Jacob Lu (Migrated from SEC-2977) said:
The following code passes userAttribute.getPassword() to the principal field of AnonymousAuthenticationToken constructor, which doesn't seem logical.
// The second constructor argument is the principal, but the value handed in is the UserAttribute's password.
AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key, userAttribute.getPassword(), userAttribute.getAuthorities());
Comment From: eleftherias
This was fixed as part of gh-2009 in 7344212.