Fix bug where login with SAML does not work when multiauth is enabled…

… and SAML and anonymous are sign in options Signed-off-by: Craig Perkins <[email protected]>
cwperks · Jan 10, 2024 · 6986995 · 6986995
1 parent eec63d3
commit 6986995
Showing 1 changed file with 20 additions and 13 deletions.
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -387,19 +387,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
             }
 
-            if (authCredentials == null && anonymousAuthEnabled) {
-                final String tenant = Utils.coalesce(request.header("securitytenant"), request.header("security_tenant"));
-                User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet<String>(User.ANONYMOUS.getRoles()), null);
-                anonymousUser.setRequestedTenant(tenant);
-
-                threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
-                auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
-                if (isDebugEnabled) {
-                    log.debug("Anonymous User is authenticated");
-                }
-                return true;
-            }
-
             Optional<SecurityResponse> challengeResponse = Optional.empty();
 
             if (firstChallengingHttpAuthenticator != null) {
@@ -416,6 +403,26 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 }
             }
 
+            boolean firstChallengingAuthenticatorIsSaml = firstChallengingHttpAuthenticator != null
+                && "saml".equals(firstChallengingHttpAuthenticator.getType());
+            System.out.println("firstChallengingAuthenticatorIsSaml = " + firstChallengingAuthenticatorIsSaml);
+            System.out.println("request.path: " + request.path());
+            if (authCredentials == null
+                && anonymousAuthEnabled
+                && !(firstChallengingAuthenticatorIsSaml
+                    && (request.path().endsWith("tenantinfo") || request.path().endsWith("authtoken")))) {
+                final String tenant = Utils.coalesce(request.header("securitytenant"), request.header("security_tenant"));
+                User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet<String>(User.ANONYMOUS.getRoles()), null);
+                anonymousUser.setRequestedTenant(tenant);
+
+                threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
+                auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
+                if (isDebugEnabled) {
+                    log.debug("Anonymous User is authenticated");
+                }
+                return true;
+            }
+
             log.warn(
                 "Authentication finally failed for {} from {}",
                 authCredentials == null ? null : authCredentials.getUsername(),