From c157d601a2c5875424fbe92d31b639fa0f776d88 Mon Sep 17 00:00:00 2001
From: Chris R
Date: Wed, 20 Jan 2016 16:29:20 -0800
Subject: [PATCH] Avoid merging with anonymous users.
---
 .../IISPlatformHandlerMiddleware.cs | 3 ++-
 test/TestSites/StartupNtlmAuthentication.cs | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs b/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
index f6140393cc..6c729fd762 100644
--- a/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
+++ b/src/Microsoft.AspNet.IISPlatformHandler/IISPlatformHandlerMiddleware.cs
@@ -105,7 +105,8 @@ namespace Microsoft.AspNet.IISPlatformHandler
 if (_options.AutomaticAuthentication)
 {
- var existingPrincipal = httpContext.User;
+ // Don't get it from httpContext.User, that always returns a non-null anonymous user by default.
+ var existingPrincipal = httpContext.Features.Get()?.User;
 if (existingPrincipal != null)
 {
 httpContext.User = SecurityHelper.MergeUserPrincipal(existingPrincipal, winPrincipal);
diff --git a/test/TestSites/StartupNtlmAuthentication.cs b/test/TestSites/StartupNtlmAuthentication.cs
index f007cd9c00..f950786272 100644
--- a/test/TestSites/StartupNtlmAuthentication.cs
+++ b/test/TestSites/StartupNtlmAuthentication.cs
@@ -2,10 +2,12 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
+using System.Security.Principal;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Http.Authentication;
 using Microsoft.Extensions.Logging;
+using Xunit;
 namespace TestSites
 {
@@ -47,6 +49,7 @@ namespace TestSites
 {
 if (context.User.Identity.IsAuthenticated)
 {
+ Assert.IsType(context.User);
 return context.Response.WriteAsync(context.User.Identity.AuthenticationType);
 }
 else
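Review bot: The `existingPrincipal != null` check in IISPlatformHandlerMiddleware.cs now depends entirely on the authentication feature's user being unset. If an earlier component has explicitly assigned an unauthenticated principal there, the merge branch still runs, and the request presumably ends up with a merged principal instead of `winPrincipal`, which is the outcome this commit is trying to avoid. Consider tightening the guard to `if (existingPrincipal != null && existingPrincipal.Identities.Any(i => i.IsAuthenticated))` (needs `System.Linq`), or extend the comment to say that only an explicitly set user is merged and why the principal's type matters downstream. The enclosing method and the else branch are outside the hunk, so the fallback assignment cannot be confirmed from here.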
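Review bot: The `Assert.IsType(...)` added to the authenticated branch in StartupNtlmAuthentication.cs throws inside the test site's request pipeline, so a regression would probably reach the client test as a failed request rather than as a readable assertion message. The type argument is not visible on this page, so the asserted type cannot be checked here. Only the path with no pre-existing user is exercised; a companion case where an earlier middleware has already set an authenticated user would pin the merge branch as well. The request delegate starts and ends outside the hunk.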