SecurityEnforcementFilter without Authentication Manager?

[Andreas Schildbach]

Hello everyone,

I'm trying to use a SecurityEnforcementFilter without an Authentication Manager. I'd like to just use the Authorization part. Is this possible?

My workflow:

My (legacy) application already has got a Login form (using Spring-Web's LoginFormController). On submit, I'm doing a custom authentication in my Business Service, though it implements AuthenticationProvider. I haven't got any AuthenticationManager.

After successful authentication, I put the AuthenticationToken into the ContextHolder, together with my domain user object. The HttpSessionIntegrationFilter copies the Token to the Session, in order to be available on the next request.

Theoretically it should be possible from this point on to authorize without authentication, because the authenticated token is already present. This would also be desired, as I don't need to re-authenticate on each request. If authentication should be missing (p.e. because of deep-linking), the correct HTTP error is to be returned to the user - I don't want to redirect to the login right now.

My problem is that you have to configure an AuthenticationManager and an AuthenticationEntryManager in the FilterSecurityInterceptor and its dependant components.

Best regards,

Andreas

[Ben Alex]

Sounds like you have a good grasp of what's going on. I'd encourage you to just write a very simple implementation of AuthenticationManager that tests whatever is on the ContextHolder. You might like to add a "key" to objects placed on the ContextHolder, and have your AuthenticationManager look for that "key", as we do with the AuthByAdapterProvider.