
SEC-1283: AuthenticationConfigBuilder.createAnonymousFilter uses httpElt instead of anonymousElt. Corrected element name.

Luke Taylor 16 年之前
父节点
当前提交
a2468c523a

+ 4 - 4
config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -125,7 +125,7 @@ final class AuthenticationConfigBuilder {
         Element rememberMeElt = DomUtils.getChildElementByTagName(httpElt, Elements.REMEMBER_ME);
 
         if (rememberMeElt != null) {
-        	String key = rememberMeElt.getAttribute(ATT_KEY);
+            String key = rememberMeElt.getAttribute(ATT_KEY);
 
             if (!StringUtils.hasText(key)) {
                 key = DEF_KEY;
@@ -370,9 +370,9 @@ final class AuthenticationConfigBuilder {
         Object source = pc.extractSource(httpElt);
 
         if (anonymousElt != null) {
-            grantedAuthority = httpElt.getAttribute("granted-authority");
-            username = httpElt.getAttribute("username");
-            key = httpElt.getAttribute("key");
+            grantedAuthority = anonymousElt.getAttribute("granted-authority");
+            username = anonymousElt.getAttribute("username");
+            key = anonymousElt.getAttribute("key");
             source = pc.extractSource(anonymousElt);
         }
 
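Review bot: The three `anonymousElt.getAttribute(...)` calls inside `if (anonymousElt != null)` return an empty string rather than null when `<anonymous>` omits an attribute (assuming `anonymousElt` is a DOM `Element` like `rememberMeElt` above), so the defaults for `key`, `username` and `granted-authority` must be applied by a has-text check, not a null check. That fallback lies outside the hunk and cannot be confirmed from here; the remember-me hunk above shows the pattern with `if (!StringUtils.hasText(key))`. If it is in place, a comment above the block such as `// attributes omitted on <anonymous> come back as "" and fall through to the defaults below` would make the dependency explicit. This matters most for `key`: before this change a configured value was never read from `<anonymous>`, so the configured key presumably never took effect. The method starts and ends outside the hunk.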

+ 13 - 0
config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -253,6 +253,18 @@ public class HttpSecurityBeanDefinitionParserTests {
         assertThat(getFilters("/anything").get(5), not(instanceOf(AnonymousAuthenticationFilter.class)));
     }
 
+    @Test
+    public void anonymousCustomAttributesAreSetCorrectly() throws Exception {
+        setContext(
+                "<http>" +
+                "   <form-login />" +
+                "   <anonymous enabled='true' username='joe' granted-authority='anonymity' key='customKey' />" +
+                "</http>" + AUTH_PROVIDER_XML);
+        AnonymousAuthenticationFilter filter = (AnonymousAuthenticationFilter) getFilters("/anything").get(5);
+        assertEquals("customKey", filter.getKey());
+        assertEquals("joe", filter.getUserAttribute().getPassword());
+        assertEquals("anonymity", filter.getUserAttribute().getAuthorities().get(0).getAuthority());
+    }
 
     @Test(expected=BeanCreationException.class)
     public void invalidLoginPageIsDetected() throws Exception {
@@ -859,6 +871,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         setContext(
                 "    <http>" +
                 "        <intercept-url pattern='/**' access='ROLE_A'/>" +
+                "        <anonymous enabled='false' />" +
                 "        <form-login login-page='/login.jsp' default-target-url='/messageList.html'/>" +
                 "    </http>" + AUTH_PROVIDER_XML);
         closeAppContext();
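Review bot: `anonymousCustomAttributesAreSetCorrectly` covers only the case where `username`, `granted-authority` and `key` are all set, so a regression in the handling of a partly configured `<anonymous>` element (for example `key` given but `username` omitted) would go unnoticed. A second test asserting the values used for the omitted attributes would close that gap. The username is checked through `filter.getUserAttribute().getPassword()`, which reads like a mistake; a comment such as `// UserAttribute carries the anonymous principal name in its password field` would tell the reader it is intended. The cast on `getFilters("/anything").get(5)` ties the test to the filter's position in the chain, so selecting the filter by type would give a clearer failure if the order changes.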