  • Remember Me vs. Anonymous Authentication


    I think I'm looking for something that combines elements of both authentication approaches.

    I want to use the Remember Me form of authentication if the user has so elected, but I want their privileges to be weaker than if they have performed a form-based authentication.

    In reading about Anonymous authentication, I noticed that it routes forbidden responses to the form-based authentication. I was wondering if there was a way to somehow get this same behavior for the Remember Me authentication.

    It appears that the Remember Me authentication approach is meant to authenticate fully which is not quite what I'm looking for. My example scenario enables remember me authenticated users to access non-sensitive use cases, but forces form-based authentication to access sensitive uses (e.g. profile updates).

    Is there a way to do what I'm looking to do with the existing framework?


  • #2
    The current design should meet your needs.

    Remember-me and anonymous authentication both perform "full" authentication.

    Where it gets interesting is AuthenticationTrustResolver can identify these two special types of "less secure" authentication:

    public interface AuthenticationTrustResolver {
        // true for the token created by the anonymous processing filter
        public boolean isAnonymous(Authentication authentication);
        // true for a token created from a remember-me cookie
        public boolean isRememberMe(Authentication authentication);
    }

    As such your AccessDecisionVoter can have a reference to the AuthenticationTrustResolver implementation and can consider the level of authentication. The AccessDecisionManager can choose to throw AccessDeniedException (to reject access irrespective of the level of authentication) OR InsufficientAuthenticationException (noting that it requires a non-anonymous and/or non-remember-me authentication to be used). SecurityEnforcementFilter picks up an InsufficientAuthenticationException and launches AuthenticationEntryPoint. Thus, the principal is given a chance to authenticate interactively.

    Hope this clarifies how it works.
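
    As an added example (not code from this thread or from the framework itself), here is a custom AccessDecisionVoter along the lines the reply describes, written against the Acegi-era package names the thread uses. It abstains unless a FULL_AUTH_REQUIRED attribute (an assumed name, not a framework constant) is attached to the resource, and for remember-me or anonymous principals it raises InsufficientAuthenticationException from inside the decision, so the filter sends the user to the entry point instead of rejecting the request outright.

```java
import java.util.Iterator;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationTrustResolver;
import org.acegisecurity.AuthenticationTrustResolverImpl;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.InsufficientAuthenticationException;
import org.acegisecurity.vote.AccessDecisionVoter;

// Added example, not part of the thread or of Acegi. Attach FULL_AUTH_REQUIRED
// (an assumed attribute name) to sensitive resources such as profile updates.
public class FullAuthenticationVoter implements AccessDecisionVoter {

    public static final String FULL_AUTH_REQUIRED = "FULL_AUTH_REQUIRED";

    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    public void setAuthenticationTrustResolver(AuthenticationTrustResolver trustResolver) {
        this.trustResolver = trustResolver;
    }

    public boolean supports(ConfigAttribute attribute) {
        return attribute != null && FULL_AUTH_REQUIRED.equals(attribute.getAttribute());
    }

    public boolean supports(Class clazz) {
        return true; // applies to URL and method invocation security alike
    }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        boolean fullAuthRequired = false;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) {
                fullAuthRequired = true;
                break;
            }
        }
        if (!fullAuthRequired) {
            return ACCESS_ABSTAIN; // attribute absent: leave the decision to other voters
        }
        // Remember-me and anonymous tokens count as "full" authentications to the
        // framework, so isAuthenticated() cannot tell them apart; the resolver can.
        if (trustResolver.isAnonymous(authentication) || trustResolver.isRememberMe(authentication)) {
            // Not AccessDeniedException (a final rejection): this exception reaches
            // SecurityEnforcementFilter, which launches the AuthenticationEntryPoint.
            throw new InsufficientAuthenticationException(
                "Interactive (form-based) authentication is required for this resource");
        }
        return ACCESS_GRANTED;
    }
}
```

    Register the voter with the AccessDecisionManager alongside the usual RoleVoter; non-sensitive resources carry no FULL_AUTH_REQUIRED attribute, so remember-me users reach them unchanged.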


    • #3

      Thanks very much for your reply. I had not fully understood the AuthenticationTrustResolver before. It definitely has the hooks I need -- many thanks for a great design and implementation.