[Question] Usage of User.get2(Authentication a) in OicSecurityRealm #484

Open
eva-mueller-coremedia opened this issue Dec 20, 2024 · 0 comments

eva-mueller-coremedia commented Dec 20, 2024

OicSecurityRealm uses User.get2 in several places:

  • OicSecurityRealm#loginAndSetUserData
  • OicSecurityRealm#doLogout
  • OicSecurityRealm#handleTokenExpiration
  • OicSecurityRealm#refreshExpiredToken

Question

User.get2(Authentication a) will create a new user if the user does not exist. I wonder if the user creation should only happen in OicSecurityRealm#loginAndSetUserData?

Background

The implementation of User.get2(Authentication a)

public static @CheckForNull User get2(@CheckForNull Authentication a) {
    if (a == null || a instanceof AnonymousAuthenticationToken)
        return null;

    // Since we already know this is a name, we can just call getOrCreateById with the name directly.
    return getById(a.getName(), true);
}

will create a new user if a.getName() is null:

/**
 * Retrieve a user by its ID, and create a new one if requested.
 *
 * @return An existing or created user. May be {@code null} if a user does not exist and
 * {@code create} is false.
 */
private static @Nullable User getOrCreateById(@NonNull String id, @NonNull String fullName, boolean create) {
    User u = AllUsers.get(id);
    if (u == null && (create || UserIdMapper.getInstance().isMapped(id))) {
        u = new User(id, fullName);
        AllUsers.put(id, u);
        if (!id.equals(fullName) && !UserIdMapper.getInstance().isMapped(id)) {
            try {
                u.save();
            } catch (IOException x) {
                LOGGER.log(Level.WARNING, "Failed to save user configuration for " + id, x);
            }
        }
    }
    return u;
}
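
Added example, not part of the original issue and not Jenkins or plugin code: a simplified Java model of the get-or-create behaviour quoted above, contrasting a handler that resolves the user through `get2` with one that uses a lookup-only call (`getById(id, false)`, the same method `get2` calls with `true`). The in-memory registry, the `String` principal and the two `logout*` handlers are assumptions made for illustration; the anonymous-token check and the `UserIdMapper` branch are left out.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Simplified stand-in for the user registry discussed in the issue; not Jenkins code. */
public class UserLookupDemo {
    // Models AllUsers: id -> user record (here just the full name).
    static final Map<String, String> ALL_USERS = new ConcurrentHashMap<>();

    /** Mirrors getById(id, create): returns null only when create is false and the id is unknown. */
    static String getById(String id, boolean create) {
        String u = ALL_USERS.get(id);
        if (u == null && create) {
            u = id;
            ALL_USERS.put(id, u); // side effect: a new record now exists
        }
        return u;
    }

    /** Mirrors get2: always get-or-create for a non-null principal. */
    static String get2(String principal) {
        return principal == null ? null : getById(principal, true);
    }

    /** Hypothetical logout-style handler that only acts on users that already exist. */
    static boolean logoutLookupOnly(String principal) {
        if (principal == null) {
            return false;
        }
        // Unknown principal: nothing to clean up, and nothing is created.
        return getById(principal, false) != null;
    }

    /** Hypothetical logout-style handler that resolves the user through get2. */
    static boolean logoutViaGet2(String principal) {
        return get2(principal) != null;
    }

    public static void main(String[] args) {
        get2("alice"); // login path: creation is expected here
        logoutLookupOnly("stale-session-user"); // constructed sample id
        System.out.println("after lookup-only logout: " + ALL_USERS.keySet());
        logoutViaGet2("stale-session-user");
        System.out.println("after get2 logout:        " + ALL_USERS.keySet());
    }
}
```

The second handler leaves a record behind for a principal that never went through the login path, which is the side effect the question asks about.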