
Fix unauthenitcated() and AnonymousAuthenticationToken

Previously, if unauthenticated() encountered an AnonymousAuthenticationToken
it would not match.

This commit ensures that if the user is anonymous (not just null)
unauthenticated() works.

Fixes gh-3409
Rob Winch 9 gadi atpakaļ
vecāks
revīzija
b2b53f7a81

+ 10 - 3
test/src/main/java/org/springframework/security/test/web/servlet/response/SecurityMockMvcResultMatchers.java

@@ -18,6 +18,8 @@ package org.springframework.security.test.web.servlet.response;
 import java.util.ArrayList;
 import java.util.Collection;
 
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -229,13 +231,18 @@ public final class SecurityMockMvcResultMatchers {
 	 * @author Rob Winch
 	 * @since 4.0
 	 */
-	private static final class UnAuthenticatedMatcher extends
-			AuthenticationMatcher<UnAuthenticatedMatcher> {
+	private static final class UnAuthenticatedMatcher
+			extends AuthenticationMatcher<UnAuthenticatedMatcher> {
+		private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
+		@Override
 		public void match(MvcResult result) throws Exception {
 			SecurityContext context = load(result);
 
-			assertEquals("", null, context.getAuthentication());
+			Authentication authentication = context.getAuthentication();
+			assertTrue("Expected anonymous Authentication got " + context,
+					authentication == null
+							|| this.trustResolver.isAnonymous(authentication));
 		}
 
 		private UnAuthenticatedMatcher() {
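Review bot: The new `trustResolver` field in `UnAuthenticatedMatcher` is neither `final` nor documented, although nothing in the hunk reassigns it; `private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();` would state that intent. The matcher now passes for any token the default resolver treats as anonymous, so tests that used `unauthenticated()` to assert that no `Authentication` is present at all become slightly weaker. That deserves a line in the class Javadoc such as `Matches when the Authentication is null or anonymous according to AuthenticationTrustResolverImpl`. Applications that configure a custom anonymous token type are presumably still not matched, since the resolver is hard-wired here. The class body continues past the end of the hunk.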

+ 110 - 0
test/src/test/java/org/springframework/security/test/web/servlet/response/Gh3409Tests.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright 2012-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.test.web.servlet.response;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.securityContext;
+import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+
+/**
+ * @author Rob Winch
+ * @since 4.1
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration
+@WebAppConfiguration
+public class Gh3409Tests {
+
+	@Autowired
+	private WebApplicationContext context;
+
+	private MockMvc mockMvc;
+
+	@Before
+	public void setup() {
+		// @formatter:off
+		this.mockMvc = MockMvcBuilders
+			.webAppContextSetup(this.context)
+			.apply(springSecurity())
+			.build();
+		// @formatter:on
+	}
+
+	// gh-3409
+	@Test
+	public void unauthenticatedAnonymousUser() throws Exception {
+		// @formatter:off
+		this.mockMvc
+			.perform(get("/public/")
+			.with(securityContext(new SecurityContextImpl())));
+
+		this.mockMvc
+			.perform(get("/public/"))
+			.andExpect(unauthenticated());
+		// @formatter:on
+	}
+
+	@Test
+	public void unauthenticatedNullAuthenitcation() throws Exception {
+		// @formatter:off
+		this.mockMvc
+			.perform(get("/")
+			.with(securityContext(new SecurityContextImpl())));
+
+		this.mockMvc
+			.perform(get("/"))
+			.andExpect(unauthenticated());
+		// @formatter:on
+	}
+
+	@EnableWebSecurity
+	@EnableWebMvc
+	static class Config extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeRequests()
+					.antMatchers("/public/**").permitAll()
+					.anyRequest().authenticated()
+					.and()
+				.formLogin().and()
+				.httpBasic();
+			// @formatter:on
+
+		}
+	}
+}
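Review bot: Both new tests in `Gh3409Tests` cover only the passing case, so nothing guards against the relaxed matcher accepting a genuinely authenticated request; a negative test that expects `unauthenticated()` to fail for a logged-in user would pin that down. The sketch below assumes a static import of `user` from `SecurityMockMvcRequestPostProcessors`. In both existing tests the first `perform(...)` with `securityContext(new SecurityContextImpl())` has no assertion and its result is discarded, so a short comment on why that priming request is needed would help. `unauthenticatedNullAuthenitcation` also has a typo in its name and differs from the first test only in the path, so it is not obvious from the code that it exercises a null `Authentication` rather than an anonymous one.

```java
	// … unchanged: setup() and the two positive tests …

	@Test(expected = AssertionError.class)
	public void unauthenticatedRejectsAuthenticatedUser() throws Exception {
		this.mockMvc
			.perform(get("/").with(user("user")))
			.andExpect(unauthenticated());
	}
```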