
Using Spring Security pre-authentication, my web app redirects to /login_disabled.html upon hitting an InsufficientAuthenticationException.

sample of applicationContext-security-preauth.xml

        <beans:property name="exceptionMappings">
            <beans:props>
                <beans:prop key="org.springframework.security.InsufficientAuthenticationException">
                    /login_disabled.html
                </beans:prop>
            </beans:props>
        </beans:property>

Based on this post, it seems that I should be able to re-direct the user to log in again.

Would I just need to re-direct the user to the webpage responsible for authentication?

Kevin Meredith

1 Answer


It's not really clear to me what the problem is here. The redirection to the login page is done automatically, without any further configuration, if you have form-login set up. If the user tries to access a secured page without being authenticated, the ExceptionTranslationFilter invokes the AuthenticationEntryPoint to initiate authentication.

Using ExceptionMappingAuthenticationFailureHandler to map InsufficientAuthenticationException to a redirect-url won't work anyway because:

  1. It's not indicating an authentication failure. It indicates the condition that the user is only anonymously authenticated while trying to access a secured resource. (As opposed to an auth failure such as entering bad credentials, or the user having disabled status.)
  2. It never even gets thrown. (Only instantiated and passed as a parameter in the above linked code.)
zagyi
  • what if I'm using a smart card to authenticate where the user picks a certificate upon log-in? – Kevin Meredith May 07 '13 at 19:38
  • 1
    If you have a custom form-login implementation, then I think all you need is a properly configured `LoginUrlAuthenticationEntryPoint` bean referenced from ``. – zagyi May 07 '13 at 19:53
  • If I'm using custom pre-authentication, how does Spring Security know how to re-authenticate, i.e. re-direct the user to a log-in page? – Kevin Meredith May 07 '13 at 20:33
  • 1
    I already said that in my previous comment. It's totally irrelevant what kind of custom authentication filters you have. As long as there is a `LoginUrlAuthenticationEntryPoint` set up, Spring Security will redirect to the configured login url if the request is only anonymously authenticated while the target url is secured. – zagyi May 07 '13 at 20:48
  • In my logs I see that an incoming request to `/gwt_rpc` is the URL matched to ``. However, when this `gwt_rpc` HTTP request hits the server, Spring Security grants it `ROLE_ANONYMOUS`. An `AccessDeniedException` gets thrown. – Kevin Meredith May 08 '13 at 03:04
  • 1
    However? Where is the contradiction here? `` declares what is **required** to access urls matching the pattern, not what authorities it has to be **granted**. The RPC request contains no authentication information, so it will never be allowed to access a resource you configured to be only available for authenticated principals holding the `ROLE_USER` authority. – zagyi May 08 '13 at 09:04
  • Based on this log: `DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.AccessDeniedException: Access is denied` Does the request hit the `authentication entry point` and then fail? I did not get the opportunity to re-authenticate with my smart card when I saw the above error. – Kevin Meredith May 08 '13 at 17:09
  • 1
    That log message (emitted from the method I linked in my answer) does not in itself mean that the entry point is inaccessible, but in case the only intercept-url tag in your config is ``, then that would certainly make the login page inaccessible. You will need to insert `` **before** the other one. – zagyi May 08 '13 at 18:20
  • From a `preauthentication` point-of-view, what would you expect to happen after a user logs in via pre-auth, but then their session expires? How does re-authentication occur? – Kevin Meredith May 08 '13 at 20:18
  • 1
    Pre-auth means that some external auth mechanism provides *each* request with auth info in some form (typically an HTTP header). If no such information is associated with a request, Spring Security can do nothing. How could it possibly instruct an external system (e.g. Siteminder) to authenticate a request? So if the session expires, and your pre-auth filter doesn't find the info that the external system is supposed to provide, then the request won't be authenticated, unless you set up some other auth mechanism (e.g. form-login) along with its entry point (`LoginUrlAuthenticationEntryPoint`). – zagyi May 08 '13 at 21:09
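The configuration the answer and its comments describe, as an added example that is not part of the original question or answer: a pre-authentication filter that trusts an identity supplied by an external system on every request, with form-login as the fallback entry point for requests that carry no such identity, and the login page permitted before the catch-all `intercept-url` rule so the redirect target is itself reachable. It replaces the `exceptionMappings` approach from the question entirely; no mapping for `InsufficientAuthenticationException` is needed because `ExceptionTranslationFilter` calls the entry point directly. It assumes the Spring Security 3.1 XML namespace (the class names in the question follow the 2.x package layout), a hypothetical header name `X-Remote-User`, a hypothetical login page at `/login.html`, and an in-memory user `alice` that exists only for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- intercept-url rules are evaluated top to bottom, first match wins.
         The login page (and the page from the question) must be permitted
         BEFORE the catch-all, otherwise the entry point redirects anonymous
         users to a URL that is itself protected. -->
    <http use-expressions="true" entry-point-ref="loginEntryPoint">
        <intercept-url pattern="/login.html" access="permitAll" />
        <intercept-url pattern="/login_disabled.html" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <!-- Pre-auth filter: picks up the externally supplied identity on
             each request. Hypothetical header name, see bean below. -->
        <custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />

        <!-- Form login is the fallback: when the external identity is missing
             the request stays anonymous, hits the catch-all rule, and the
             entry point sends the user here to authenticate again. -->
        <form-login login-page="/login.html"
                    login-processing-url="/j_spring_security_check"
                    authentication-failure-url="/login.html?error=1" />
        <logout logout-url="/logout" logout-success-url="/login.html" />
    </http>

    <!-- Entry point invoked by ExceptionTranslationFilter when an anonymous
         request is denied access to a secured URL. -->
    <beans:bean id="loginEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/login.html" />
    </beans:bean>

    <!-- exceptionIfHeaderMissing=false is the important setting: a request
         without the header continues down the chain as anonymous instead of
         failing with PreAuthenticatedCredentialsNotFoundException, so the
         form-login fallback gets a chance. -->
    <beans:bean id="preAuthFilter"
        class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <beans:property name="principalRequestHeader" value="X-Remote-User" /> <!-- hypothetical -->
        <beans:property name="exceptionIfHeaderMissing" value="false" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <!-- Provider that turns the pre-authenticated principal into a
         UserDetails with authorities; it is what grants ROLE_USER. -->
    <beans:bean id="preAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="userService" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <!-- Both providers share one manager: the first handles pre-auth tokens,
         the second handles the username/password posted by the login form. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="preAuthProvider" />
        <authentication-provider user-service-ref="userService" />
    </authentication-manager>

    <!-- Constructed in-memory user for this example only. -->
    <user-service id="userService">
        <user name="alice" password="alice-password" authorities="ROLE_USER" />
    </user-service>
</beans:beans>
```

Two checks worth making when adapting this: with `/**` as the only `intercept-url` the login page is protected too and the browser loops between the entry point and the login page, and with `exceptionIfHeaderMissing` left at its default of `true` a request without the header never reaches the form-login fallback at all. Note also that once the form-login path is in place, anyone who can inject the `X-Remote-User` header is authenticated without a password, so the header must only be settable by the trusted front-end (for instance, stripped from client requests at the proxy).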