Avoid merging with anonymous users.

2016-01-20 16:29:20 -08:00 · 2016-01-20 16:29:20 -08:00 · c157d601a2
parent 488187ff79
commit c157d601a2
2 changed files with 5 additions and 1 deletions
--- a/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
+++ b/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
@ -105,7 +105,8 @@ namespace Microsoft.AspNet.IISPlatformHandler

                if (_options.AutomaticAuthentication)
                {
-                    var existingPrincipal = httpContext.User;
+                    // Don't get it from httpContext.User, that always returns a non-null anonymous user by default.
+                    var existingPrincipal = httpContext.Features.Get<IHttpAuthenticationFeature>()?.User;
                    if (existingPrincipal != null)
                    {
                        httpContext.User = SecurityHelper.MergeUserPrincipal(existingPrincipal, winPrincipal);
--- a/test/TestSites/StartupNtlmAuthentication.cs
+++ b/test/TestSites/StartupNtlmAuthentication.cs
@ -2,10 +2,12 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

 using System;
+using System.Security.Principal;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
 using Microsoft.Extensions.Logging;
+using Xunit;

 namespace TestSites
 {
@ -47,6 +49,7 @@ namespace TestSites
                {
                    if (context.User.Identity.IsAuthenticated)
                    {
+                        Assert.IsType<WindowsPrincipal>(context.User);
                        return context.Response.WriteAsync(context.User.Identity.AuthenticationType);
                    }
                    else