From 041dd3bb7af7b6485c0602f61f3ad1bc23176465 Mon Sep 17 00:00:00 2001
From: Michael Hirsch
Date: Tue, 2 Aug 2016 14:05:24 +0200
Subject: [PATCH] don't allow anonymous login on rest-api
Signed-off-by: Michael Hirsch
---
 .../security/SecurityManagedConfiguration.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
index e05bdb7f1..e6eb1d159 100644
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
@@ -73,6 +73,7 @@ import org.springframework.security.config.annotation.web.servlet.configuration.
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
@@ -328,6 +329,7 @@ public class SecurityManagedConfiguration {
 .hasAnyAuthority(SpPermission.SYSTEM_ADMIN);
 httpSec.httpBasic().and().exceptionHandling().authenticationEntryPoint(basicAuthEntryPoint);
+ httpSec.anonymous().disable();
 }
 }
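Review bot: Any `permitAll()` matcher on this HttpSecurity (none is visible in the hunk) will no longer admit callers without credentials once `httpSec.anonymous().disable()` is in place, because FilterSecurityInterceptor raises AuthenticationCredentialsNotFoundException when the security context holds no Authentication and ExceptionTranslationFilter then hands the request to the configured basic-auth entry point. That is presumably the intended outcome of "don't allow anonymous login on rest-api", but it deserves a comment beside the new line so nobody later adds an unauthenticated endpoint to this chain expecting it to work, e.g. `// No anonymous principal on the REST API: requests without credentials are rejected at the interceptor and never fall through as ROLE_ANONYMOUS.` Every filter or bean behind this chain that reads `SecurityContextHolder.getContext().getAuthentication()` must now tolerate a null result, as the tenant-metadata filter in the second hunk of this patch does. The enclosing configure method starts before this hunk, so I cannot confirm which request matchers it registers.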
@@ -573,7 +575,10 @@ class AuthenticationSuccessTenantMetadataCreationFilter implements Filter {
 throws IOException, ServletException {
 // lazy initialize tenant meta data after successful authentication
- systemSecurityContext.runAsSystem(() -> systemManagement.getTenantMetadata());
+ final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ if (authentication != null && authentication.isAuthenticated()) {
+ systemSecurityContext.runAsSystem(() -> systemManagement.getTenantMetadata());
+ }
 chain.doFilter(request, response);
 }
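Review bot: The new guard still lets an anonymous principal trigger `runAsSystem(...)`, because `isAuthenticated()` is true for Spring Security's AnonymousAuthenticationToken; this patch disables anonymous access only on the REST chain and the class still imports AnonymousAuthenticationFilter, so on any other chain this filter is registered in, tenant metadata would still be created on behalf of unauthenticated requests. Make the exclusion explicit: `if (authentication != null && authentication.isAuthenticated()` / `        && !(authentication instanceof AnonymousAuthenticationToken)) {` (adding `import org.springframework.security.authentication.AnonymousAuthenticationToken;`), or equivalently `!new AuthenticationTrustResolverImpl().isAnonymous(authentication)`. A why-comment on the guard would also help the next reader, e.g. `// Only a genuinely authenticated caller may lazily create tenant metadata; null and anonymous contexts skip it`. The doFilter signature and the filter's fields lie outside the hunk, so which chains register this filter cannot be confirmed from here.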