Fix hostname equality check when principal is null

code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java

@@ -167,6 +167,7 @@ public class HostnameFilter implements Filter {
 			insertServerLoggingContext(httpRequest, authtype);
 
 			String hostname = parseHostname(httpRequest);
+
 			if (httpRequest.getUserPrincipal() == null) {
 				// Check if we are logging in with rest
 				if (RestApplicationEntrypoint.REST_PATH.equals(httpRequest.getServletPath())) {
@@ -281,18 +282,19 @@ public class HostnameFilter implements Filter {
 			scheme = url.substring(0, 5).toLowerCase();
 		}
 
-		String userDomain = UserLoginUtils.getDomainFromJaas(httpRequest.getUserPrincipal());
-		if (!hostname.equals(userDomain)) {
-
-			logbean.sendMessage(MoyaEventType.USER_PERMISSION_VIOLATION,
-				"Hostname mismatch privilege escalation! User '", httpRequest.getUserPrincipal(), "' tried to change hostname from '",
-				userDomain, "' to '", hostname, ",");
-			throw new RuntimeException("Hostname mismatch!");
-
+		Principal principal = httpRequest.getUserPrincipal();
+		if (principal != null) {
+			String userDomain = UserLoginUtils.getDomainFromJaas(principal);
+			// If there is no logged-in user, we can and should not check userDomain against hostname
+			if (principal != null && !hostname.equals(userDomain)) {
 
+				logbean.sendMessage(MoyaEventType.USER_PERMISSION_VIOLATION,
+					"Hostname mismatch privilege escalation! User '", httpRequest.getUserPrincipal(), "' tried to change hostname from '",
+					userDomain, "' to '", hostname, ",");
+				throw new RuntimeException("Hostname mismatch!");
+			}
 		}
 
-		BortalLocalContextHolder.setHostname(hostname);
 		BortalLocalContextHolder.setInDevelopmentMode(developmentMode);
 		return hostname;