Summary
#5934 added support for AnonymousAuthenticationTokens in Reactive applications. It seems one thing was missed out - ExceptionTranslationWebFilter is missing the same logic as ExceptionTranslationFilter
Actual Behavior
All access denied decisions are final and propagated to the caller.
Expected Behavior
Logic similar to the below is required in the reactive ExceptionTranslationWebFilter to translate AccessDeniedException into a redirection for authentication.
```java
// Excerpt from the servlet ExceptionTranslationFilter; the preceding
// AuthenticationException branch and the final else branch (delegation to
// the AccessDeniedHandler for fully authenticated users) are not shown.
else if (exception instanceof AccessDeniedException) {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authenticationTrustResolver.isAnonymous(authentication) || authenticationTrustResolver.isRememberMe(authentication)) {
        logger.debug(
                "Access is denied (user is " + (authenticationTrustResolver.isAnonymous(authentication) ? "anonymous" : "not fully authenticated") + "); redirecting to authentication entry point",
                exception);
        sendStartAuthentication(
                request,
                response,
                chain,
                new InsufficientAuthenticationException(
                        messages.getMessage(
                                "ExceptionTranslationFilter.insufficientAuthentication",
                                "Full authentication is required to access this resource")));
    }
}
```
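The reactive decision the issue asks for, written out as an added example (this is not Spring Security's own ExceptionTranslationWebFilter and not code from the reporter): a WebFilter that catches AccessDeniedException, looks at the exchange's principal, and sends anonymous and remember-me principals to the ServerAuthenticationEntryPoint with an InsufficientAuthenticationException, while fully authenticated principals go to the ServerAccessDeniedHandler. The class name AnonymousAwareExceptionTranslationWebFilter is hypothetical; ServerAuthenticationEntryPoint, ServerAccessDeniedHandler and AuthenticationTrustResolverImpl are the existing Spring Security WebFlux types.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/**
 * Hypothetical reactive counterpart of the servlet branch quoted above
 * (illustration for this issue, not Spring Security's own filter).
 */
public class AnonymousAwareExceptionTranslationWebFilter implements WebFilter {

    private final ServerAuthenticationEntryPoint entryPoint;
    private final ServerAccessDeniedHandler accessDeniedHandler;
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    public AnonymousAwareExceptionTranslationWebFilter(ServerAuthenticationEntryPoint entryPoint,
                                                       ServerAccessDeniedHandler accessDeniedHandler) {
        this.entryPoint = entryPoint;
        this.accessDeniedHandler = accessDeniedHandler;
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        return chain.filter(exchange)
                // Authentication failures downstream always start authentication.
                .onErrorResume(AuthenticationException.class, ex -> entryPoint.commence(exchange, ex))
                .onErrorResume(AccessDeniedException.class, denied -> exchange.getPrincipal()
                        .ofType(Authentication.class)
                        // Keep only fully authenticated principals; anonymous and remember-me
                        // principals are filtered out so they take the switchIfEmpty branch.
                        .filter(this::isFullyAuthenticated)
                        // No principal, or not fully authenticated: redirect to the entry point
                        // with an InsufficientAuthenticationException, as the servlet filter does.
                        .switchIfEmpty(Mono.defer(() -> commenceAuthentication(exchange, denied)))
                        // A fully authenticated user is genuinely forbidden: delegate to the handler.
                        .flatMap(auth -> accessDeniedHandler.handle(exchange, denied)));
    }

    private boolean isFullyAuthenticated(Authentication authentication) {
        return !trustResolver.isAnonymous(authentication) && !trustResolver.isRememberMe(authentication);
    }

    // Same shape as the servlet sendStartAuthentication(...) call: the original
    // AccessDeniedException is kept as the cause for logging and diagnostics.
    private <T> Mono<T> commenceAuthentication(ServerWebExchange exchange, AccessDeniedException denied) {
        AuthenticationException insufficient = new InsufficientAuthenticationException(
                "Full authentication is required to access this resource", denied);
        return entryPoint.commence(exchange, insufficient).then(Mono.empty());
    }
}
```

The behaviour to verify after the fix is the one this class encodes: an unauthenticated or anonymous request to a protected resource should end at the authentication entry point (a redirect or 401, depending on the configured entry point), and only a request carrying a fully authenticated principal should reach the access denied handler and receive a 403. In a real application the check belongs inside ExceptionTranslationWebFilter itself rather than in a second filter.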
Configuration
N/A
Version
5.2
Sample