  • Manually requesting authentication

    Hi,
    I'm using a typical Spring Security configuration. Everything works fine, but I'd like to manually request authentication by throwing AccessDeniedException in the handleRequest method (in any AbstractController instance).

    As you know, my friends, DispatcherServlet will handle this exception and cut it off, so it won't be handled by ExceptionTranslationFilter.

    Is there any good way to say 'please authenticate this user' from a web controller?

    Regards

    Tom

  • #2
    Hmm... if your resource (URL or method) is protected by Spring Security... all this will be automatically done by Spring Security... why do you want to do this manually?



    • #3
      Doesn't DispatcherServlet re-throw the exception (albeit nested in a ServletException)?

      In this case ExceptionTranslationFilter should still extract the cause exception, and act on it, where it is a Spring Security authentication or access-denied exception.

      Are you talking about a scenario where the user is already authenticated and you wish to re-authenticate them before allowing them to proceed further?
      Last edited by Luke Taylor; Jun 3rd, 2010, 02:45 PM.



      • #4
        Originally posted by maheshguruswamy:
        Hmm... if your resource (URL or method) is protected by Spring Security... all this will be automatically done by Spring Security... why do you want to do this manually?
        So... because I have a region of the website which is anonymous, and a region which must be processed only by authenticated users, and I don't want to define any prefix for URLs (like /secured/**).



        • #5
          Originally posted by Luke Taylor:
          Doesn't DispatcherServlet re-throw the exception (albeit nested in a ServletException)?

          In this case ExceptionTranslationFilter should still extract the cause exception, and act on it, where it is a Spring Security authentication or access-denied exception.

          Are you talking about a scenario where the user is already authenticated and you wish to re-authenticate them before allowing them to proceed further?
          As far as I know, DispatcherServlet re-throws when the exceptionResolver doesn't return any View. In my scenario I have a method like this:

          Code:
          	public static String getRequiredUsername(HttpServletRequest request) {
          		SecurityContext context = SecurityContextHolder.getContext();
          		if (context == null) {
          			throw new AccessDeniedException("authority context not found");
          		}
          
          		Authentication authentication = context.getAuthentication();
          		if (authentication == null) {
          			throw new AccessDeniedException("authority not found");
          		}
          
          		return authentication.getName();
          	}



          • #6
            Please explain what actually happens. Do you get a stacktrace?

            Incidentally, you don't need to check for a null SecurityContext, as SecurityContextHolder.getContext() will never return null.



            • #7
              Yes. Here you are:

              com.gigacube.security.web.LoggedUserInterceptor getUser 28
              com.beyondgrave.web.SecurityTest handleRequest 17
              org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter handle 48
              com.gigacube.link.mvc.LinkableHandlerAdapter handle 46
              org.springframework.web.servlet.DispatcherServlet doDispatch 771
              org.springframework.web.servlet.DispatcherServlet doService 716
              org.springframework.web.servlet.FrameworkServlet processRequest 647
              org.springframework.web.servlet.FrameworkServlet doGet 552
              javax.servlet.http.HttpServlet service 114
              javax.servlet.http.HttpServlet service 91
              com.caucho.server.dispatch.ServletFilterChain doFilter 103
              org.springframework.web.filter.CharacterEncodingFilter doFilterInternal 88
              org.springframework.web.filter.OncePerRequestFilter doFilter 76
              com.caucho.server.dispatch.FilterFilterChain doFilter 87
              org.springframework.orm.hibernate3.support.OpenSessionInViewFilter doFilterInternal 198
              org.springframework.web.filter.OncePerRequestFilter doFilter 76
              com.caucho.server.dispatch.FilterFilterChain doFilter 87
              org.springframework.web.multipart.support.MultipartFilter doFilterInternal 113
              org.springframework.web.filter.OncePerRequestFilter doFilter 76
              com.caucho.server.dispatch.FilterFilterChain doFilter 87
              org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 344
              org.springframework.security.web.access.intercept.FilterSecurityInterceptor invoke 110
              org.springframework.security.web.access.intercept.FilterSecurityInterceptor doFilter 84
              org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
              org.springframework.security.web.access.ExceptionTranslationFilter doFilter 98
              org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
              org.springframework.security.web.authentication.logout.LogoutFilter doFilter 106
              org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
              org.springframework.security.web.session.ConcurrentSessionFilter doFilter 108
              org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
              org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter doFilter 188
              org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
              org.springframework.security.web.context.SecurityContextPersistenceFilter doFilter 80
              org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
              org.springframework.security.web.FilterChainProxy doFilter 150
              org.springframework.web.filter.DelegatingFilterProxy invokeDelegate 237
              org.springframework.web.filter.DelegatingFilterProxy doFilter 167
              com.caucho.server.dispatch.FilterFilterChain doFilter 87
              com.caucho.server.webapp.WebAppFilterChain doFilter 187
              com.caucho.server.dispatch.ServletInvocation service 265
              com.caucho.server.http.HttpRequest handleRequest 273
              com.caucho.server.port.TcpConnection run 682
              com.caucho.util.ThreadPool$Item runTasks 743
              com.caucho.util.ThreadPool$Item run 662
              java.lang.Thread run 619



              • #8
                The stacktrace doesn't include the exception. Please post the complete stacktrace, complete with the surrounding log entries.



                • #9
                  Sorry, I have some trouble printing the stacktrace. But my issue is the same as the issue from this topic: http://forum.springsource.org/archiv...p/t-26874.html

                  In short: AuthenticationException is handled by the exceptionResolver, so DispatcherServlet handles it and generates an error page.

                  So... it's a little strange that today there is no clear solution to an issue like this.



                  • #10
                    Below you'll find my exception resolver (working)

                    Code:
                    /**
                     * AuthenticationAwareExceptionResolver
                     * 
                     * Project: Gigacube
                     * Copyright (c) 2009 - 2010, Introde, All rights reserved.
                     * 
                     * @author Tomek
                     */
                    package com.gigacube.security.web.servlet.handler;
                    
                    import java.util.Properties;
                    
                    import javax.servlet.http.HttpServletRequest;
                    
                    import org.springframework.util.Assert;
                    import org.springframework.util.StringUtils;
                    import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
                    
                    public class AuthenticationAwareExceptionResolver extends SimpleMappingExceptionResolver {
                    
                    	/* (non-Javadoc)
                    	 * @see org.springframework.web.servlet.handler.SimpleMappingExceptionResolver#setExceptionMappings(java.util.Properties)
                    	 * Fills exceptions mappings with AuthenticationCredentialsNotFoundException
                    	 */
                    	@Override
                    	public void setExceptionMappings(Properties mappings) {
                    		Assert.notNull(mappings);
                    		mappings.put(
                    				org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.class
                    						.getCanonicalName(), "");
                    		super.setExceptionMappings(mappings);
                    	}
                    
                    	
                    	/* (non-Javadoc)
                    	 * @see org.springframework.web.servlet.handler.SimpleMappingExceptionResolver#determineViewName(java.lang.Exception, javax.servlet.http.HttpServletRequest)
                    	 * Because Properties values can't be null we must manually return null
                    	 */
                    	@Override
                    	protected String determineViewName(Exception ex, HttpServletRequest request) {
                    		String viewName = super.determineViewName(ex, request);
                    		return StringUtils.hasText(viewName) ? viewName : null;
                    	}
                    }

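An alternative to the mapping trick in post #10, as an added example that is not code from any participant in this thread: the resolver declines to resolve any Spring Security exception, including one nested in the cause chain, so DispatcherServlet re-throws it and ExceptionTranslationFilter can act on it. The class name `SecurityPassThroughExceptionResolver` and the package `example.security` are hypothetical; the imports assume the Spring Security 3 package layout visible in the stacktrace above.

```java
package example.security; // hypothetical package, not from the thread

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;

/**
 * Resolves ordinary exceptions to error views as usual, but never
 * resolves Spring Security exceptions, so they leave the servlet and
 * reach the security filter chain.
 */
public class SecurityPassThroughExceptionResolver extends SimpleMappingExceptionResolver {

	@Override
	protected ModelAndView doResolveException(HttpServletRequest request,
			HttpServletResponse response, Object handler, Exception ex) {
		if (isSecurityException(ex)) {
			// Returning null means "not resolved": if no other resolver
			// claims the exception, DispatcherServlet re-throws it.
			return null;
		}
		// Everything else keeps the configured exception-to-view mappings.
		return super.doResolveException(request, response, handler, ex);
	}

	/**
	 * True if the exception, or anything in its cause chain, is an
	 * AccessDeniedException or an AuthenticationException (which covers
	 * AuthenticationCredentialsNotFoundException and its siblings).
	 */
	static boolean isSecurityException(Throwable ex) {
		for (Throwable t = ex; t != null; t = t.getCause()) {
			if (t instanceof AccessDeniedException
					|| t instanceof AuthenticationException) {
				return true;
			}
		}
		return false;
	}
}
```

Registered in place of the plain SimpleMappingExceptionResolver bean, it leaves the existing exceptionMappings configuration unchanged.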


                    • #11
                      The sample applications use Spring MVC and DispatcherServlet and do not have a problem with throwing AccessDeniedException (from secured methods, for example). You'll need to clarify exactly what you're doing that's causing the issue before we can suggest a solution.
