Ability to configure authenticationDetailsSource in AnonymousConfigurer

kse-music · kse-music · commit 7149dfc9e8ea · 2025-10-21T14:31:04.000+08:00
Closes gh-17831 Signed-off-by: DingHao <dh.hiekn@gmail.com>
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurer.java
@@ -39,6 +39,7 @@
  * other than applying this {@link SecurityConfigurer}.
  *
  * @author Rob Winch
+ * @author DingHao
  * @since 3.2
  */
 public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>
@@ -158,7 +159,7 @@ public void configure(H http) {
 		}
 		this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		this.authenticationFilter.afterPropertiesSet();
-		http.addFilter(this.authenticationFilter);
+		http.addFilter(postProcess(this.authenticationFilter));
 	}
 
 	private String getKey() {
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java
@@ -16,13 +16,16 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -34,11 +37,14 @@
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.config.annotation.SecurityContextChangedListenerArgumentMatchers.setAuthentication;
@@ -101,6 +107,45 @@ public void shouldReturnMyCustomAnonymousConfig() throws Exception {
 		this.mockMvc.perform(get("/")).andExpect(status().isOk()).andExpect(content().string("myAnonymousUser"));
 	}
 
+	@Test
+	public void anonymousAuthenticationWhenUsingAuthenticationDetailsSourceRefThenMatchesNamespace() throws Exception {
+		this.spring.register(AuthenticationDetailsSourceAnonymousConfig.class).autowire();
+		AuthenticationDetailsSource<HttpServletRequest, ?> source = this.spring.getContext()
+			.getBean(AuthenticationDetailsSource.class);
+		this.mockMvc.perform(get("/"));
+		verify(source).buildDetails(any(HttpServletRequest.class));
+	}
+
+	@Configuration
+	@EnableWebSecurity
+	@EnableWebMvc
+	static class AuthenticationDetailsSourceAnonymousConfig {
+
+		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = mock(
+				AuthenticationDetailsSource.class);
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			return http.anonymous((anonymous) -> anonymous
+				.withObjectPostProcessor(new ObjectPostProcessor<AnonymousAuthenticationFilter>() {
+
+					@Override
+					public <O extends AnonymousAuthenticationFilter> O postProcess(O object) {
+						object.setAuthenticationDetailsSource(
+								AuthenticationDetailsSourceAnonymousConfig.this.authenticationDetailsSource);
+						return object;
+					}
+
+				})).build();
+		}
+
+		@Bean
+		AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource() {
+			return this.authenticationDetailsSource;
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	@EnableWebMvc

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@`
`39`	`39`	`* other than applying this {@link SecurityConfigurer}.`
`40`	`40`	`*`
`41`	`41`	`* @author Rob Winch`
	`42`	`+ * @author DingHao`
`42`	`43`	`* @since 3.2`
`43`	`44`	`*/`
`44`	`45`	`public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>>`
`@@ -158,7 +159,7 @@ public void configure(H http) {`
`158`	`159`	`}`
`159`	`160`	`this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());`
`160`	`161`	`this.authenticationFilter.afterPropertiesSet();`
`161`		`- http.addFilter(this.authenticationFilter);`
	`162`	`+ http.addFilter(postProcess(this.authenticationFilter));`
`162`	`163`	`}`
`163`	`164`
`164`	`165`	`private String getKey() {`