44335

Spring security. Cannot permit request in custom fiter

Developer FAQ 4

Question:

I need to implement authorization with a specific header (say "sessionId") and secure all uri's except one.

I extended OncePerRequestFilter and implemented custom AuthenticationProvider to check if sessionId is valid (as well as custom Token class etc).

How it works now: for <strong>any</strong> uri it immediately jumps to AuthSessionAuthenticationProvider's authenticate method right after AuthSessionFilter is applied and returns 403 if header sessionId isn't specified. But I want some uri's to allow access without that header.

It all together:

config:

@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers(permittedUris).permitAll() .anyRequest().authenticated() .and().exceptionHandling().accessDeniedHandler(new AuthSessionAccessDeniedHandler()) .and().addFilterBefore(new AuthSessionFilter(), BasicAuthenticationFilter.class); }

Filter:

public class AuthSessionFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { Authentication auth = new AuthSessionToken(request.getHeader("sessionId")); SecurityContextHolder.getContext().setAuthentication(auth); filterChain.doFilter(request, response); } }

Provider:

public class AuthSessionAuthenticationProvider implements AuthenticationProvider { //... @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { AuthSessionToken token = (AuthSessionToken) authentication; if (token.getSessionId() == null) { throw new AccessDeniedException("Missing header sessionId"); } AuthSessionAuthorities user = authSessionService.getUserAuthoritiesToken(token.getSessionId()); if (user == null) { throw new AccessDeniedException("Session ID invalid: " + token.getSessionId()); } token.setAuthenticatedUser(user); return token; } //... }

Answer1:

I found more elegant solution that was developed exactly for that purpose. It's a RequestHeaderAuthenticationFilter. And then antMatchers works as expected. The initial configuration looks like this:

@Bean @SneakyThrows public RequestHeaderAuthenticationFilter preAuthenticationFilter() { RequestHeaderAuthenticationFilter preAuthenticationFilter = new RequestHeaderAuthenticationFilter(); preAuthenticationFilter.setPrincipalRequestHeader(SESSION_ID); preAuthenticationFilter.setCredentialsRequestHeader(SESSION_ID); preAuthenticationFilter.setExceptionIfHeaderMissing(false); preAuthenticationFilter.setContinueFilterChainOnUnsuccessfulAuthentication(true); preAuthenticationFilter.setAuthenticationManager(authenticationManager()); return preAuthenticationFilter; }

Similar

Exception Using PayPal-PHP-SDK [Http response code 400]

Exception Using PayPal-PHP-SDK [Http response code 400]

hooking another program's calls to winapi functions in vb.net

hooking another program's calls to winapi functions in vb.net

How to execute the command after sudo su

How to execute the command after sudo su

Firing touchesBegan on a MKMapView with VoiceOver enabled

Firing touchesBegan on a MKMapView with VoiceOver enabled

UIButton image doesn't change when tapped

UIButton image doesn't change when tapped

How to cache the list of entires based on its primary key using spring caching

How to cache the list of entires based on its primary key using spring caching

How do I make a grid of empty lists in numpy that 'accepts' appending?

How do I make a grid of empty lists in numpy that 'accepts' appending?

Two tables relation with sfDoctrineGuard user table (symfony)

Two tables relation with sfDoctrineGuard user table (symfony)

Sharing IdentityServer between multiple apps

Sharing IdentityServer between multiple apps

Parsing JSON Github API - Django 1.8

Parsing JSON Github API - Django 1.8

kafka-streams join produce duplicates

kafka-streams join produce duplicates

Math operations from a list [duplicate]

Math operations from a list [duplicate]

download and save zip file to iphone

download and save zip file to iphone

display: flex not working in CSS

display: flex not working in CSS

Using semaphore to control number of threads

Using semaphore to control number of threads

Merging two XML files with XSLT

Merging two XML files with XSLT

CListCtrl is not creating groups

CListCtrl is not creating groups

finding gappy sublists within a larger list

finding gappy sublists within a larger list

StormCrawler: Timeout waiting for connection from pool

StormCrawler: Timeout waiting for connection from pool

NSRunLoop cancelPerformSelectorsWithTarget's not working

NSRunLoop cancelPerformSelectorsWithTarget's not working

Draggable, on Google AppMaker

Draggable, on Google AppMaker

Developer FAQ 4

Goback Developer FAQ 4

Recommend

  • Spring boot and Security: accessing secured URL from android app.
  • Spring Security Blocking public rest service
  • Is it necessary to protect JAX-RS requests against CSRF?
  • Spring security loadByUsername's username field is empty
  • Spring security - encoded password gives me Bad Credentials
  • How to send dynamic data from one activity to another in android
  • How to configure the remote discovery with Spring Security SAML?
  • How to add Spring WebSecurityConfig to an existing project
  • Get Next Jsoup Element with Same Name Android
  • Redirecting to original page after successful login returns raw data instead of URL name
  • Convert Jsoup element to string
  • Spring Security Login issue
  • AudioKit: Noise gate
  • Accessing IP restricted URI from Azure function (powershell)
  • How to create the new target in Xcode for app extension using CMake?
  • Unable to autowire custom UserDetails
  • Is it mandatory to have a doGet or doPost method?
  • Authentication failed with Azure Active Directory in Windows Phone
  • Creating Java object from class name with constructor, which contains parameters [duplicate]
  • How to use RequestBodyAdvice
  • Why is an OPTIONS request sent to the server?
  • Pass value from viewmodel to script in zk
  • Why ng-show works with ng-repeat but ng-if doesn't? [duplicate]
  • Array.prototype.includes - not transformed with babel
  • Optimizing database types to compact database (SQLite)
  • How do I fake an specific browser client when using Java's Net library?
  • How to convert from System.Drawing.Color to Excel.ColorFormat in C#? Change comment color
  • javascript inside java/jsp code
  • Alternatives to the OPTIONAL fallback SPARQL pattern?
  • Do I've to free mysql result after storing it?
  • QuartzCore.framework for Mono Develop
  • Python - Map / Reduce - How do I read JSON specific field in using DISCO count words example
  • Warning: Can't call setState (or forceUpdate) on an unmounted component
  • bootstrap to use multiple ng-app
  • How to get icons for entities from eclipse?
  • Android Studio and gradle
  • Turn off referential integrity in Derby? is it possible?
  • IndexOutOfRangeException on multidimensional array despite using GetLength check
  • JaxB to read class hierarchy
  • How can i traverse a binary tree from right to left in java?