ServletRequestMethodArgumentResolver happens early in the ArgumentResolver chain. One of its abilities is to resolve Principal; that's great and it works well.
But when a parameter of type Principal is annotated we don't want to get the Principal from the HttpServletRequest.getUserPrincipal().
This feature is even in conflict with the spring-security documentation and the @AuthenticationPrincipal annotation which is supposed to resolve the Principal from Authentication.getPrincipal().
Having the ServletRequestMethodArgumentResolver resolving annotated Principal makes the @AuthenticationPrincipal and AuthenticationPrincipalArgumentResolver useless and misleading.
Fix spring-projects/spring-security#4151
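The resolver-ordering conflict described in this pull request, as an added example that is not part of the original description or of the Spring code base: a simplified first-match-wins chain in plain Java. The `Resolver` interface, the local `@AuthenticationPrincipal` stand-in, the `skipAnnotated` flag and the two handler signatures are assumptions made for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Parameter;
import java.security.Principal;
import java.util.List;

public class ResolverOrderDemo {
    // Local stand-in for Spring Security's @AuthenticationPrincipal (assumption, not the real type).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @interface AuthenticationPrincipal {}

    // Simplified resolver contract (hypothetical): the first resolver that supports a parameter wins.
    interface Resolver {
        boolean supports(Parameter p);
        String source();
    }

    // Type-based resolver registered early in the chain; claims any Principal parameter.
    static Resolver servletResolver(boolean skipAnnotated) {
        return new Resolver() {
            public boolean supports(Parameter p) {
                if (!Principal.class.isAssignableFrom(p.getType())) return false;
                // When skipAnnotated is set, annotated Principal parameters are left to later resolvers.
                return !(skipAnnotated && p.getAnnotations().length > 0);
            }
            public String source() { return "HttpServletRequest.getUserPrincipal()"; }
        };
    }

    // Annotation-based resolver registered later in the chain.
    static final Resolver AUTH_PRINCIPAL = new Resolver() {
        public boolean supports(Parameter p) { return p.isAnnotationPresent(AuthenticationPrincipal.class); }
        public String source() { return "Authentication.getPrincipal()"; }
    };

    static String resolve(List<Resolver> chain, Parameter p) {
        for (Resolver r : chain) if (r.supports(p)) return r.source();
        return "unresolved";
    }

    // Constructed handler signatures used as sample input.
    static void plain(Principal principal) {}
    static void annotated(@AuthenticationPrincipal Principal principal) {}

    public static void main(String[] args) throws Exception {
        Parameter plain = ResolverOrderDemo.class.getDeclaredMethod("plain", Principal.class).getParameters()[0];
        Parameter annotated = ResolverOrderDemo.class.getDeclaredMethod("annotated", Principal.class).getParameters()[0];
        for (boolean skip : new boolean[] {false, true}) {
            List<Resolver> chain = List.of(servletResolver(skip), AUTH_PRINCIPAL);
            System.out.println("skipAnnotated=" + skip + " plain -> " + resolve(chain, plain));
            System.out.println("skipAnnotated=" + skip + " annotated -> " + resolve(chain, annotated));
        }
    }
}
```

Running it shows the annotated parameter reaching the annotation-based resolver only when the type-based resolver declines annotated parameters; the unannotated parameter is resolved from the request in both cases.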
Comment From: pivotal-issuemaster
@anthonyraymond Please sign the Contributor License Agreement!
Click here to manually synchronize the status of this Pull Request.
See the FAQ for frequently asked questions.
Comment From: pivotal-issuemaster
@anthonyraymond Thank you for signing the Contributor License Agreement!
Comment From: rstoyanchev
Thanks for the extra detail. This is scheduled for 5.3 now.
> Why is the spring-framework trying to inject a Principal?
It is one of many request properties that ServletRequestMethodArgumentResolver aims to expose.
Comment From: anthonyraymond
Thanks for the quick reply.
Since this will most likely get merged, I added a test to ensure it won't break in the future.