SAMLAuthenticationToken cannot be "authenticated" - why?
  • #1

    something that I probably miss, and maybe someone can spill some light.

    I saw that the SAMLAuthenticationProvider creates a new authentication token of type ExpiringUsernameAuthenticationToken. In my implementation, I created another type instead, something that extends SAMLAuthenticationToken (maybe I should not do so?).
    After I get the SAML response, I try to get to a protected resource in my SP. But I see that Spring keeps blocking me, meaning I cannot get to that specific URL.
    So I checked a bit and saw that the SAMLAuthenticationToken object that is created is not "authenticated", meaning the "authenticated" flag is set to false. So I tried to set it to true by calling setAuthenticated(true). Then I figured out that the implementation there throws IllegalArgumentException. The docs say "This object can never be authenticated, call with true result in exception."

    Can anyone explain why this is the impl? Why can this token not be "authenticated"?

  • #2

    The SAMLAuthenticationToken is only meant for passing the context between the ProcessingFilter and the AuthenticationProvider. It contains an instance of SAMLMessageContext, which is not serializable and is meant to be destroyed after usage.

    It's perfectly fine to customize the Authentication by overriding methods of SAMLAuthenticationProvider, but you need to use a different implementation than SAMLAuthenticationToken.

    Vladimir Schafer
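Added example (not from the thread or the Spring SAML project) of the approach in the answer above: SAMLAuthenticationToken stays the short-lived input of the provider, and the provider returns its own token type, which may be marked authenticated. The class names MySamlAuthentication and MySamlAuthenticationProvider are hypothetical; the Spring classes and their methods are the ones the thread refers to.

```java
import java.util.Collection;
import java.util.Date;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;

/** Hypothetical token kept in the SecurityContext; it carries no SAMLMessageContext. */
class MySamlAuthentication extends AbstractAuthenticationToken {
    private final Object principal;
    private final SAMLCredential credential;
    private final Date expiration;

    MySamlAuthentication(Object principal, SAMLCredential credential, Date expiration,
                         Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credential = credential;
        this.expiration = expiration;
        setAuthenticated(true); // permitted here, unlike on SAMLAuthenticationToken
    }
    @Override public Object getPrincipal() { return principal; }
    @Override public Object getCredentials() { return credential; }
    // Stop trusting the token once the session validity taken from the assertion has passed
    @Override public boolean isAuthenticated() {
        return super.isAuthenticated() && (expiration == null || expiration.after(new Date()));
    }
}

/** Hypothetical provider: let the stock provider validate the SAML message, then re-wrap. */
class MySamlAuthenticationProvider extends SAMLAuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // super.authenticate consumes the SAMLAuthenticationToken and returns
        // an ExpiringUsernameAuthenticationToken holding the SAMLCredential
        ExpiringUsernameAuthenticationToken token =
                (ExpiringUsernameAuthenticationToken) super.authenticate(authentication);
        MySamlAuthentication custom = new MySamlAuthentication(
                token.getPrincipal(), (SAMLCredential) token.getCredentials(),
                token.getTokenExpiration(), token.getAuthorities());
        custom.setDetails(token.getDetails());
        return custom;
    }
}
```

Register MySamlAuthenticationProvider in place of the stock provider bean; the filter chain then stores the custom token, not the SAMLAuthenticationToken, after a successful SAML response.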