
I have added a filter that reads cookies, stores a UserDetails and performs `SecurityContextHolder.getContext().setAuthentication(ssoUserDetails)`. The details are for a user that exists in the database.

```java
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    SecurityContext securityContext = SecurityContextHolder.getContext();
    Authentication authentication = securityContext.getAuthentication();
    // Only attempt cookie authentication when nothing has authenticated the request yet.
    if (authentication == null || !authentication.isAuthenticated()) {
        HttpServletRequest httpRequest = asHttp(request);

        CookieMap cookieMap = new CookieMap(httpRequest);
        // Optional here is Guava's com.google.common.base.Optional (fromNullable).
        Optional<Cookie> cookie = Optional.fromNullable(cookieMap.get(getCookieName()));
        if (cookie.isPresent()) {
            CookieInstanceAuthentication cookieAuthentication = CookieInstanceAuthentication.builder()
                    .cookie(cookie)
                    .build();
            Optional<Authentication> resultOfAuthentication = tryToAuthenticate(cookieAuthentication);
            if (resultOfAuthentication.isPresent() && resultOfAuthentication.get().isAuthenticated()) {
                // Publish the cookie-derived authentication for the rest of the chain.
                securityContext.setAuthentication(resultOfAuthentication.get());
                authentication = securityContext.getAuthentication();
                logger.debug("CommuntityUser successfully authenticated via cookies. " + authentication.getPrincipal());
            }
        }
    }
    // Always continue the chain, whether or not cookie authentication succeeded.
    chain.doFilter(request, response);
}
```

I have debugged and logged the information to ensure that part is working correctly.

However, when I load any page or hit an API endpoint (without providing OAuth2 credentials/tokens) the user is not authenticated. I tracked this down to the OAuth2AuthenticationProcessingFilter writing over my authentication.

What is the suggested method for adding additional authentication mechanisms?

  • Seems to be a duplicate of http://stackoverflow.com/questions/25794680/multiple-authentication-mechanisms-in-a-single-app-using-java-config – Gaël Marziou Aug 24 '15 at 08:24
  • You are correct. However, I was hoping that there would be a way to configure Spring Security so that I didn't have to write (copy) a custom OAuth2 filter and configure a new security filter chain. It seems like there should be a way for Spring to support multiple authentication mechanisms without writing over each other. A `securityPriority` or `if (!auth.isAuthenticated())` in the filter would suffice. – David Esposito Aug 24 '15 at 15:59
  • You should open an issue in the spring-security project – Gaël Marziou Aug 24 '15 at 17:00
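
One configuration that lets a cookie-based authentication survive the OAuth2 filter, as an added example that is not part of the original question or the Spring Security project's own code. It assumes spring-security-oauth2 2.x with `@EnableResourceServer`, where the resource-server filter runs in stateless mode by default and clears an existing authentication when the request carries no token; the class name and the injected `cookieAuthenticationFilter` bean (standing in for the filter in the question) are hypothetical.

```java
import javax.servlet.Filter;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Hypothetical configuration class; names are illustrative only.
@Configuration
@EnableResourceServer
public class CookieAwareResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumption: the cookie filter from the question, exposed as a bean.
    private final Filter cookieAuthenticationFilter;

    public CookieAwareResourceServerConfig(Filter cookieAuthenticationFilter) {
        this.cookieAuthenticationFilter = cookieAuthenticationFilter;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // In stateless mode the OAuth2 filter treats any authentication it did
        // not create as stale and clears it when no token is presented.
        // Turning that off keeps the cookie-derived authentication in place.
        // Consequence to review: cookie-authenticated browser requests are now
        // accepted on these endpoints, so state-changing routes need CSRF
        // protection.
        resources.stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Register the cookie filter inside this filter chain so it runs
            // for the same requests as the OAuth2 token filter.
            .addFilterBefore(cookieAuthenticationFilter,
                    AbstractPreAuthenticatedProcessingFilter.class)
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A request that does carry a bearer token is still authenticated by the OAuth2 filter; only the no-token case changes.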
