Nuxeo Drive keeps connected after token revocation if anonymous authentication is activated

To reproduce:

• Connect Drive to a Nuxeo instance with anonymous auth activated, see http://doc.nuxeo.com/x/qwQz
• Revoke token => Drive should switch to offline mode, grey icon, synchronization interrupted, credentials required. Yet it keeps on checking for changes, icon is green, credentials are not required.
• Apply any local change, for instance creating a file in one of the sync roots => getting this stack trace server-side:

  2015-01-12 15:45:06,590 ERROR [http-bio-0.0.0.0-8080-exec-1] [org.nuxeo.ecm.core.api.CoreSession] Permission 'Read' is not granted to 'Guest' on document /default-domain/workspaces/Test Sync (d57757d8-8469-4512-8420-81c21b501687 - Workspace)
  2015-01-12 15:45:06,595 ERROR [http-bio-0.0.0.0-8080-exec-1] [org.nuxeo.ecm.automation.server.jaxrs.batch.BatchManagerComponent] Error while executing automation batch 
  org.nuxeo.ecm.automation.TraceException: 
  
  ****** chain ******
  Name: NuxeoDrive.CreateFile
  Exception: OperationException
  Caught error: Failed to invoke operation NuxeoDrive.CreateFile
  Caused by: org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'Guest'
  ****** Hierarchy calls ******
  	org.nuxeo.drive.operations.NuxeoDriveCreateFile
  
  	at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:228)
  	at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:113)
  	at org.nuxeo.ecm.automation.server.jaxrs.batch.BatchManagerComponent.execute(BatchManagerComponent.java:182)
  	at org.nuxeo.ecm.automation.server.jaxrs.batch.BatchManagerComponent.execute(BatchManagerComponent.java:160)
  	at org.nuxeo.ecm.automation.server.jaxrs.batch.BatchResource.exec(BatchResource.java:206)
  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  	at java.lang.reflect.Method.invoke(Method.java:606)
  	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
  	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ObjectOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:258)
  	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
  	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
  	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
  	at com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
  	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
  	at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
  	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
  	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
  	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
  	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
  	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
  	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
  	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
  	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
  	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
  	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.containerService(WebEngineServlet.java:178)
  	at org.nuxeo.ecm.webengine.app.jersey.WebEngineServlet.service(WebEngineServlet.java:153)
  	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.webengine.jaxrs.session.SessionCleanupFilter.run(SessionCleanupFilter.java:45)
  	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:43)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.webengine.app.WebEngineFilter.doFilter(WebEngineFilter.java:92)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.webengine.jaxrs.context.RequestContextFilter.run(RequestContextFilter.java:42)
  	at org.nuxeo.ecm.webengine.jaxrs.HttpFilter.doFilter(HttpFilter.java:43)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.wss.servlet.BaseWSSFilter.doFilter(BaseWSSFilter.java:137)
  	at org.nuxeo.wss.servlet.FailSafeWSSFilter.doFilter(FailSafeWSSFilter.java:55)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.core.management.jtajca.internal.Log4jWebFilter.doFilter(Log4jWebFilter.java:67)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.platform.ui.web.rest.FancyURLFilter.doFilter(FancyURLFilter.java:129)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoThreadTrackerFilter.doFilter(NuxeoThreadTrackerFilter.java:28)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.webdav.service.WIRequestFilter.doFilter(WIRequestFilter.java:58)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter(NuxeoRequestControllerFilter.java:139)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilterInternal(NuxeoAuthenticationFilter.java:585)
  	at org.nuxeo.ecm.platform.ui.web.auth.service.NuxeoAuthFilterChain.doFilter(NuxeoAuthFilterChain.java:36)
  	at org.nuxeo.ecm.platform.ui.web.auth.oauth2.NuxeoOAuth2Filter.doFilter(NuxeoOAuth2Filter.java:68)
  	at org.nuxeo.ecm.platform.ui.web.auth.service.NuxeoAuthFilterChain.doFilter(NuxeoAuthFilterChain.java:34)
  	at org.nuxeo.ecm.platform.ui.web.auth.oauth.NuxeoOAuthFilter.doFilter(NuxeoOAuthFilter.java:119)
  	at org.nuxeo.ecm.platform.ui.web.auth.service.NuxeoAuthFilterChain.doFilter(NuxeoAuthFilterChain.java:34)
  	at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter(NuxeoAuthenticationFilter.java:398)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoCorsFilter.doFilter(NuxeoCorsFilter.java:52)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.platform.web.common.exceptionhandling.NuxeoExceptionFilter.doFilter(NuxeoExceptionFilter.java:78)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.nuxeo.ecm.platform.web.common.encoding.NuxeoEncodingFilter.doFilter(NuxeoEncodingFilter.java:73)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
  	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
  	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
  	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
  	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
  	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
  	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
  	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
  	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
  	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
  	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
  	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
  	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
  	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
  	at java.lang.Thread.run(Thread.java:745)
  Caused by: org.nuxeo.ecm.automation.OperationException: Failed to invoke operation NuxeoDrive.CreateFile
  	at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:151)
  	at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.doInvoke(CompiledChainImpl.java:127)
  	at org.nuxeo.ecm.automation.core.impl.CompiledChainImpl.invoke(CompiledChainImpl.java:113)
  	at org.nuxeo.ecm.automation.core.impl.OperationServiceImpl.run(OperationServiceImpl.java:204)
  	... 95 more
  Caused by: org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'Guest'
  	at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:203)
  	at org.nuxeo.ecm.core.api.AbstractSession.getDocument(AbstractSession.java:1020)
  	at sun.reflect.GeneratedMethodAccessor64.invoke(Unknown Source)
  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  	at java.lang.reflect.Method.invoke(Method.java:606)
  	at org.nuxeo.ecm.core.api.TransactionalCoreSessionWrapper.invoke(TransactionalCoreSessionWrapper.java:131)
  	at com.sun.proxy.$Proxy63.getDocument(Unknown Source)
  	at org.nuxeo.drive.service.impl.AbstractFileSystemItemFactory.getDocumentById(AbstractFileSystemItemFactory.java:248)
  	at org.nuxeo.drive.service.impl.AbstractFileSystemItemFactory.getDocumentByFileSystemId(AbstractFileSystemItemFactory.java:202)
  	at org.nuxeo.drive.service.impl.AbstractFileSystemItemFactory.getFileSystemItemById(AbstractFileSystemItemFactory.java:155)
  	at org.nuxeo.drive.service.impl.FileSystemItemManagerImpl.getFileSystemItemById(FileSystemItemManagerImpl.java:136)
  	at org.nuxeo.drive.service.impl.FileSystemItemManagerImpl.createFile(FileSystemItemManagerImpl.java:210)
  	at org.nuxeo.drive.operations.NuxeoDriveCreateFile.run(NuxeoDriveCreateFile.java:72)
  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  	at java.lang.reflect.Method.invoke(Method.java:606)
  	at org.nuxeo.ecm.automation.core.impl.InvokableMethod.doInvoke(InvokableMethod.java:137)
  	at org.nuxeo.ecm.automation.core.impl.InvokableMethod.invoke(InvokableMethod.java:143)
  	... 98 more
  

This is due to the inclusion of the ANONYMOUS_AUTH authentication plugin in the "Automation" specificAuthenticationChain, see https://github.com/nuxeo/nuxeo-platform-login/blob/master/nuxeo-platform-login-token/src/main/resources/OSGI-INF/token-authentication-contrib.xml:

    <specificAuthenticationChain name="Automation">
      <urlPatterns>
        <url>(.*)/automation.*</url>
      </urlPatterns>
      <replacementChain>
        <plugin>AUTOMATION_BASIC_AUTH</plugin>
        <plugin>TOKEN_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
      </replacementChain>
    </specificAuthenticationChain>

and the base contribution https://github.com/nuxeo/nuxeo/blob/master/nuxeo-features/nuxeo-automation/nuxeo-automation-server/src/main/resources/OSGI-INF/auth-contrib.xml:

    <specificAuthenticationChain name="Automation">
        <urlPatterns>
            <url>(.*)/automation.*</url>
        </urlPatterns>

        <replacementChain>
            <plugin>AUTOMATION_BASIC_AUTH</plugin>
            <plugin>ANONYMOUS_AUTH</plugin>
        </replacementChain>
    </specificAuthenticationChain>