SpringBoot AnonymousAuthenticationFilter bug

org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource

code bug

Authentication rewrite by AnonymousAuthentication filter

 @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Supplier<SecurityContext> deferredContext = this.securityContextHolderStrategy.getDeferredContext();
        this.securityContextHolderStrategy
            .setDeferredContext(defaultWithAnonymous((HttpServletRequest) req, deferredContext));
        chain.doFilter(req, res);
    }

fixed

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Supplier<SecurityContext> deferredContext = SecurityContextHolder.getDeferredContext();
        this.securityContextHolderStrategy
                .setDeferredContext(defaultWithAnonymous((HttpServletRequest) req, deferredContext));
        chain.doFilter(req, res);
    }

Comment From: luohuanyu

version 3.3.2

Comment From: luohuanyu

strategy not same

Comment From: snicoll

@lyyprean there's no need to post 3 comments. If you need to add more information, edit your original post.

This was changed 2 years ago, and the code is in Spring Security. I am not sure what you mean by "strategy not the same". Rather than pasting our own code, please explain the problem you're experiencing. Usually sharing a small sample that shows that upgrading to a more recent version breaks something is the best way to get support.

This will have to be reported against Spring Security: https://github.com/spring-projects/spring-security