
Thread: Manually requesting authentication

  1. #1
    Join Date
    Jun 2009
    Location
    Poland, Warsaw
    Posts
    33

    Hi,
    I'm using a typical Spring Security configuration. Everything works fine, but I'd like to manually request authentication by throwing AccessDeniedException in the handleRequest method (in any AbstractController instance).

    As you know, my friends, DispatcherServlet will handle this exception and cut it off, so this exception won't be handled by ExceptionTranslationFilter.

    Is there any good way to say 'please authenticate this user' from a web controller?

    Regards

    Tom

  2. #2
    Join Date
    Mar 2010
    Location
    Boston, MA
    Posts
    316

    Hmm... if your resource (URL or method) is protected by Spring Security... all this will be automatically done by Spring Security... why do you want to do this manually?

  3. #3
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Doesn't DispatcherServlet re-throw the exception (albeit nested in a ServletException)?

    In this case ExceptionTranslationFilter should still extract the cause exception, and act on it, where it is a Spring Security authentication or access-denied exception.

    Are you talking about a scenario where the user is already authenticated and you wish to re-authenticate them before allowing them to proceed further?
    Last edited by Luke Taylor; Jun 3rd, 2010 at 01:45 PM.
    Spring - by Pivotal
    twitter @tekul

  4. #4
    Join Date
    Jun 2009
    Location
    Poland, Warsaw
    Posts
    33

    Quote: Originally posted by maheshguruswamy
    Hmm... if your resource (URL or method) is protected by Spring Security... all this will be automatically done by Spring Security... why do you want to do this manually?

    So... because I have a region on the website which is anonymous, and a region which must be processed only by authenticated users, and I don't like to define any prefix for URLs (like /secured/**).

  5. #5
    Join Date
    Jun 2009
    Location
    Poland, Warsaw
    Posts
    33

    Quote: Originally posted by Luke Taylor
    Doesn't DispatcherServlet re-throw the exception (albeit nested in a ServletException)?

    In this case ExceptionTranslationFilter should still extract the cause exception, and act on it, where it is a Spring Security authentication or access-denied exception.

    Are you talking about a scenario where the user is already authenticated and you wish to re-authenticate them before allowing them to proceed further?

    As far as I know, DispatcherServlet re-throws when the exceptionResolver doesn't return any View. In my scenario I have a method like this:

    Code:
    	public static String getRequiredUsername(HttpServletRequest request) {
    		SecurityContext context = SecurityContextHolder.getContext();
    		if (context == null) {
    			throw new AccessDeniedException("authority context not found");
    		}
    
    		Authentication authentication = context.getAuthentication();
    		if (authentication == null) {
    			throw new AccessDeniedException("authority not found");
    		}
    
    		return authentication.getName();
    	}

  6. #6
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Please explain what actually happens. Do you get a stacktrace?

    Incidentally, you don't need to check for a null SecurityContext, as SecurityContextHolder.getContext() will never return null.

  7. #7
    Join Date
    Jun 2009
    Location
    Poland, Warsaw
    Posts
    33

    Yes, here you are:

    com.gigacube.security.web.LoggedUserInterceptor getUser 28
    com.beyondgrave.web.SecurityTest handleRequest 17
    org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter handle 48
    com.gigacube.link.mvc.LinkableHandlerAdapter handle 46
    org.springframework.web.servlet.DispatcherServlet doDispatch 771
    org.springframework.web.servlet.DispatcherServlet doService 716
    org.springframework.web.servlet.FrameworkServlet processRequest 647
    org.springframework.web.servlet.FrameworkServlet doGet 552
    javax.servlet.http.HttpServlet service 114
    javax.servlet.http.HttpServlet service 91
    com.caucho.server.dispatch.ServletFilterChain doFilter 103
    org.springframework.web.filter.CharacterEncodingFilter doFilterInternal 88
    org.springframework.web.filter.OncePerRequestFilter doFilter 76
    com.caucho.server.dispatch.FilterFilterChain doFilter 87
    org.springframework.orm.hibernate3.support.OpenSessionInViewFilter doFilterInternal 198
    org.springframework.web.filter.OncePerRequestFilter doFilter 76
    com.caucho.server.dispatch.FilterFilterChain doFilter 87
    org.springframework.web.multipart.support.MultipartFilter doFilterInternal 113
    org.springframework.web.filter.OncePerRequestFilter doFilter 76
    com.caucho.server.dispatch.FilterFilterChain doFilter 87
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 344
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor invoke 110
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor doFilter 84
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
    org.springframework.security.web.access.ExceptionTranslationFilter doFilter 98
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
    org.springframework.security.web.authentication.logout.LogoutFilter doFilter 106
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
    org.springframework.security.web.session.ConcurrentSessionFilter doFilter 108
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter doFilter 188
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
    org.springframework.security.web.context.SecurityContextPersistenceFilter doFilter 80
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain doFilter 356
    org.springframework.security.web.FilterChainProxy doFilter 150
    org.springframework.web.filter.DelegatingFilterProxy invokeDelegate 237
    org.springframework.web.filter.DelegatingFilterProxy doFilter 167
    com.caucho.server.dispatch.FilterFilterChain doFilter 87
    com.caucho.server.webapp.WebAppFilterChain doFilter 187
    com.caucho.server.dispatch.ServletInvocation service 265
    com.caucho.server.http.HttpRequest handleRequest 273
    com.caucho.server.port.TcpConnection run 682
    com.caucho.util.ThreadPool$Item runTasks 743
    com.caucho.util.ThreadPool$Item run 662
    java.lang.Thread run 619

  8. #8
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    The stacktrace doesn't include the exception. Please post the complete stacktrace, complete with the surrounding log entries.

  9. #9
    Join Date
    Jun 2009
    Location
    Poland, Warsaw
    Posts
    33

    Sorry, I have some trouble printing the stacktrace. But my issue is the same as the issue from this topic: http://forum.springsource.org/archiv...p/t-26874.html

    In short: AuthenticationException is handled by the exceptionResolver, so DispatcherServlet handles it and generates an error page.

    So... it's a little strange that today there is no clear solution to an issue like this.

  10. #10
    Join Date
    Jun 2009
    Location
    Poland, Warsaw
    Posts
    33

    Below you'll find my exception resolver (working)

    Code:
    /**
     * AuthenticationAwareExceptionResolver
     * 
     * Project: Gigacube
     * Copyright (c) 2009 - 2010, Introde, All rights reserved.
     * 
     * @author Tomek
     */
    package com.gigacube.security.web.servlet.handler;
    
    import java.util.Properties;
    
    import javax.servlet.http.HttpServletRequest;
    
    import org.springframework.util.Assert;
    import org.springframework.util.StringUtils;
    import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
    
    public class AuthenticationAwareExceptionResolver extends SimpleMappingExceptionResolver {
    
    	/* (non-Javadoc)
    	 * @see org.springframework.web.servlet.handler.SimpleMappingExceptionResolver#setExceptionMappings(java.util.Properties)
    	 * Fills exceptions mappings with AuthenticationCredentialsNotFoundException
    	 */
    	@Override
    	public void setExceptionMappings(Properties mappings) {
    		Assert.notNull(mappings);
    		mappings.put(
    				org.springframework.security.authentication.AuthenticationCredentialsNotFoundException.class
    						.getCanonicalName(), "");
    		super.setExceptionMappings(mappings);
    	}
    
    	
    	/* (non-Javadoc)
    	 * @see org.springframework.web.servlet.handler.SimpleMappingExceptionResolver#determineViewName(java.lang.Exception, javax.servlet.http.HttpServletRequest)
    	 * Because Properties values can't be null we must manually return null
    	 */
    	@Override
    	protected String determineViewName(Exception ex, HttpServletRequest request) {
    		String viewName = super.determineViewName(ex, request);
    		return StringUtils.hasText(viewName) ? viewName : null;
    	}
    }
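
An added example (not part of the thread, and not code from the poster or from Spring): a more general variant of the resolver in post #10 that leaves any Spring Security AuthenticationException or AccessDeniedException unresolved, including one nested as a cause, so that DispatcherServlet re-throws it and ExceptionTranslationFilter can act on it. The package and class name are hypothetical; the Spring 3 and javax.servlet APIs used in the thread are assumed.

```java
// Added example; package and class name are hypothetical.
package example.security.web;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;

public class SecurityPassThroughExceptionResolver extends SimpleMappingExceptionResolver {

    /**
     * Returning null marks the exception as unresolved by this resolver.
     * When no resolver produces a view, DispatcherServlet re-throws the
     * exception and it travels back up the filter chain.
     */
    @Override
    protected ModelAndView doResolveException(HttpServletRequest request,
            HttpServletResponse response, Object handler, Exception ex) {
        if (isSecurityException(ex)) {
            return null; // no error view: leave it to the security filters
        }
        // Everything else keeps the normal exception-to-view mapping.
        return super.doResolveException(request, response, handler, ex);
    }

    /**
     * True when the exception, or any exception in its cause chain, belongs
     * to one of the two Spring Security hierarchies. Subclasses such as
     * AuthenticationCredentialsNotFoundException match via instanceof.
     */
    static boolean isSecurityException(Throwable ex) {
        for (Throwable t = ex; t != null; t = t.getCause()) {
            if (t instanceof AuthenticationException
                    || t instanceof AccessDeniedException) {
                return true;
            }
        }
        return false;
    }
}
```

Any other HandlerExceptionResolver registered in the same DispatcherServlet context can still turn the exception into an error view, so each of them needs the same exclusion.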
