From bd2d4b013add637d3f52eb25dd744b473d0875a4 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Fri, 23 Feb 2007 19:21:44 +0000
Subject: [PATCH] Extracted a method to evaluate the conditions for whether basic authentication is required.
---
 .../ui/basicauth/BasicProcessingFilter.java | 34 +++++++++++++------
 1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java b/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
index 8de6c62061..5133718cf3 100644
--- a/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/basicauth/BasicProcessingFilter.java
@@ -95,7 +95,8 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
     public void destroy() {}
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-        throws IOException, ServletException {
+        throws IOException, ServletException {
+
         if (!(request instanceof HttpServletRequest)) {
             throw new ServletException("Can only process HttpServletRequest");
         }
@@ -126,15 +127,9 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
             password = token.substring(delim + 1);
         }
-        // Only reauthenticate if username doesn't match SecurityContextHolder and user isn't authenticated (see SEC-53)
-        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
-
-        // Limit username comparison to providers which user usernames (ie UsernamePasswordAuthenticationToken) (see SEC-348)
-        if ((existingAuth == null)
-            || (existingAuth instanceof UsernamePasswordAuthenticationToken && !existingAuth.getName().equals(username))
-            || !existingAuth.isAuthenticated()) {
-            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
-                password);
+        if (authenticationIsRequired(username)) {
+            UsernamePasswordAuthenticationToken authRequest =
+                new UsernamePasswordAuthenticationToken(username, password);
             authRequest.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
             Authentication authResult;
@@ -178,6 +173,25 @@ public class BasicProcessingFilter implements Filter, InitializingBean {
         chain.doFilter(request, response);
     }
+    private boolean authenticationIsRequired(String username) {
+        // Only reauthenticate if username doesn't match SecurityContextHolder and user isn't authenticated
+        // (see SEC-53)
+        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+
+        if(existingAuth == null || !existingAuth.isAuthenticated()) {
+            return true;
+        }
+
+        // Limit username comparison to providers which use usernames (ie UsernamePasswordAuthenticationToken)
+        // (see SEC-348)
+
+        if (existingAuth instanceof UsernamePasswordAuthenticationToken && !existingAuth.getName().equals(username)) {
+            return true;
+        }
+
+        return false;
+    }
+
     public AuthenticationEntryPoint getAuthenticationEntryPoint() {
         return authenticationEntryPoint;
     }
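Review bot: At the `if (authenticationIsRequired(username))` branch the reason a request may skip authentication is no longer visible at the call site: when the helper returns false the password from the Basic header is never compared against anything and the request proceeds on the strength of whatever is already in SecurityContextHolder. That is the pre-existing SEC-53 behaviour rather than something this commit introduces, but an extracted predicate hides it from the reader of doFilter, so a one-line comment here would help: `// an authenticated context for this username is trusted as-is; the header's password is not re-verified (SEC-53)`. doFilter starts before and ends after this hunk.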
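Review bot: In `authenticationIsRequired`, an authenticated token that is not a `UsernamePasswordAuthenticationToken` falls through to the final `return false` regardless of the `username` in the Basic header, so the supplied credentials are silently ignored for that request. If an anonymous token can already be present in SecurityContextHolder when this filter runs, which depends on filter ordering not visible here, a valid Basic header would never be processed; treating that token type like the unauthenticated case with an `instanceof` guard that returns true before the final `return false` would close the gap. The method also dereferences `existingAuth.getName()` with no null check, so a principal with no name would throw rather than trigger re-authentication; reversing the comparison, `!username.equals(existingAuth.getName())`, with a null guard on `username` if the parsing code allows it, is safer. The new private method has no Javadoc; a summary such as `/** Returns false only when the current context already holds an authenticated token whose username matches {@code username}, or an authenticated token without a username (SEC-53, SEC-348). */` would record the contract.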