
I have a simple Spring Boot application with the following 2 endpoints:

  • int: requires Shibboleth SSO && Authorized Role
  • ext: no SSO, no authorization required

I've implemented a PreAuthenticationFilter to work with SSO. Below is the configuration that is not working:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            .authorizeRequests()
                .antMatchers("/ext/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .authorizeRequests()
                .and()
            .addFilter(preAuthenticationFilter());
    }
}

Shouldn't PreAuthenticationFilter bypass the /ext endpoint? However, the above configuration forces both endpoints to go to the PreAuthenticationFilter. I also tried

web.ignoring().antMatchers("/ext/**")

to no avail.

Here's the rest of my program:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/ext/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .authorizeRequests()
                .and()
            .addFilter(preAuthenticationFilter());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        //web.ignoring().antMatchers("/ext/**");
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Pre-authenticated provider: trusts the principal the filter extracted from the
        // request headers and loads its roles through the custom ShibbolethUserDetailsService.
        PreAuthenticatedAuthenticationProvider authenticationProvider = new PreAuthenticatedAuthenticationProvider();
        authenticationProvider.setPreAuthenticatedUserDetailsService(new ShibbolethUserDetailsService());
        auth.authenticationProvider(authenticationProvider);
    }

    @Bean
    RequestHeaderAuthenticationFilter preAuthenticationFilter() throws Exception {
        // ShibbolethRequestHeaderAuthenticationFilter is a custom subclass of
        // RequestHeaderAuthenticationFilter (not shown).
        ShibbolethRequestHeaderAuthenticationFilter filter = new ShibbolethRequestHeaderAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }
}
  • Yes. Both Spring Boot & Thymeleaf are used. – user3454156 Feb 01 '19 at 16:03
  • *Shouldn't PreAuthenticationFilter bypass the /ext endpoint?* No, you added the filter, hence it is used. – dur Feb 01 '19 at 18:02
  • Possible duplicate of [Filter invoke twice when register as Spring bean](https://stackoverflow.com/questions/39314176/filter-invoke-twice-when-register-as-spring-bean) – dur Feb 01 '19 at 18:04
  • You have to use the answer from the other question and also `web.ignoring().antMatchers("/ext/**")`. – dur Feb 01 '19 at 18:05
  • @M-M: OP already wrote in his question that `web.ignoring().antMatchers("/ext/**")` should work, so the question is IMO a duplicate. If OP had known the other question's answer, he would also have tried `web.ignoring().antMatchers("/ext/**")` and it would work. – dur Feb 01 '19 at 23:08
  • You are right. Instead of making my custom PreAuthenticationFilter a Spring Bean, I ended up wiring it myself, and that fixed my problem. Thanks! – user3454156 Feb 09 '19 at 21:26

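The fix the comments converge on, written out as an added example (not code from the question): the pre-authentication filter is no longer exposed as a @Bean, so Spring Boot does not also register it with the servlet container, and /ext is excluded with web.ignoring(). It reuses the OP's ShibbolethRequestHeaderAuthenticationFilter and ShibbolethUserDetailsService classes, which are not shown on the page, and assumes a role name INTERNAL for /int.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Deliberately NOT a @Bean. Spring Boot registers every Filter bean with the servlet
    // container, where it runs for every request independently of Spring Security's own
    // chain (and again inside it). web.ignoring() only affects the Spring Security chain,
    // so a bean-registered filter still sees /ext. A plain factory method avoids that.
    private RequestHeaderAuthenticationFilter preAuthenticationFilter() throws Exception {
        // OP's subclass of RequestHeaderAuthenticationFilter (not shown on the page).
        ShibbolethRequestHeaderAuthenticationFilter filter = new ShibbolethRequestHeaderAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    @Override
    public void configure(WebSecurity web) {
        // /ext bypasses the whole Spring Security chain: no SSO, no authorization,
        // but also no security headers or CSRF protection from Spring Security.
        web.ignoring().antMatchers("/ext/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Filter is wired here only, so it runs exactly once, inside the security chain.
            .addFilter(preAuthenticationFilter())
            .authorizeRequests()
                .antMatchers("/int/**").hasRole("INTERNAL")   // role name is an assumption
                .anyRequest().authenticated();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        // Trusts the header-derived principal and loads roles via OP's ShibbolethUserDetailsService.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new ShibbolethUserDetailsService());
        auth.authenticationProvider(provider);
    }
}
```

If the filter has to remain a bean (for example to inject dependencies into it), the same effect is obtained by declaring a FilterRegistrationBean for it with setEnabled(false), which keeps Spring Boot from registering it with the servlet container. If /ext should instead stay inside the security chain with permitAll() so it still receives Spring Security's headers, call filter.setExceptionIfHeaderMissing(false) so a request without the SSO header passes through the filter unauthenticated rather than failing.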