04:00 · 2015-10-01 19:12:50 -04:00 · e1af979995
parent 74f5a248c7
commit e1af979995
1 changed files with 27 additions and 21 deletions
--- a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
@ -28,6 +28,8 @@ import org.mitre.openid.connect.model.OIDCAuthenticationToken;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.UserInfoService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
@ -59,6 +61,8 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
 	@Autowired (required = false)
 	private UserInfoService userInfoService;
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 	@Override
 	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
@ -68,28 +72,30 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
 		if (auth instanceof Authentication){
 			request.setAttribute("userAuthorities", gson.toJson(auth.getAuthorities()));
 		}
-
+		
-		if (auth instanceof OIDCAuthenticationToken) {
+		if (!trustResolver.isAnonymous(auth)) { // skip lookup on anonymous logins
-			// if they're logging into this server from a remote OIDC server, pass through their user info
+			if (auth instanceof OIDCAuthenticationToken) {
-			OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) auth;
+				// if they're logging into this server from a remote OIDC server, pass through their user info
-			if (oidc.getUserInfo() != null) {
+				OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) auth;
-				request.setAttribute("userInfo", oidc.getUserInfo());
+				if (oidc.getUserInfo() != null) {
-				request.setAttribute("userInfoJson", oidc.getUserInfo().toJson());
+					request.setAttribute("userInfo", oidc.getUserInfo());
 					request.setAttribute("userInfoJson", oidc.getUserInfo().toJson());
 				} else {
 					request.setAttribute("userInfo", null);
 					request.setAttribute("userInfoJson", "null");
 				}
 			} else {
-				request.setAttribute("userInfo", null);
+				// don't bother checking if we don't have a principal or a userInfoService to work with
-				request.setAttribute("userInfoJson", "null");
+				if (auth != null && auth.getName() != null && userInfoService != null) {
-			}
+	
-		} else {
+					// try to look up a user based on the principal's name
-			// don't bother checking if we don't have a principal or a userInfoService to work with
+					UserInfo user = userInfoService.getByUsername(auth.getName());
-			if (auth != null && auth.getName() != null && userInfoService != null) {
+	
-
+					// if we have one, inject it so views can use it
-				// try to look up a user based on the principal's name
+					if (user != null) {
-				UserInfo user = userInfoService.getByUsername(auth.getName());
+						request.setAttribute("userInfo", user);
-
+						request.setAttribute("userInfoJson", user.toJson());
-				// if we have one, inject it so views can use it
+					}
 				if (user != null) {
 					request.setAttribute("userInfo", user);
 					request.setAttribute("userInfoJson", user.toJson());
 				}
 			}
 		}