Authorization on a PreAuthenticated spring-security scenario (Round 1)
One of the most common scenarios for pre-authenticated authentication in Spring Security involves retrieving the principal from a header of the HTTP request using RequestHeaderAuthenticationFilter.
The filter's role is to create the PreAuthenticatedAuthenticationToken and pass it through the rest of the security process. Note that this filter inherits from AbstractPreAuthenticatedProcessingFilter, which uses WebAuthenticationDetailsSource as its default AuthenticationDetailsSource. At this point the buildDetails method is called on the AuthenticationDetailsSource, returning a WebAuthenticationDetails that is set on the details attribute of the token, and the token is then passed as the argument to the authenticate method of the AuthenticationManager.
// Inside AbstractPreAuthenticatedProcessingFilter: build the token, attach the request details, then authenticate
PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken(principal, credentials);
authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
Authentication authResult = this.authenticationManager.authenticate(authRequest);
this.successfulAuthentication(request, response, authResult);
Now note that WebAuthenticationDetails is a simple POJO holding two attributes, remoteAddress and sessionId, which are taken from the request object. When the authenticate method is called on the AuthenticationManager, the security process tries all available AuthenticationProviders until one of them succeeds. PreAuthenticatedAuthenticationToken is an Authentication (via AbstractAuthenticationToken), so it fits as the argument to the authenticate method; eventually our PreAuthenticatedAuthenticationProvider will be called and our token will be processed by PreAuthenticatedGrantedAuthoritiesUserDetailsService.
The problem is that when PreAuthenticatedGrantedAuthoritiesUserDetailsService receives the PreAuthenticatedAuthenticationToken, it tries to cast the content of the "details" field to GrantedAuthoritiesContainer!!
This is very weird, since PreAuthenticatedAuthenticationToken inherits from AbstractAuthenticationToken, so there is a formal "authorities" attribute of type `Collection<GrantedAuthority>` in the class … but for some reason this is not used, and the user details service expects a GrantedAuthoritiesContainer object in the details attribute:
((GrantedAuthoritiesContainer)token.getDetails()).getGrantedAuthorities()
However, as we've seen, the content of the details attribute in the PreAuthenticatedAuthenticationToken is a WebAuthenticationDetails object, which is not a GrantedAuthoritiesContainer!!
Am I missing something here?
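As an added example (not code from the original post), here is the piece that makes the cast above succeed: an AuthenticationDetailsSource that returns Spring Security's PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails, which implements GrantedAuthoritiesContainer, wired into the header filter so the token's details carry authorities. The principal name, the ROLE_USER authority and the use of the filter's default SM_USER header are assumptions; the authorities are a constructed placeholder and must come from a server-side lookup, never from a header the client can set.

```java
import java.util.List;
import jakarta.servlet.http.HttpServletRequest; // javax.servlet.http for Spring Security 5 and earlier
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

/**
 * Details source that satisfies the GrantedAuthoritiesContainer cast performed by
 * PreAuthenticatedGrantedAuthoritiesUserDetailsService. Replaces the default
 * WebAuthenticationDetailsSource, whose WebAuthenticationDetails carries no authorities.
 */
public class AuthorityCarryingDetailsSource
        implements AuthenticationDetailsSource<HttpServletRequest,
                   PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails> {

    @Override
    public PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails buildDetails(HttpServletRequest request) {
        // Constructed placeholder: a real implementation resolves authorities for the
        // already-authenticated principal from a trusted store, not from request data.
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
        return new PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(request, authorities);
    }

    /** Header filter configured so that the token it builds has GrantedAuthoritiesContainer details. */
    public static RequestHeaderAuthenticationFilter headerFilter() {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("SM_USER"); // the filter's default, shown explicitly
        filter.setAuthenticationDetailsSource(new AuthorityCarryingDetailsSource());
        // An AuthenticationManager holding a PreAuthenticatedAuthenticationProvider must still be set.
        return filter;
    }

    /** Reproduces the path from the post: with these details the cast succeeds instead of throwing. */
    public static UserDetails resolve(HttpServletRequest request) {
        PreAuthenticatedAuthenticationToken token =
                new PreAuthenticatedAuthenticationToken("alice", "N/A"); // constructed principal
        token.setDetails(new AuthorityCarryingDetailsSource().buildDetails(request));
        return new PreAuthenticatedGrantedAuthoritiesUserDetailsService().loadUserDetails(token);
    }
}
```

Leaving the default WebAuthenticationDetailsSource in place and swapping in a UserDetailsByNameServiceWrapper around your own UserDetailsService is the other way to supply authorities without touching the token's details.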