  • Problem with custom AbstractPreAuthenticatedProcessingFilter

    Hi,

    I'm new to Spring Security 2.0.x. I've read through the documentation to get a first look at how Spring Security works. Now I'm experimenting with PreAuth mechanisms.

    I want to implement a custom AbstractPreAuthenticatedProcessingFilter, so I can extract some information from the HttpServletRequest about the user principals. Then I want to invoke a custom service to get all the GrantedAuthorities and user details for the principal.

    I got in trouble setting up the configuration for this scenario. I get the following exception:

    Code:
    java.lang.IllegalArgumentException: Object of class [org.springframework.security.ui.WebAuthenticationDetails] must be an instance of interface org.springframework.security.GrantedAuthoritiesContainer

    Here is my configuration:

    Code:
    	<sec:http entry-point-ref="entryPoint">
    		<sec:intercept-url pattern="/**" access="ROLE_USER" />
    	</sec:http>
    	
    	<sec:authentication-manager alias="authenticationManager" />
    	
    	<bean id="b2bProcessingFilter" class="my.custom.security.B2bProcessingFilter">
    		<sec:custom-filter position="PRE_AUTH_FILTER" />
    		<property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    	
    	<bean id="b2bAuthenticationProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<sec:custom-authentication-provider />
    		<property name="preAuthenticatedUserDetailsService" ref="b2bUserDetailsService" />
    	</bean>
    	
    	<bean id="b2bUserDetailsService" class="my.custom.security.B2bUserDetailsService" />
    	
    	<bean id="entryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    	
    	
    	<sec:global-method-security secured-annotations="enabled" />

    The exception is thrown after b2bProcessingFilter#getPreAuthenticatedCredentials() has been invoked but before the UserDetailsService is called.

    Am I missing something? Is my configuration wrong? Any hints?

    Thanks in advance...


    Edit:

    After taking a look into the Spring sources I realized that by default AbstractPreAuthenticatedProcessingFilter is using a WebAuthenticationDetailsSource which returns WebAuthenticationDetails objects. WebAuthenticationDetails does not implement GrantedAuthoritiesContainer, but PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails does.

    Do I have to manually configure a WebAuthenticationDetailsSource which returns PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails objects? I'm a little bit confused because I thought that the AuthenticationProvider is responsible for retrieving the GrantedAuthorities.
    In my case the GrantedAuthorities are not part of the request. I have to invoke a service to get them in combination with the user details.
    Last edited by byto; Jan 6th, 2009, 05:25 AM. Reason: further testing

  • #2
    I finally found the problem. The exception is thrown in my PreAuthenticatedGrantedAuthoritiesUserDetailsService, when there's no GrantedAuthoritiesContainer available in the Authentication token.

    It seems that I can solve the problem by using AuthenticationUserDetailsService instead of a PreAuthenticatedGrantedAuthoritiesUserDetailsService.



    • #3
      This is a strange one.

      There is the ability to set the credentials in your concrete extension of AbstractPreAuthenticatedProcessingFilter - but the credentials set there don't ever seem to be checked by the default PreAuthUserDetailsService.

      I modified it like this:
      Code:
      public final UserDetails loadUserDetails(Authentication token) throws AuthenticationException {
          Assert.notNull(token.getDetails());
          GrantedAuthority[] authorities;

          if (token instanceof PreAuthenticatedAuthenticationToken) {
              // Pre-auth token: read the authorities from the credentials set by the filter.
              Object credentials = ((PreAuthenticatedAuthenticationToken) token).getCredentials();
              Assert.isInstanceOf(GrantedAuthoritiesContainer.class, credentials);
              authorities = ((GrantedAuthoritiesContainer) credentials).getGrantedAuthorities();
          }
          else {
              // Any other token: fall back to the default behaviour and read them from the details.
              Assert.isInstanceOf(GrantedAuthoritiesContainer.class, token.getDetails());
              authorities = ((GrantedAuthoritiesContainer) token.getDetails()).getGrantedAuthorities();
          }

          UserDetails ud = createuserDetails(token, authorities);
          return ud;
      }
      So I can set the credentials in my preauth filter the way I want to.

      It's also strange that the GrantedAuthoritiesContainer interface is only on a few specific things - but there are plenty more objects that could satisfy that interface that don't have it applied to them.
