SEC-948: AbstractPreAuthenticatedProcessingFilter needs getAuthenticationManager() function #1205
The problem is that I want to change the method doAuthenticate but it uses the authenticationManager, which is private in the parent class. It would be nice to have a public function in the AbstractPreAuthenticatedProcessingFilter class to retrieve the authenticationManager. The solution is really trivial but I think it's necessary for someone who wants to extend these classes.
Julia López said:
When I said that I want to modify the doAuthenticate method, I’m really modifying the doFilter method of the AbstractPreAuthenticatedProcessingFilter class, which uses the doAuthenticate function.
I’m trying to integrate a new provider with Spring Security. This provider needs more information in the authenticationToken that is sent to the provider (such as the request IP and one string to save the SAML, which is created for my provider); for this reason I’ve created my own token. Having my own token implies modifying all authentication filters that prepare the token for the authentication. I’ve extended the AuthenticationProcessingFilter and I’ve just modified the attemptAuthentication method, which now creates my token and fills it with the IP. I’ve also extended the BasicAuthenticationFilter and changed the doFilter function to create my token instead of UsernameAndPasswordToken.
OK, I’m explaining this to introduce what I’m trying to do now. Now I want to validate user certificates against my provider; for this reason the preauth filter needs to create my specific token instead of PreauthToken (I need the request IP and the user certificate). The function doFilter creates this token, but if I want to extend a class from AbstractPreAuthenticatedProcessingFilter and just override the doFilter method I need access to the authenticationManager, so I need the getter for it in the parent.
Please, if I’m doing something wrong let me know, and if you don’t understand me I will try to make myself understood again ;) Thank you!
For more details, my provider is TrustedX.
Luke Taylor said:
The IP address should already be available from the Authentication.details object (set by the WebAuthenticationDetailsSource) so you shouldn’t need a custom token for this. You would be better to customize the AuthenticationDetailsSource to set the additional information you need (e.g. the SAML) then it can be reused rather than you having to write an extended version of each filter you need.
Regarding X.509, the certificate should be extracted as the “credentials” by default, so it should be available to your authentication provider from the preauth token.
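The approach suggested in the reply above, as an added example that is not part of the original thread or of Spring Security's own code. It assumes Spring Security 5.x package names with `javax.servlet` (newer than the version this issue was filed against); `SamlDetails`, `SamlDetailsSource`, `CertProvider` and `CertificateValidator` are hypothetical names, `ROLE_USER` is a placeholder authority, and it is an assumption that the external validator is what returns the SAML string.

```java
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class SamlDetailsExample {
    // Hypothetical stand-in for the external validator; returns a SAML string or null.
    public interface CertificateValidator {
        String validate(X509Certificate cert, String remoteAddress);
    }
    // Stock details already hold the remote IP; this adds a slot for the SAML string.
    public static class SamlDetails extends WebAuthenticationDetails {
        private String samlAssertion;
        public SamlDetails(HttpServletRequest request) { super(request); }
        public String getSamlAssertion() { return samlAssertion; }
        public void setSamlAssertion(String saml) { this.samlAssertion = saml; }
    }
    // One source, shared by every filter through setAuthenticationDetailsSource().
    public static class SamlDetailsSource
            implements AuthenticationDetailsSource<HttpServletRequest, SamlDetails> {
        public SamlDetails buildDetails(HttpServletRequest request) { return new SamlDetails(request); }
    }
    public static class CertProvider implements AuthenticationProvider {
        private final CertificateValidator validator;
        public CertProvider(CertificateValidator validator) { this.validator = validator; }
        public Authentication authenticate(Authentication auth) {
            // Fail closed when the details source was not wired in or no certificate arrived.
            if (!(auth.getDetails() instanceof SamlDetails)
                    || !(auth.getCredentials() instanceof X509Certificate)) {
                throw new BadCredentialsException("Missing certificate or request details");
            }
            SamlDetails details = (SamlDetails) auth.getDetails();
            X509Certificate cert = (X509Certificate) auth.getCredentials();
            String saml = validator.validate(cert, details.getRemoteAddress());
            if (saml == null) throw new BadCredentialsException("Certificate rejected");
            details.setSamlAssertion(saml);
            PreAuthenticatedAuthenticationToken result = new PreAuthenticatedAuthenticationToken(
                    auth.getPrincipal(), cert, AuthorityUtils.createAuthorityList("ROLE_USER"));
            result.setDetails(details);
            return result;
        }
        public boolean supports(Class<?> type) { return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(type); }
    }
}
```

Each filter (form login, basic, X.509 preauth) is given the same `SamlDetailsSource` through its `setAuthenticationDetailsSource(...)` setter, so no filter subclass or custom token type is needed. The provider rejects any token whose details or credentials are not of the expected type, which catches a filter that was left on the default details source.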