
Spring Security. Cannot permit request in custom filter

Question:

I need to implement authorization with a specific header (say "sessionId") and secure all URIs except one.

I extended OncePerRequestFilter and implemented a custom AuthenticationProvider to check whether the sessionId is valid (as well as a custom Token class, etc.).

How it works now: for *any* URI it immediately jumps to AuthSessionAuthenticationProvider's authenticate method right after AuthSessionFilter is applied and returns 403 if the sessionId header isn't specified. But I want some URIs to allow access without that header.

All of it together:

config:

```java
// Security configuration as posted (Spring Security, WebSecurityConfigurerAdapter style).
// permittedUris is the poster's array of public URI patterns; its contents are not shown.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers(permittedUris).permitAll()
            .anyRequest().authenticated()
        .and().exceptionHandling().accessDeniedHandler(new AuthSessionAccessDeniedHandler())
        .and().addFilterBefore(new AuthSessionFilter(), BasicAuthenticationFilter.class);
}
```

Filter:

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class AuthSessionFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        // Wraps the raw header value (null when the header is absent) in an unauthenticated token
        // and puts it in the SecurityContext for every request, public URIs included.
        // FilterSecurityInterceptor later finds a not-yet-authenticated token and hands it to the
        // AuthenticationManager before it evaluates the permitAll/authenticated rules, which is
        // why the provider runs for every URI.
        Authentication auth = new AuthSessionToken(request.getHeader("sessionId"));
        SecurityContextHolder.getContext().setAuthentication(auth);
        filterChain.doFilter(request, response);
    }
}
```

Provider:

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class AuthSessionAuthenticationProvider implements AuthenticationProvider {

    // Assumed declaration: the post uses authSessionService but does not show the field or its type.
    private final AuthSessionService authSessionService;

    public AuthSessionAuthenticationProvider(AuthSessionService authSessionService) {
        this.authSessionService = authSessionService;
    }

    // ...

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        AuthSessionToken token = (AuthSessionToken) authentication;
        if (token.getSessionId() == null) {
            // AccessDeniedException is not an AuthenticationException; ExceptionTranslationFilter
            // routes it to the configured accessDeniedHandler, hence the 403 on every request.
            throw new AccessDeniedException("Missing header sessionId");
        }
        AuthSessionAuthorities user = authSessionService.getUserAuthoritiesToken(token.getSessionId());
        if (user == null) {
            throw new AccessDeniedException("Session ID invalid: " + token.getSessionId());
        }
        token.setAuthenticatedUser(user);
        return token;
    }

    // Required by the AuthenticationProvider interface; omitted in the post, the natural implementation is shown.
    @Override
    public boolean supports(Class<?> authentication) {
        return AuthSessionToken.class.isAssignableFrom(authentication);
    }

    // ...
}
```

Answer1:

I found a more elegant solution that was developed exactly for that purpose. It's RequestHeaderAuthenticationFilter. And then antMatchers works as expected. The initial configuration looks like this:

```java
import lombok.SneakyThrows;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

// SESSION_ID is the header name constant ("sessionId" in the question).
@Bean
@SneakyThrows
public RequestHeaderAuthenticationFilter preAuthenticationFilter() {
    RequestHeaderAuthenticationFilter preAuthenticationFilter = new RequestHeaderAuthenticationFilter();
    // The header value becomes both principal and credentials of the PreAuthenticatedAuthenticationToken.
    preAuthenticationFilter.setPrincipalRequestHeader(SESSION_ID);
    preAuthenticationFilter.setCredentialsRequestHeader(SESSION_ID);
    // Header absent: the filter does nothing and the request continues as anonymous, so permitAll matchers apply.
    preAuthenticationFilter.setExceptionIfHeaderMissing(false);
    // Header present but rejected by the AuthenticationManager: the SecurityContext is cleared and the
    // chain continues; the URL rules then decide instead of the filter failing the request outright.
    preAuthenticationFilter.setContinueFilterChainOnUnsuccessfulAuthentication(true);
    preAuthenticationFilter.setAuthenticationManager(authenticationManager());
    return preAuthenticationFilter;
}
```
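
The answer above shows only the filter bean. The following is an added, complete wiring (example code written for this page, not the answerer's or the question author's code) that plugs that filter into Spring Security's pre-authentication machinery: a PreAuthenticatedAuthenticationProvider backed by an AuthenticationUserDetailsService that validates the header value server-side, a stateless session policy so the header is checked on every request, and the permitAll/authenticated matchers from the question. The class name, the PERMITTED_URIS patterns, the SESSIONS map and the session ID "7f3a9c1e" are constructed for the example; a real deployment looks sessions up in its session store, as the question's authSessionService does.

```java
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SessionHeaderSecurityConfig extends WebSecurityConfigurerAdapter {

    static final String SESSION_ID = "sessionId";

    // Hypothetical public endpoints; the question's permittedUris array is not shown.
    private static final String[] PERMITTED_URIS = { "/api/login", "/api/health" };

    // Constructed stand-in for the session store (assumption: real code queries a DB or cache).
    // The header is client-controlled; this server-side lookup is the only thing that makes it trustworthy.
    private static final Map<String, UserDetails> SESSIONS = Map.of(
            "7f3a9c1e", User.withUsername("alice").password("N/A").authorities("ROLE_USER").build());

    // Resolves the header value (the token's principal) to a user; throwing here fails authentication.
    @Bean
    public AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> sessionUserDetailsService() {
        return token -> {
            UserDetails user = SESSIONS.get((String) token.getPrincipal());
            if (user == null) {
                // Do not echo the submitted header value into the message or the logs.
                throw new UsernameNotFoundException("unknown or expired session");
            }
            return user;
        };
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider preAuthenticatedProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(sessionUserDetailsService());
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(preAuthenticatedProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Built here rather than exposed as a @Bean so Spring Boot does not also register it
        // as a plain servlet filter outside the security chain.
        RequestHeaderAuthenticationFilter headerFilter = new RequestHeaderAuthenticationFilter();
        headerFilter.setPrincipalRequestHeader(SESSION_ID);
        headerFilter.setCredentialsRequestHeader(SESSION_ID);
        headerFilter.setExceptionIfHeaderMissing(false);                       // no header: stay anonymous
        headerFilter.setContinueFilterChainOnUnsuccessfulAuthentication(true); // bad header: clear context, continue
        headerFilter.setAuthenticationManager(authenticationManager());

        http
            // The client presents the session ID on every request, so never persist the SecurityContext
            // in an HTTP session: AbstractPreAuthenticatedProcessingFilter skips re-authentication when a
            // context already exists unless checkForPrincipalChanges is enabled.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable() // header-authenticated API with no cookie session to ride (assumption: no browser form clients)
            // An anonymous request to a protected URI gets 403, matching the behaviour the question describes.
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            .addFilterAt(headerFilter, AbstractPreAuthenticatedProcessingFilter.class)
            .authorizeRequests()
                .antMatchers(PERMITTED_URIS).permitAll()
                .anyRequest().authenticated();
    }
}
```

With this in place a request to /api/health without the header passes as anonymous, a request to any other URI without the header is answered with 403 by the entry point, and a request carrying a header that the lookup rejects has its SecurityContext cleared by the filter and is then treated exactly like the anonymous case. Because the pre-authentication provider performs no credential check of its own, everything hinges on loadUserDetails: keep the lookup strict (exact match against the server-side store, expiry enforced there) and never log or reflect the raw header value.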
