
  • Problem with custom AbstractPreAuthenticatedProcessingFilter


    I'm new to Spring Security 2.0.x. I've read through the documentation to get a first look at how Spring Security works. Now I'm experimenting with PreAuth mechanisms.

    I want to implement a custom AbstractPreAuthenticatedProcessingFilter, so I can extract some information from the HttpServletRequest about the user principals. Then I want to invoke a custom service to get all the GrantedAuthorities and user details for the principal.

    I got in trouble setting up the configuration for this scenario. I get the following exception:

    java.lang.IllegalArgumentException: Object of class [] must be an instance of interface
    Here is my configuration:

    	<sec:http entry-point-ref="entryPoint">
    		<sec:intercept-url pattern="/**" access="ROLE_USER" />
    	</sec:http>
    	<sec:authentication-manager alias="authenticationManager" />
    	<!-- custom pre-authentication filter, registered at the PRE_AUTH_FILTER position -->
    	<bean id="b2bProcessingFilter" class="">
    		<sec:custom-filter position="PRE_AUTH_FILTER" />
    		<property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    	<!-- provider that delegates to the user details service below -->
    	<bean id="b2bAuthenticationProvider" class="">
    		<sec:custom-authentication-provider />
    		<property name="preAuthenticatedUserDetailsService" ref="b2bUserDetailsService" />
    	</bean>
    	<bean id="b2bUserDetailsService" class="" />
    	<bean id="entryPoint" class="" />
    	<sec:global-method-security secured-annotations="enabled" />
    The exception is thrown after b2bProcessingFilter#getPreAuthenticatedCredentials() has been invoked but before the UserDetailsService is called.

    Am I missing something? Is my configuration wrong? Any hints?

    Thanks in advance...


    After taking a look into the Spring sources I realized that by default AbstractPreAuthenticatedProcessingFilter is using a WebAuthenticationDetailsSource which returns WebAuthenticationDetails objects. WebAuthenticationDetails does not implement GrantedAuthoritiesContainer, but PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails does.

    Do I have to manually configure a WebAuthenticationDetailsSource which returns PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails objects? I'm a little bit confused because I thought that the AuthenticationProvider is responsible for retrieving the GrantedAuthorities.
    In my case the GrantedAuthorities are not part of the Request. I have to invoke a service to get them in combination with the user details.
    Last edited by byto; Jan 6th, 2009, 04:25 AM. Reason: further testing

  • #2
    I finally found the problem. The exception is thrown in my PreAuthenticatedGrantedAuthoritiesUserDetailsService, when there's no GrantedAuthoritiesContainer available in the Authentication token.

    It seems that I can solve the problem by using AuthenticationUserDetailsService instead of a PreAuthenticatedGrantedAuthoritiesUserDetailsService.
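
The approach from post #2, sketched as an added example (not code from the thread): an AuthenticationUserDetailsService that resolves authorities through a server-side lookup instead of expecting a GrantedAuthoritiesContainer on the token. It assumes the Spring Security 2.0.x package names; `RoleLookup`, `rolesFor` and the package `example` are hypothetical stand-ins for the poster's own service.

```java
package example; // hypothetical package name

import java.util.List;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UsernameNotFoundException;

// Wired as the preAuthenticatedUserDetailsService of the pre-auth provider.
public class B2bUserDetailsService implements AuthenticationUserDetailsService {

    /** Hypothetical back-end lookup; returns null or an empty list for unknown principals. */
    public interface RoleLookup {
        List<String> rolesFor(String principalName);
    }

    private final RoleLookup roleLookup;

    public B2bUserDetailsService(RoleLookup roleLookup) {
        this.roleLookup = roleLookup;
    }

    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        // The name is whatever the pre-auth filter extracted from the request as principal.
        String name = token.getName();
        List<String> roles = roleLookup.rolesFor(name);
        // Fail closed: a principal the back end does not know gets no UserDetails at all.
        if (roles == null || roles.isEmpty()) {
            throw new UsernameNotFoundException("No account for pre-authenticated principal");
        }
        GrantedAuthority[] authorities = new GrantedAuthority[roles.size()];
        for (int i = 0; i < roles.size(); i++) {
            authorities[i] = new GrantedAuthorityImpl(roles.get(i));
        }
        // No password is checked in the pre-auth flow; User only requires a non-null value.
        return new User(name, "N/A", true, true, true, true, authorities);
    }
}
```

Because the roles come from the lookup and not from the request or the token details, nothing the client sends can add an authority.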


    • #3
      This is a strange one.

      There is the ability to set the credentials in your concrete extension of AbstractPreAuthenticatedProcessingFilter - but the credentials set there don't ever seem to be checked by the default PreAuthUserDetailsService

      I modified it like this:
      public final UserDetails loadUserDetails(Authentication token) throws AuthenticationException {
          GrantedAuthority[] authorities;
          if (token instanceof PreAuthenticatedAuthenticationToken) {
              // Pre-auth token: take the authorities from the credentials set by the filter
              Assert.isInstanceOf(GrantedAuthoritiesContainer.class, ((PreAuthenticatedAuthenticationToken) token).getCredentials());
              authorities = ((GrantedAuthoritiesContainer) ((PreAuthenticatedAuthenticationToken) token).getCredentials()).getGrantedAuthorities();
          } else {
              // Any other token: fall back to the original behaviour and read the details object
              Assert.isInstanceOf(GrantedAuthoritiesContainer.class, token.getDetails());
              authorities = ((GrantedAuthoritiesContainer) token.getDetails()).getGrantedAuthorities();
          }
          UserDetails ud = createuserDetails(token, authorities);
          return ud;
      }
      So I can set the credentials in my preauth filter the way I want to.

      It's also strange that the GrantedAuthoritiesContainer interface is only on a few specific things - but there are plenty more objects that could satisfy that interface that don't have it applied to them.