
Thread: Anonymous token after authentication

  1. #1 (Join Date: May 2011; Posts: 4)

    Anonymous token after authentication

    Hi,
    I had to create a new thread because previous threads related to similar issues have all been closed.
    My use case: I have a user registration page. I need to navigate to the user dashboard page after registration.
    After creating a new user in the database I authenticate the user using the following code.
    Code:
    LoggedInUser principal = (LoggedInUser) getUserDetailsObject(user.getEmail());

    // Three-argument constructor: the token is created with isAuthenticated() == true.
    @SuppressWarnings("deprecation")
    Authentication authentication = new UsernamePasswordAuthenticationToken(
            principal,
            principal.getPassword(),
            principal.getGrantedAuthorities().toArray(
                    new GrantedAuthority[principal.getGrantedAuthorities().size()]));

    // The value returned by authenticate() is not kept; the original request token
    // is what gets stored in the SecurityContext below.
    authenticationManager.authenticate(authentication);
    log.debug("Authenticated new user using authentication manager " + "Set securityContext");
    SecurityContextHolder.getContext().setAuthentication(authentication);
    However, when I re-direct to the dashboard page, I get an AccessDenied exception.
    Code:
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@4c47f959. A new one will be created.
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 3B279924288E9DA0114577F2AC4D88B8; Granted Authorities: ROLE_ANONYMOUS'
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /cms/user_dashboard at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    DEBUG: org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/cms/user_dashboard'; to: '/cms/user_dashboard'
    DEBUG: org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource - Candidate is: '/cms/user_dashboard'; pattern is /cms/**; matched=true
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /cms/user_dashboard; Attributes: [isAuthenticated()]
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 3B279924288E9DA0114577F2AC4D88B8; Granted Authorities: ROLE_ANONYMOUS
    DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@782febac, returned: -1
    DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
    	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    	at com.springsource.insight.collection.tcserver.request.HttpRequestOperationCollectionValve.traceNextValve(HttpRequestOperationCollectionValve.java:92)
    	at com.springsource.insight.collection.tcserver.request.HttpRequestOperationCollectionValve.invoke(HttpRequestOperationCollectionValve.java:74)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:409)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    	at java.lang.Thread.run(Thread.java:680)
    Could you please tell me what is wrong here? Why are we getting a token like "Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@905571d8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 3B279924288E9DA0114577F2AC4D88B8; Granted Authorities: ROLE_ANONYMOUS" despite doing authentication?

    I can confirm that the userDetailsObject that is used to create the AuthenticationToken has GrantedAuthority = IS_AUTHENTICATED_FULLY.

  2. #2 (Join Date: Nov 2004; Posts: 26)

    After the authentication the authenticationManager returns a fully authenticated object

    Hi!
    Please note that after an authentication an authenticationManager returns a fully authenticated object.
    Please modify your code:

    Code:
    Authentication authentication = new UsernamePasswordAuthenticationToken(
            principal,
            principal.getPassword(),
            principal.getGrantedAuthorities().toArray(
                    new GrantedAuthority[principal.getGrantedAuthorities().size()]));
    Authentication authenticationResult = authenticationManager.authenticate(authentication);
    log.debug("Authenticated new user using authentication manager " + "Set securityContext");
    SecurityContextHolder.getContext().setAuthentication(authenticationResult);
    Best regards,
    Michael

  3. #3 (Join Date: Jan 2008; Posts: 1,826)


    If you already know the user is authenticated (i.e. the user just created the account) there is no need to use the AuthenticationManager. Just ensure that you set an Authentication on the SecurityContext that returns true for isAuthenticated and contains the necessary roles for authorization. The other thing to ensure is that the SecurityContextPersistenceFilter is invoked on the URL where you set the SecurityContext (i.e. do NOT use filters="none"; instead use access="permitAll"). One trick to ensure the SecurityContextPersistenceFilter is being invoked on the URL is to add a debug point where the SecurityContext is set and ensure that you see the SecurityContextPersistenceFilter in the stacktrace.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
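    Pulling the two answers above together as a worked example (this code is added to the thread; it is not from Michael, Rob or the original poster): a helper that either goes through the AuthenticationManager and keeps the Authentication it returns (Michael's fix), or skips the manager and stores an already-authenticated token directly (Rob's suggestion), and in both cases refuses to publish a token whose isAuthenticated() is false. It assumes Spring Security 3.0/3.1 in a servlet container; the class name RegistrationLoginHelper, its method names and the /register URL in the config comment are invented for the example.

```java
// Added example, not code from the thread. Assumes Spring Security 3.0/3.1.
package com.example.registration;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Name invented for this example.
public class RegistrationLoginHelper {

    private final AuthenticationManager authenticationManager;

    public RegistrationLoginHelper(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * Rob's approach: the account was created by this very request, so there is
     * nothing left to verify. Build a token that is authenticated from the start
     * and publish it; the AuthenticationManager is not involved.
     */
    public Authentication loginWithoutManager(UserDetails user, HttpServletRequest request) {
        // The three-argument constructor sets authenticated = true; the two-argument
        // one leaves it false and FilterSecurityInterceptor would reject it.
        // Credentials are null on purpose: there is no reason to keep the password
        // (or its hash) inside the session-bound token.
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        // Same details the form-login filter records (remote address, session id).
        token.setDetails(new WebAuthenticationDetails(request));
        return publish(token, request);
    }

    /**
     * Michael's approach: run the credentials through the AuthenticationManager,
     * but store the object it RETURNS. The request token passed in is never
     * marked authenticated; the provider builds a new, fully populated one.
     */
    public Authentication loginWithManager(String username, String rawPassword, HttpServletRequest request) {
        UsernamePasswordAuthenticationToken requestToken =
                new UsernamePasswordAuthenticationToken(username, rawPassword);
        requestToken.setDetails(new WebAuthenticationDetails(request));
        // Throws AuthenticationException on bad credentials; let it propagate.
        Authentication result = authenticationManager.authenticate(requestToken);
        return publish(result, request);
    }

    private Authentication publish(Authentication auth, HttpServletRequest request) {
        if (!auth.isAuthenticated()) {
            // This is exactly the state the original poster stored: a request token
            // that the filter chain will later treat as not logged in.
            throw new IllegalStateException("refusing to store an unauthenticated token");
        }
        // Make sure a session exists so HttpSessionSecurityContextRepository has
        // somewhere to persist the context when the redirect commits the response.
        request.getSession(true);
        SecurityContextHolder.getContext().setAuthentication(auth);
        return auth;
    }

    // Neither method helps if the registration URL bypasses the filter chain, because
    // then SecurityContextPersistenceFilter never runs and the context is dropped at
    // the end of the request. Keep the URL in the chain and open it with an access
    // expression instead (URL /register is assumed; /cms/** matches the log above):
    //
    //   <http use-expressions="true">
    //     <intercept-url pattern="/register" access="permitAll"/>   <!-- not filters="none" -->
    //     <intercept-url pattern="/cms/**"   access="isAuthenticated()"/>
    //   </http>
}
```

    Rob's debugging tip applies unchanged: put a breakpoint on the setAuthentication call in publish() and confirm SecurityContextPersistenceFilter appears in the stack; if it does not, the registration URL is still outside the filter chain and the stored context will be gone by the time /cms/user_dashboard is requested.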

  4. #4 (Join Date: May 2011; Posts: 4)


    Thank you for your help Rob and Michael.

    That was the issue, I had given filter=none.

    Appreciate your replies once again.
