/**
 * Resolves the pre-authenticated principal for a request, trying the OIDC Id token from the
 * Authorization header first and the existing HTTP session second.
 *
 * <p>NOTE(review): the token subject is used as the portal username with no further check in
 * this method; presumably {@code idTokenFactory.getUserInfo} only returns a token whose
 * signature and expiry it has already verified -- confirm.
 *
 * @param request the incoming request
 * @return a {@link PortalPersonUserDetails} wrapping the resolved person, or {@code null} when
 *     {@code idTokenFactory.getUserInfo} returns {@code null} and the request has no session
 */
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
    // Authorization header path: an Id token takes precedence over any session.
    final Jws<Claims> idToken = idTokenFactory.getUserInfo(request);
    if (idToken != null) {
        final String subject = idToken.getBody().getSubject();
        logger.debug(
                "Processing authentication for username='{}' based on OIDC Id token in the {} header",
                subject,
                HttpHeaders.AUTHORIZATION);
        // NOTE(review): neither the subject (absent "sub" claim) nor the looked-up person is
        // null-checked before being wrapped; confirm personService.getPerson and
        // PortalPersonUserDetails reject or tolerate null, or guard it here.
        return new PortalPersonUserDetails(personService.getPerson(subject));
    }

    // Session path: getSession(false) only returns a session that already exists, so this
    // lookup never creates one as a side effect.
    final HttpSession existingSession = request.getSession(false);
    if (existingSession == null) {
        // Neither mechanism produced a principal
        return null;
    }

    // NOTE(review): any existing session reaches this point; whether the person returned by
    // personManager is an authenticated user is not visible in this method -- confirm that
    // downstream authentication does not treat every such principal as logged in.
    final IPerson sessionPerson = personManager.getPerson(request);
    logger.debug("getPreAuthenticatedPrincipal -- person=[{}]", sessionPerson);
    return new PortalPersonUserDetails(sessionPerson);
}