I've been struggling with the problem from the title for a few days already and I'm pretty frustrated. I have no idea what I'm doing wrong and why my implementation isn't working.

Let me show you what I've got:

Custom AuthenticationProvider:

```java
@Component
public class AuthProvider implements AuthenticationProvider {

    private Logger logger = LoggerFactory.getLogger(AuthProvider.class);

    public AuthProvider() {
        logger.info("Building...");
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        logger.info("Authenticate...");
        return null;
    }

    public boolean supports(Class<?> authentication) {
        logger.info("Supports...");
        return true;
    }
}
```

WebSecurity config:

```java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthProvider authProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

As you can see, I've added loggers to the AuthenticationProvider, but none of them is getting called.

What I've tried:

  • adding @Autowired to configure where the AuthenticationManagerBuilder is
  • adding @EnableGlobalMethodSecurity(prePostEnabled=true) to the class
  • adding custom AuthenticationProvider directly to HttpSecurity

How I've tested it:

  • debugging via IntelliJ - no results, no breakpoint is getting called.
  • running the app and sending a request - also no results, no logs, nothing.

Please guys help me somehow. I'm outta energy. I hate wasting so much time on things that should just work :(

sarneeh
  • @dur Is this information necessary in case of this problem? I don't have any authentication right now, that's why I wanted to create my own AuthProvider. I'm planning to authenticate JWT. – sarneeh Sep 02 '16 at 09:04
  • @dur 403 Forbidden. – sarneeh Sep 02 '16 at 09:38
  • @dur `http.authorizeRequests().anyRequest().authenticated();` isn't making it to authenticate all requests? I think that I don't understand it properly :D – sarneeh Sep 02 '16 at 13:15
  • That's the reason, why you get a 403. If you use `permitAll` you will get a 200 with anonymous user, too. Before you write your own `AuthenticationProvider`, you should learn the core concepts of Spring Security, please read [Spring Security Reference](http://docs.spring.io/autorepo/docs/spring-security/4.1.x/reference/htmlsingle/). – dur Sep 02 '16 at 13:31
  • That sounds reasonable. Thanks anyways for pointing this out and sorry for taking Your time! I thought that I understand this properly :) – sarneeh Sep 02 '16 at 15:04
  • You return null from the authenticate() method, - this is the reason. It should return a real Authentication object (for example, an instance of UsernamePasswordAuthenticationToken or its subclass). – user3791111 May 04 '17 at 21:02
  • @dur, can you please explain what's the issue in this code? I am facing the same problem. – Sahil Chhabra Nov 21 '17 at 11:23

2 Answers

Probably you missed the following method in your WebSecurityConfigurerAdapter:

```java
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}
```

The same happened to me.

Julio Villane

Using the isAssignableFrom() method instead of == or equals, we get true, and then the flow passes through authenticate().

```kotlin
override fun supports(authentication: Class<*>): Boolean {
    return UsernamePasswordAuthenticationToken::class.java.isAssignableFrom(authentication)
}
```

GL

Braian Coronel
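
An added example (not code from the question or from either answer) that puts the points raised in this thread together: an authentication mechanism (`httpBasic()`) so that a filter actually submits a token to the `AuthenticationManager`, a `supports()` based on `isAssignableFrom()`, and an `authenticate()` that returns a real `Authentication` or throws. The class names, the single demo user and its password are constructed for illustration, and the code assumes Spring Security 4.x with `WebSecurityConfigurerAdapter`, as in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {
    // Hypothetical provider; the user name and password below are constructed sample values.
    static class DemoAuthProvider implements AuthenticationProvider {
        private final PasswordEncoder encoder = new BCryptPasswordEncoder();
        private final String demoHash = encoder.encode("constructed-demo-password");

        @Override
        public Authentication authenticate(Authentication authentication) {
            Object credentials = authentication.getCredentials();
            String presented = credentials == null ? "" : credentials.toString();
            boolean ok = encoder.matches(presented, demoHash) // '&' below: the hash check always runs
                    & "demo-user".equals(authentication.getName());
            if (!ok) {
                throw new BadCredentialsException("Bad credentials"); // null would mean "no decision"
            }
            return new UsernamePasswordAuthenticationToken( // three-arg constructor = authenticated
                    authentication.getName(), null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new DemoAuthProvider());
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // httpBasic() registers the filter that builds a token and calls the AuthenticationManager.
        http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }
}
```

With this configuration a request without credentials gets a 401 challenge instead of the 403 described in the comments, and a request carrying Basic credentials reaches `supports()` and then `authenticate()`.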