
Thread: Problem with custom AbstractPreAuthenticatedProcessingFilter

  1. #1
    Join Date
    Apr 2008
    Posts
    17


    Hi,

    I'm new to Spring Security 2.0.x. I've read through the documentation to get a first look at how Spring Security works. Now I'm experimenting with PreAuth mechanisms.

    I want to implement a custom AbstractPreAuthenticatedProcessingFilter, so I can extract some information from the HttpServletRequest about the user principals. Then I want to invoke a custom service to get all the GrantedAuthorities and user details for the principal.

    I ran into trouble setting up the configuration for this scenario. I get the following exception:

    Code:
    java.lang.IllegalArgumentException: Object of class [org.springframework.security.ui.WebAuthenticationDetails] must be an instance of interface org.springframework.security.GrantedAuthoritiesContainer
    Here is my configuration:

    Code:
    	<sec:http entry-point-ref="entryPoint">
    		<sec:intercept-url pattern="/**" access="ROLE_USER" />
    	</sec:http>
    	
    	<sec:authentication-manager alias="authenticationManager" />
    	
    	<bean id="b2bProcessingFilter" class="my.custom.security.B2bProcessingFilter">
    		<sec:custom-filter position="PRE_AUTH_FILTER" />
    		<property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    	
    	<bean id="b2bAuthenticationProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<sec:custom-authentication-provider />
    		<property name="preAuthenticatedUserDetailsService" ref="b2bUserDetailsService" />
    	</bean>
    	
    	<bean id="b2bUserDetailsService" class="my.custom.security.B2bUserDetailsService" />
    	
    	<bean id="entryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    	
    	
    	<sec:global-method-security secured-annotations="enabled" />
    The exception is thrown after b2bProcessingFilter#getPreAuthenticatedCredentials() has been invoked but before the UserDetailsService is called.

    Am I missing something? Is my configuration wrong? Any hints?

    Thanks in advance...


    Edit:

    After taking a look into the Spring sources I realized that by default AbstractPreAuthenticatedProcessingFilter is using a WebAuthenticationDetailsSource which returns WebAuthenticationDetails objects. WebAuthenticationDetails does not implement GrantedAuthoritiesContainer, but PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails does.

    Do I have to manually configure a WebAuthenticationDetailsSource which returns PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails objects? I'm a little bit confused because I thought that the AuthenticationProvider is responsible for retrieving the GrantedAuthorities.
    In my case the GrantedAuthorities are not part of the request. I have to invoke a service to get them in combination with the user details.
    Last edited by byto; Jan 6th, 2009 at 04:25 AM. Reason: further testing

  2. #2
    Join Date
    Apr 2008
    Posts
    17


    I finally found the problem. The exception is thrown in my PreAuthenticatedGrantedAuthoritiesUserDetailsService, when there's no GrantedAuthoritiesContainer available in the Authentication token.

    It seems that I can solve the problem by using AuthenticationUserDetailsService instead of a PreAuthenticatedGrantedAuthoritiesUserDetailsService.
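
An added example, not code from any poster in this thread: a sketch of the approach described in post #2, where the bean passed as `preAuthenticatedUserDetailsService` implements `AuthenticationUserDetailsService` directly and fetches the authorities itself. The nested `B2bDirectory` interface, its `findRoles` method and the `directory` property (which would need to be injected in the bean definition) are hypothetical stand-ins for the "custom service" mentioned in the first post.

```java
package my.custom.security; // package name taken from the bean definition in the first post

import java.util.List;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UsernameNotFoundException;

public class B2bUserDetailsService implements AuthenticationUserDetailsService {

    /** Hypothetical back-end lookup; stands in for the custom service. */
    public interface B2bDirectory {
        /** Returns role names for the principal, or null if the principal is unknown. */
        List<String> findRoles(String principal);
    }

    private B2bDirectory directory;

    public void setDirectory(B2bDirectory directory) {
        this.directory = directory;
    }

    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        // The principal is whatever the filter's getPreAuthenticatedPrincipal() returned.
        String principal = token.getName();
        List<String> roles = directory.findRoles(principal);

        // Fail closed: an unknown principal or an empty role list is rejected
        // rather than turned into an authenticated user with no authorities.
        if (roles == null || roles.isEmpty()) {
            throw new UsernameNotFoundException("No authorities found for pre-authenticated principal");
        }

        GrantedAuthority[] authorities = new GrantedAuthority[roles.size()];
        for (int i = 0; i < authorities.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(roles.get(i));
        }

        // User rejects a null password; no password is checked in a pre-auth
        // flow, so a fixed placeholder is passed instead.
        return new User(principal, "N/A", true, true, true, true, authorities);
    }
}
```

Because this class never reads `token.getDetails()`, the default `WebAuthenticationDetails` object no longer has to implement `GrantedAuthoritiesContainer`.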

  3. #3
    Join Date
    Feb 2008
    Location
    Vermont
    Posts
    32


    This is a strange one.

    There is the ability to set the credentials in your concrete extension of AbstractPreAuthenticatedProcessingFilter - but the credentials set there don't ever seem to be checked by the default PreAuthUserDetailsService.

    I modified it like this:
    Code:
    public final UserDetails loadUserDetails(Authentication token) throws AuthenticationException {
        Assert.notNull(token.getDetails());
        GrantedAuthority[] authorities;

        if (token instanceof PreAuthenticatedAuthenticationToken) {
            Assert.isInstanceOf(GrantedAuthoritiesContainer.class, ((PreAuthenticatedAuthenticationToken) token).getCredentials());
            authorities = ((GrantedAuthoritiesContainer) ((PreAuthenticatedAuthenticationToken) token).getCredentials()).getGrantedAuthorities();
        }
        else {
            Assert.isInstanceOf(GrantedAuthoritiesContainer.class, token.getDetails());
            authorities = ((GrantedAuthoritiesContainer) token.getDetails()).getGrantedAuthorities();
        }

        UserDetails ud = createuserDetails(token, authorities);
        return ud;
    }
    So I can set the credentials in my preauth filter the way I want to.

    It's also strange that the GrantedAuthoritiesContainer interface is only on a few specific things - but there are plenty more objects that could satisfy that interface that don't have it applied to them.
