Describe the bug

Not sure this is an intended change or not in

https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569#diff-3cfe9d086802d3b1eec6c4e134357df2ac1514521559309c01f5f8e362e4bb12R96

but with 6.2.1, an authentication instance like new TestingAuthenticationToken(new UserDetails("foo"), null) would be returned from request.getUserPrincipal(), but now getAuthentication() no longer returns the testing authentication token, as getAuthentication() requires this.trustResolver.isAuthenticated(auth) to be true. So even if an Authentication object with a principal is available, request.getUserPrincipal() returns null, as authenticated is false for the TestingAuthenticationToken.

Comment From: marcusdacoregio

Hi, @Artur-. Thanks for the report.

This is intentional because the HttpServletRequest#getUserPrincipal javadoc says (emphasis by me):

Returns a java.security.Principal object containing the name of the current authenticated user. If the user has not been authenticated, the method returns null.

Does that make sense?

Comment From: Artur-

Thanks, makes sense. I was maybe confused as I found it unexpected also that a TestingToken without roles was not authenticated but when adding a dummy role it was. Anyhow, will fix our tests now based on this info.
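The behaviour discussed in this thread, as an added example that is not part of the original issue or the project's own code: it builds a TestingAuthenticationToken three ways and shows what the trust resolver check and getUserPrincipal() return for each. Assumptions: spring-security-web and spring-test are on the classpath, SecurityContextHolderAwareRequestWrapper is the class backing request.getUserPrincipal(), and the class name UserPrincipalCheck, the helper principalFor, the String principal "foo" and the authority "ROLE_DUMMY" are made up for illustration.

```java
import java.security.Principal;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;

// Hypothetical class name; constructed for this example.
public class UserPrincipalCheck {

    // Hypothetical helper: puts the token in the security context and asks the
    // request wrapper (assumed to back request.getUserPrincipal()) for the principal.
    static Principal principalFor(Authentication auth) {
        SecurityContextHolder.setContext(new SecurityContextImpl(auth));
        try {
            return new SecurityContextHolderAwareRequestWrapper(new MockHttpServletRequest(), "ROLE_")
                    .getUserPrincipal();
        } finally {
            // Do not leak the context into other tests on the same thread.
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

        // Two-argument constructor: a principal is present, but isAuthenticated() is false.
        Authentication bare = new TestingAuthenticationToken("foo", null);
        // Passing an authority uses the constructor that marks the token authenticated.
        Authentication withRole = new TestingAuthenticationToken("foo", null, "ROLE_DUMMY");
        // For tests that want no authorities: set the authenticated flag explicitly.
        Authentication flagged = new TestingAuthenticationToken("foo", null);
        flagged.setAuthenticated(true);

        for (Authentication auth : new Authentication[] { bare, withRole, flagged }) {
            System.out.printf("authorities=%s isAuthenticated=%b trustResolver=%b principalReturned=%b%n",
                    auth.getAuthorities(), auth.isAuthenticated(),
                    trustResolver.isAuthenticated(auth), principalFor(auth) != null);
        }
    }
}
```

On a version that contains the linked commit, the token built with the two-argument constructor is the one for which no principal is returned; the other two are marked authenticated and pass the check.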