Hi, if my observations are correct, it seems that Spring security anonymous authentication still seems to be enabled for the Syncope REST API.
See securityContext.xml:

    <security:http security-context-repository-ref="securityContextRepository" realm="Apache Syncope authentication">
      <security:http-basic/>
      <security:anonymous username="${anonymousUser}"/>
      <security:intercept-url pattern="/**"/>
    </security:http>

As far as I understand, since SYNCOPE-132 [1] this mechanism is not used anymore by Syncope, but instead a special 'anonymous' user was introduced. Shouldn't it better be

    <security:anonymous enabled="false"/>

?

Cheers,
Guido

[1] https://issues.apache.org/jira/browse/SYNCOPE-132