0

I am using Spring Boot 1.5.6 (also have tried with 1.5.4). I am using a 

RequestHeaderAuthenticationFilter

and a 

PreAuthenticatedAuthenticationProvider

to secure my spring mvc web app and also permit access to both a controller path and static resources.

In my 

RequestHeaderAuthenticationFilter

set up I want 

setExceptionIfHeaderMissing(true);

so that I know if the header variable has been sent in the request.

When I try to access any of the permitted resources, Spring Security always looks for the header variable in the request and throws a 

PreAuthenticatedCredentialsNotFoundException

Why is spring security still trying to look up the preauthenticated principal even though I am trying to access a permitted (non-protected) resource? How can I circumvent this behaviour?

My java config for WebSecurityConfigurerAdapter is below

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{


private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);


@Autowired
protected UserDetailsService userDetailsService; 



@Bean
public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider(){

    log.info("Configuring pre authentication provider");

    UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = 
            new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
                    userDetailsService);

    PreAuthenticatedAuthenticationProvider it = new PreAuthenticatedAuthenticationProvider();
    it.setPreAuthenticatedUserDetailsService(wrapper);

    return it;      
} 

@Bean
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception{

    RequestHeaderAuthenticationFilter it = new RequestHeaderAuthenticationFilter();
    it.setAuthenticationManager(authenticationManager());
    it.setExceptionIfHeaderMissing(true);
    return it;
}

@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    log.info("configure authentication provider");
    auth.authenticationProvider(preAuthenticatedAuthenticationProvider());

}


@Override
protected void configure(HttpSecurity http) throws Exception {
    log.info("Configure HttpSecurity");
    http
        .authorizeRequests()
            .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**")
                .permitAll()
            .anyRequest()
                    .authenticated()
            .and().addFilter(requestHeaderAuthenticationFilter())

    ;
}    


 @Override
 public void configure(WebSecurity web) throws Exception {
     web
        .ignoring()
            .antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**"); 
}   
}
Sumit
  • 1,661
  • 1
  • 13
  • 18

1 Answers1

1

I had the same problem and it turned out it was related to the fact that in addition to being registered in the SecurityFilterChain, Spring Boot was also registering the RequestHeaderAuthenticationFilter with the Servlet Context. The solution is to use a FilterRegistrationBean to prevent Boot from auto registering the filter with the Servlet Context.

More details here: Spring Boot Security PreAuthenticated Scenario with Anonymous access

Sean Casey
  • 86
  • 1
  • 6