How can I pass request specific information to an AuthenticationProvider from a Filter without creating a custom Authentication ?
The AuthenticationProvider signature is as below:
interface AuthenticationProvider {
Authentication authenticate(Authentication authentication);
}
I'm thinking something similar to the static SecurityContextHolder.getContext().getAuthentication() but with request specific information.
Background
The reason I want it is because I want to implement a switching authentication provider that delegates in runtime to another AuthenticationProvider
public class SwitchingAuthenticationProvider implements AuthenticationProvider {
private AuthenticationProvider[] authProviders = // ...
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
return authProvider[GetCurrentContext.getIndex()].authenticate(authentication);
}
}
You can provide your own implementation of AuthenticationEntryPoint which have access to HttpServletRequest. In AuthenticationEntryPoint implementation put all attribute that you need in your switching AuthenticationProvider, in RequestContextHolder as given below
RequestContextHolder.currentRequestAttributes().setAttribute(attributeName, attibuteValue, scope);
At the end you can retrieve these attribute in your authentication provider as given below
RequestContextHolder.currentRequestAttributes().getAttribute(attributeName,scope);
Related
I am working on a spring boot app where I am adding a custom filter and adding method addFilterBefore.
This is my config configure method:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.cors().and().authorizeRequests()
.anyRequest().authenticated();
http.addFilterBefore(btoBSecurityFilter,UsernamePasswordAuthenticationFilter.class);
http.httpBasic();
}
Here's my Custom Filter:
#Component
public class BtoBSecurityFilter extends OncePerRequestFilter {
#Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
//I dont want to use this as I dont want to use UsernamePasswordAuthenticationFilter.
SecurityContextHolder.getContext().setAuthentication(getAuthentication(7312L,"tokenlelo"));
filterChain.doFilter(httpServletRequest,httpServletResponse);
logger.info("hey aaya");
}
// dont want to use this.
public Authentication getAuthentication(Long userId, String token) {
UserDetails userDetails = org.springframework.security.core.userdetails.User
.withUsername("")
.password("")
.build();
return new UsernamePasswordAuthenticationToken("", "", userDetails.getAuthorities());
}
}
Now the above code works but I dont want the UsernamePasswordAuthenticationFilter to happen in my case and I just want my customFilter to filter out requests for me.
How can I do this? I am not able to use addFilter method as it gives order errors.
I just want my custom filter to run and dont want SecurityContext to set or save anything.
Can someone help me with this?
Usage of UsernamePasswordAuthenticationToken doesn't guarantee that UsernamePasswordAuthenticationFilter will filter your request.
If you look at source code (using your IDEA or github), especially at AbstractAuthenticationProcessingFilter method boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response), and at UsernamePasswordAuthenticationFilter constructors, you'll see that UsernamePasswordAuthenticationFilter only filters requests which match the authentication request (default is POST-request to "/login").
As you set your custom filter before UsernamePasswordAuthenticationFilter, this filter will be invoked anyway after your custom filter, unless you skip filterChain.doFilter(httpServletRequest,httpServletResponse) method in your custom filter code.
But, as I said before, it doesn't mean UsernamePasswordAuthenticationFilter will filter your request.
So, it doesn't depend on using UsernamePasswordAuthenticationToken.
UsernamePasswordAuthenticationToken is just one of the implementations of the Authentication, which can be used in your case. When you use public constructor of this class with a collection of GrantedAuthority, your create a trusted (i.e. isAuthenticated() = true) authentication token. So security context will know that request is already authenticated.
By the way, constructor you use is intended to be called only by AuthenticationManager or AuthenticationProvider - that is stated in the javadoc.
For safe usage try static factory method:
return UsernamePasswordAuthenticationToken.authenticated(principal, credentials, userDetails.getAuthorities());
I'm trying to create a custom Spring Security Authentication Filter in order to implement a custom authentication scheme. I've spent a couple hours reading up on Spring Security, but all of the guides I've found explain how to configure basic setups; I'm trying to write a custom setup, and I'm having trouble finding documentation on how to do so.
For the sake of example, lets say that my custom authentication scheme is as follows:
If the client provides a "foo_username" header and a "foo_password" header in the http request (both unencrypted for the sake of example), then my custom filter needs to construct a UsernamePasswordAuthenticationToken. Of course if the password is wrong, that's an authentication error. If either header is missing that's an authentication error. If both headers are missing, I want to delegate down the filter chain without changing anything.
That seems simple enough in theory, but I don't know how to implement that in Spring. Am I intended to check the password against the DB myself? or is that the reponsibility of the UserDetailsPasswordService? Am I intended to modify the SecurityContextHolder.getContext().authentication field myself? What responsibilities do I delegate to the AuthenticationManager? Which exceptions do I throw when authentication fails in various ways? Do I implement Filter, OncePerRequestFilter, or AbstractAuthenticationFilter? Is there any documentation on how to do all this???
Admittedly, this is a duplciate of How to create your own security filter using Spring security?, but I'm not him, and he got no answers.
Thanks for the help!
Edit: This is the not best way to do things. It doesn't follow best practices. I haven't had time to udpate this answer with an example that does follow best practices.
As others have pointed out, it's better to use Basic auth or OAuth2, both of which are built into Spring. But if you really want to implement a custom filter, you can do something like this. (Please correct me if I'm doing this wrong.) But don't do this exactly. This is not a very secure example; it's a simple example.
class CustomAuthenticationFilter(val authManager: AuthenticationManager) : OncePerRequestFilter() {
override fun doFilterInternal(request: HttpServletRequest,
response: HttpServletResponse,
chain: FilterChain) {
val username = request.getHeader("foo_username")
val password = request.getHeader("foo_password")
if(username==null && password==null){
// not our responsibility. delegate down the chain. maybe a different filter will understand this request.
chain.doFilter(request, response)
return
}else if (username==null || password==null) {
// user is clearly trying to authenticate against the CustomAuthenticationFilter, but has done something wrong.
response.status = 401
return
}
// construct one of Spring's auth tokens
val authentication = UsernamePasswordAuthenticationToken(username, password, ArrayList())
// delegate checking the validity of that token to our authManager
val userPassAuth = this.authManager.authenticate(authRequest)
// store completed authentication in security context
SecurityContextHolder.getContext().authentication = userPassAuth
// continue down the chain.
chain.doFilter(request, response)
}
}
Once you've created your auth filter, don't forget to add it to your HttpSecurity config, like this:
override fun configure(http: HttpSecurity?) {
http!!.addFilterBefore(CustomAuthenticationFilter(authenticationManager()), UsernamePasswordAuthenticationFilter::class.java)
}
I think what you want to do is implement AuthenticationProvider. It allows your code to explicitly manage the authentication portion. It has a fairly simple method signature to implement as well.
public class YourAuthenticationProvider implements AuthenticationProvider {
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
String password = authentication.getCredentials().toString();
...
return new UsernamePasswordAuthenticationToken(principal, password, principal.getAuthorities())
}
#Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
You can register it by adding it to the AuthenticationManagerBuilder in a config that extends WebSecurityConfigurerAdapter
#Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) {
AuthenticationProvider provider= new YourAuthenticationProvider();
auth.authenticationProvider(provider);
}
}
I have a web service that I have built on top of Spring. I am currently authenticating using Spring Security as follows:
#Configuration
#EnableGlobalMethodSecurity(securedEnabled=true)
#EnableWebSecurity
public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private Properties properties;
private static final String ALL_URI = "/v1/**";
private static final String HEALTH_URI = "/v1/healthCheck";
#Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(getFilter(), BasicAuthenticationFilter.class);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.authorizeRequests()
.antMatchers(HEALTH_URI).permitAll()
.anyRequest().authenticated();
http.csrf().disable();
}
private AuthenticationFilter getFilter() {
return new AuthenticationFilter( properties.getKey());
}
}
My AuthenticationFilter class extends AbstractAuthenticationProcessingFilter and performs the actual authentication. If I want to add Authorization to my security, would I just make those checks in the attemptAuthentication method apart of the AuthenticationFilter? Or is there a better way to do it? The way I understand it is that Authorization and Authentication should be done independently. You first authenticate, and then you verify the permissions. So, I would assume there would be a better approach to do authorization within Spring Security rather than just adding it to the attemptAuthentication method.
You need a AuthenticationProvider to do authenticate, implement the AuthenticationProvider and override the authentication and supports methods, and then inject to the AuthenticationManager.
attemptAuthentication method in filter is usually to get authentication(e.g. UsernamePasswordFilter gets username and password from request, and then builds a UsernamePasswordAuthenticationToken to AuthenticationManager ),
supports method tests the AuthenticationProvider whether can be used to do authenticate.(e.g DaoAuthenticationProvider supports UsernamePasswordAuthenticationToken)
authenticate method is used to do authenticate(e.g DaoAuthenticationProvider gets the real password by username and then compare to the user input), this method should return an Authentication that is already authenticated(e.g UsernamePasswordAuthenticationToken), and this authentication should contains the user authorities(this can be used to hasRole('xxx')), or use detail and so on.
After attemptAuthentication successful, the Authentication will set into SecurityContextHolder. and then you can use the hasRole('xx'), or something else.
I would like to ask for your help regarding my problem in Spring Security.
I have a requirement wherein I have to validate a login credential based on the option selected by the user. Option 1 would be validating the logged in user via third party service. Option 2 would be the normal validation using database authentication level. How can I implement this?
General Strategy
Provide a custom implementation of org.springframework.security.authentication.AuthenticationProvider that delegates authentication to the appropriate backend (third-party service, another AuthenticationProvider, etc.).
Pass the user-selected option to the custom AuthenticationProvider, enabling it to choose the correct authentication backend.
Configure the custom AuthenticationProvider as the default authentication provider.
Step 1: Implement AuthenticationProvider
AuthenticationProvider is an interface with a single method. Therefore, a custom implementation may look like:
class DelegatingAuthenticationProvider implements AuthenticationProvider {
#Autowired
private ThirdPartyAuthenticationService service;
#Autowired
#Qualifier("anotherAuthenticationProvider")
private AuthenticationProvider provider;
#Override
public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
// Get the user selection.
String selection = (String) authentication.getDetails();
// Take action depending on the selection.
Authentication result;
if("ThirdParty".equals(selection)) {
// Authenticate using "service" and generate a new
// Authentication "result" appropriately.
}
else {
// Authenticate using "provider" and generate a new
// Authentication "result" appropriately.
}
return result;
}
}
Step 2: Pass the user selection to the AuthenticationProvider
The AuthenticationProvider implementation above picks up the user selection from the details property of the Authentication object. Presumably, the user selection would have to be picked up from the HttpServletRequest and added to the Authentication object before the AuthenticationProvider is invoked. This means, another component that has access to both the Authentication and HttpServletRequest objects needs to be invoked before the AuthenticationProvider is called.
The Authentication object is created by an implementation of AbstractAuthenticationProcessingFilter. This class has a method named attemptAuthentication that accepts an HttpServletRequest object and returns an Authentication object. So it seems this would be a good candidate for implementing what is needed. For username-password based authentication, the implementation class is UsernamePasswordAuthenticationFilter. This class returns a new instance of UsernamePasswordAuthenticationToken, which is an implementation of Authentication. So, a class extending UsernamePasswordAuthenticationFilter should be sufficient.
class ExtendedUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
#Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
...
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(username, password);
authentication.setDetails(obtainUserSelection(request));
...
return authentication;
}
}
obtainUserSelection is a private method that gets the user selection out of the request.
Step 3: Configuration
Configure the AuthenticationProvider and filter implementations in the Spring Security configuration. The exact steps will vary depending on whether XML or Java configuration is used.
I have own spring srcurity auth provider:
public class MyLdapAuthProvider implements AuthenticationProvider
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if(goodCredetials()){
return authenticateUserPassword((UsernamePasswordAuthenticationToken) authentication);
} else {
throw new BadCredentialsException("bad credentials");
}
}
I don't understand what should I return if in method I understood that credentials is bad
1 - throw AuthenticationException
2 - return null
I have tested this and I don't see difference
P.S.
spring securitu confguration:
<security:authentication-manager>
<security:authentication-provider ref="provider1"/>
<security:authentication-provider user-service-ref="provider2"/>
</security:authentication-manager>
P.S.
doc:
Authentication authenticate(Authentication authentication)
throws AuthenticationException
Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
Parameters:
authentication - the authentication request object.
Returns:
a fully authenticated object including credentials. May return null if the AuthenticationProvider is unable to support authentication
of the passed Authentication object. In such a case, the next
AuthenticationProvider that supports the presented Authentication
class will be tried.
Throws:
AuthenticationException - if authentication fails.
Read the doc . If you return null, you are telling spring that you can't support this Authentication method, and it should try the next provider (if any) in line.
My guess is that, if instead you throw, you break the chain of trying with different providers. It shouldn't make much difference as long as you have a single authProvider and not a collection of them.
Also, on failed auth, you should throw AuthenticationException, not BadCredentials?