PreAuthenticatedAuthenticationProvider UserDetailsService how to catch the right exception









up vote
1
down vote

favorite












I am under Spring Boot 2.0.5 (Spring Security 5.0.8)



I have setup a preauthentication filter chain, which works fine, only thing problematic is the exception handling, especially those thrown form my custom UserDetailsService. I also tried to return a User with "enabled = false" but still the same.



See code below for my custom UserDetailsService:



@Component
@Slf4j
public class PreAuthenticatedUserDetailsService
 implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> 

 @Autowired
 private AccessService accessService;

 @Override
 public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws AuthenticationException 

 String accessId = token.getCredentials() + "";

 try 
 AccessEntity accessEntity = accessService.getAccessByAccessId(accessId);

 if (accessEntity == null) 
 throw new BadCredentialsException(String.format("Unknown access (AccessId=%s)", accessId));
 

 List<AccessRole> accessRoles = accessEntity.getRoles();

 if (!accessEntity.getActive()) 
 return new User(accessEntity.getUid(), accessEntity.getUid(), false, true, true, true, accessRoles.stream()
 .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
 //throw new AccessDeniedException(String.format("Inactive access (AccessId=%s)", accessId));
 

 return new User(accessEntity.getUid(), accessEntity.getUid(), accessRoles.stream()
 .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
 catch (Exception e) 
 log.error("Exception in load user details", e);
 throw new BadCredentialsException(String.format("Authentication issue for accessId=%s", accessId));




And my Security Configuration:



@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

 private static final String SPRING_ROLE_ANONYMOUS = "ANONYMOUS"; // ("ROLE_" is automatically inserted as prefix)

 @Autowired
 private AppConfigProperties appConfigProperties;

 @Autowired
 RESTAuthenticationEntryPoint restAuthenticationEntryPoint;

 @Autowired
 RESTAccessDeniedHandler accessDeniedHandler;

 @Autowired
 PreAuthenticatedUserDetailsService preAuthenticatedUserDetailsService;

 @Autowired
 public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
 auth.authenticationProvider(preauthAuthProvider());
 

 @Bean
 public PreAuthenticatedAuthenticationProvider preauthAuthProvider() 
 PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
 preauthAuthProvider.setPreAuthenticatedUserDetailsService(preAuthenticatedUserDetailsService);
 return preauthAuthProvider;
 

 @Bean
 public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception 
 RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
 filter.setPrincipalRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
 filter.setCredentialsRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
 filter.setExceptionIfHeaderMissing(false);
 filter.setAuthenticationManager(authenticationManager());
 return filter;
 

 @Override
 protected void configure(HttpSecurity http) throws Exception 
 RequestMatcher protected_urls = new OrRequestMatcher(new AntPathRequestMatcher(
 appConfigProperties.getSecurity().getProtectedUrls()));
 http
 .sessionManagement()
 .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 .and()
 .addFilterBefore(requestHeaderAuthenticationFilter(), AnonymousAuthenticationFilter.class)
 .authorizeRequests()
 .antMatchers(HttpMethod.POST , appConfigProperties.getSecurity().getUserAuthenticatePath())
 .hasRole(SPRING_ROLE_ANONYMOUS)
 .requestMatchers(protected_urls).authenticated()
 .and()
 .exceptionHandling()
 .accessDeniedHandler(accessDeniedHandler)
 .authenticationEntryPoint(restAuthenticationEntryPoint)
 .and()
 .csrf().disable()
 .formLogin().disable()
 .httpBasic().disable()
 .logout().disable(); // disable autoconfig
 

 /**
 * Disable Spring boot automatic filter registration.
 */
 @Bean
 FilterRegistrationBean<RequestHeaderAuthenticationFilter> disableAutoRegistration(final RequestHeaderAuthenticationFilter filter) 
 final FilterRegistrationBean<RequestHeaderAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
 registration.setEnabled(false);
 return registration;
 


@Component
@Slf4j
public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint 

 @Autowired
 private AppConfigProperties appConfigProperties;

 @Override
 public void commence(final HttpServletRequest request, final HttpServletResponse response,
 final AuthenticationException authException) throws IOException 

 log.error("********* Authentication Entry Point exception", authException);

 response.setContentType("application/json");
 response.setCharacterEncoding("UTF-8");

 String responseContentJson = null;

 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 responseContentJson = new Gson().toJson(GlobalExceptionHandler.createSWError(SWErrorCode.HTTP,
 String.format("Failed authentication: missing request header '%s' or invalid value",
 appConfigProperties.getSecurity().getRequestHeaderTokenKeyName())));

 PrintWriter out = response.getWriter();
 out.print(responseContentJson);
 out.flush();
 response.flushBuffer();




I also tried to use an "accessDeniedHandler" but it never goes through it.



The issue is that for any exception thrown (either in my custom UserDetailsService or others), it goes through my custom "AuthenticationEntryPoint" with an always similar exception, see below:



org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
 at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:190)
 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:141)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:121)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:155)
 at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:123)
 at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
 at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
 at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
 at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
 at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 at java.lang.Thread.run(Thread.java:748)


Any idea would be great!






spring-security exception-handling pre-authentication







share|improve this question

























    up vote
    1
    down vote

    favorite












    I am under Spring Boot 2.0.5 (Spring Security 5.0.8)



    I have setup a preauthentication filter chain, which works fine, only thing problematic is the exception handling, especially those thrown form my custom UserDetailsService. I also tried to return a User with "enabled = false" but still the same.



    See code below for my custom UserDetailsService:



    @Component
    @Slf4j
    public class PreAuthenticatedUserDetailsService
     implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> 

     @Autowired
     private AccessService accessService;

     @Override
     public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws AuthenticationException 

     String accessId = token.getCredentials() + "";

     try 
     AccessEntity accessEntity = accessService.getAccessByAccessId(accessId);

     if (accessEntity == null) 
     throw new BadCredentialsException(String.format("Unknown access (AccessId=%s)", accessId));
     

     List<AccessRole> accessRoles = accessEntity.getRoles();

     if (!accessEntity.getActive()) 
     return new User(accessEntity.getUid(), accessEntity.getUid(), false, true, true, true, accessRoles.stream()
     .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
     //throw new AccessDeniedException(String.format("Inactive access (AccessId=%s)", accessId));
     

     return new User(accessEntity.getUid(), accessEntity.getUid(), accessRoles.stream()
     .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
     catch (Exception e) 
     log.error("Exception in load user details", e);
     throw new BadCredentialsException(String.format("Authentication issue for accessId=%s", accessId));




    And my Security Configuration:



    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

     private static final String SPRING_ROLE_ANONYMOUS = "ANONYMOUS"; // ("ROLE_" is automatically inserted as prefix)

     @Autowired
     private AppConfigProperties appConfigProperties;

     @Autowired
     RESTAuthenticationEntryPoint restAuthenticationEntryPoint;

     @Autowired
     RESTAccessDeniedHandler accessDeniedHandler;

     @Autowired
     PreAuthenticatedUserDetailsService preAuthenticatedUserDetailsService;

     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
     auth.authenticationProvider(preauthAuthProvider());
     

     @Bean
     public PreAuthenticatedAuthenticationProvider preauthAuthProvider() 
     PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
     preauthAuthProvider.setPreAuthenticatedUserDetailsService(preAuthenticatedUserDetailsService);
     return preauthAuthProvider;
     

     @Bean
     public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception 
     RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
     filter.setPrincipalRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
     filter.setCredentialsRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
     filter.setExceptionIfHeaderMissing(false);
     filter.setAuthenticationManager(authenticationManager());
     return filter;
     

     @Override
     protected void configure(HttpSecurity http) throws Exception 
     RequestMatcher protected_urls = new OrRequestMatcher(new AntPathRequestMatcher(
     appConfigProperties.getSecurity().getProtectedUrls()));
     http
     .sessionManagement()
     .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
     .and()
     .addFilterBefore(requestHeaderAuthenticationFilter(), AnonymousAuthenticationFilter.class)
     .authorizeRequests()
     .antMatchers(HttpMethod.POST , appConfigProperties.getSecurity().getUserAuthenticatePath())
     .hasRole(SPRING_ROLE_ANONYMOUS)
     .requestMatchers(protected_urls).authenticated()
     .and()
     .exceptionHandling()
     .accessDeniedHandler(accessDeniedHandler)
     .authenticationEntryPoint(restAuthenticationEntryPoint)
     .and()
     .csrf().disable()
     .formLogin().disable()
     .httpBasic().disable()
     .logout().disable(); // disable autoconfig
     

     /**
     * Disable Spring boot automatic filter registration.
     */
     @Bean
     FilterRegistrationBean<RequestHeaderAuthenticationFilter> disableAutoRegistration(final RequestHeaderAuthenticationFilter filter) 
     final FilterRegistrationBean<RequestHeaderAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
     registration.setEnabled(false);
     return registration;
     


    @Component
    @Slf4j
    public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint 

     @Autowired
     private AppConfigProperties appConfigProperties;

     @Override
     public void commence(final HttpServletRequest request, final HttpServletResponse response,
     final AuthenticationException authException) throws IOException 

     log.error("********* Authentication Entry Point exception", authException);

     response.setContentType("application/json");
     response.setCharacterEncoding("UTF-8");

     String responseContentJson = null;

     response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
     responseContentJson = new Gson().toJson(GlobalExceptionHandler.createSWError(SWErrorCode.HTTP,
     String.format("Failed authentication: missing request header '%s' or invalid value",
     appConfigProperties.getSecurity().getRequestHeaderTokenKeyName())));

     PrintWriter out = response.getWriter();
     out.print(responseContentJson);
     out.flush();
     response.flushBuffer();




    I also tried to use an "accessDeniedHandler" but it never goes through it.



    The issue is that for any exception thrown (either in my custom UserDetailsService or others), it goes through my custom "AuthenticationEntryPoint" with an always similar exception, see below:



    org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
     at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:190)
     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:141)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:121)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:155)
     at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:123)
     at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
     at java.lang.Thread.run(Thread.java:748)


    Any idea would be great!






    spring-security exception-handling pre-authentication







    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I am under Spring Boot 2.0.5 (Spring Security 5.0.8)



      I have setup a preauthentication filter chain, which works fine, only thing problematic is the exception handling, especially those thrown form my custom UserDetailsService. I also tried to return a User with "enabled = false" but still the same.



      See code below for my custom UserDetailsService:



      @Component
      @Slf4j
      public class PreAuthenticatedUserDetailsService
       implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> 

       @Autowired
       private AccessService accessService;

       @Override
       public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws AuthenticationException 

       String accessId = token.getCredentials() + "";

       try 
       AccessEntity accessEntity = accessService.getAccessByAccessId(accessId);

       if (accessEntity == null) 
       throw new BadCredentialsException(String.format("Unknown access (AccessId=%s)", accessId));
       

       List<AccessRole> accessRoles = accessEntity.getRoles();

       if (!accessEntity.getActive()) 
       return new User(accessEntity.getUid(), accessEntity.getUid(), false, true, true, true, accessRoles.stream()
       .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
       //throw new AccessDeniedException(String.format("Inactive access (AccessId=%s)", accessId));
       

       return new User(accessEntity.getUid(), accessEntity.getUid(), accessRoles.stream()
       .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
       catch (Exception e) 
       log.error("Exception in load user details", e);
       throw new BadCredentialsException(String.format("Authentication issue for accessId=%s", accessId));




      And my Security Configuration:



      @Configuration
      @EnableWebSecurity
      @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
      public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

       private static final String SPRING_ROLE_ANONYMOUS = "ANONYMOUS"; // ("ROLE_" is automatically inserted as prefix)

       @Autowired
       private AppConfigProperties appConfigProperties;

       @Autowired
       RESTAuthenticationEntryPoint restAuthenticationEntryPoint;

       @Autowired
       RESTAccessDeniedHandler accessDeniedHandler;

       @Autowired
       PreAuthenticatedUserDetailsService preAuthenticatedUserDetailsService;

       @Autowired
       public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
       auth.authenticationProvider(preauthAuthProvider());
       

       @Bean
       public PreAuthenticatedAuthenticationProvider preauthAuthProvider() 
       PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
       preauthAuthProvider.setPreAuthenticatedUserDetailsService(preAuthenticatedUserDetailsService);
       return preauthAuthProvider;
       

       @Bean
       public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception 
       RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
       filter.setPrincipalRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
       filter.setCredentialsRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
       filter.setExceptionIfHeaderMissing(false);
       filter.setAuthenticationManager(authenticationManager());
       return filter;
       

       @Override
       protected void configure(HttpSecurity http) throws Exception 
       RequestMatcher protected_urls = new OrRequestMatcher(new AntPathRequestMatcher(
       appConfigProperties.getSecurity().getProtectedUrls()));
       http
       .sessionManagement()
       .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
       .and()
       .addFilterBefore(requestHeaderAuthenticationFilter(), AnonymousAuthenticationFilter.class)
       .authorizeRequests()
       .antMatchers(HttpMethod.POST , appConfigProperties.getSecurity().getUserAuthenticatePath())
       .hasRole(SPRING_ROLE_ANONYMOUS)
       .requestMatchers(protected_urls).authenticated()
       .and()
       .exceptionHandling()
       .accessDeniedHandler(accessDeniedHandler)
       .authenticationEntryPoint(restAuthenticationEntryPoint)
       .and()
       .csrf().disable()
       .formLogin().disable()
       .httpBasic().disable()
       .logout().disable(); // disable autoconfig
       

       /**
       * Disable Spring boot automatic filter registration.
       */
       @Bean
       FilterRegistrationBean<RequestHeaderAuthenticationFilter> disableAutoRegistration(final RequestHeaderAuthenticationFilter filter) 
       final FilterRegistrationBean<RequestHeaderAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
       registration.setEnabled(false);
       return registration;
       


      @Component
      @Slf4j
      public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint 

       @Autowired
       private AppConfigProperties appConfigProperties;

       @Override
       public void commence(final HttpServletRequest request, final HttpServletResponse response,
       final AuthenticationException authException) throws IOException 

       log.error("********* Authentication Entry Point exception", authException);

       response.setContentType("application/json");
       response.setCharacterEncoding("UTF-8");

       String responseContentJson = null;

       response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
       responseContentJson = new Gson().toJson(GlobalExceptionHandler.createSWError(SWErrorCode.HTTP,
       String.format("Failed authentication: missing request header '%s' or invalid value",
       appConfigProperties.getSecurity().getRequestHeaderTokenKeyName())));

       PrintWriter out = response.getWriter();
       out.print(responseContentJson);
       out.flush();
       response.flushBuffer();




      I also tried to use an "accessDeniedHandler" but it never goes through it.



      The issue is that for any exception thrown (either in my custom UserDetailsService or others), it goes through my custom "AuthenticationEntryPoint" with an always similar exception, see below:



      org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
       at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:190)
       at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:141)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:121)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
       at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
       at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
       at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:155)
       at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:123)
       at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
       at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
       at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
       at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
       at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
       at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
       at java.lang.Thread.run(Thread.java:748)


      Any idea would be great!






      spring-security exception-handling pre-authentication







      share|improve this question













      I am under Spring Boot 2.0.5 (Spring Security 5.0.8)



      I have setup a preauthentication filter chain, which works fine, only thing problematic is the exception handling, especially those thrown form my custom UserDetailsService. I also tried to return a User with "enabled = false" but still the same.



      See code below for my custom UserDetailsService:



      @Component
      @Slf4j
      public class PreAuthenticatedUserDetailsService
       implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> 

       @Autowired
       private AccessService accessService;

       @Override
       public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws AuthenticationException 

       String accessId = token.getCredentials() + "";

       try 
       AccessEntity accessEntity = accessService.getAccessByAccessId(accessId);

       if (accessEntity == null) 
       throw new BadCredentialsException(String.format("Unknown access (AccessId=%s)", accessId));
       

       List<AccessRole> accessRoles = accessEntity.getRoles();

       if (!accessEntity.getActive()) 
       return new User(accessEntity.getUid(), accessEntity.getUid(), false, true, true, true, accessRoles.stream()
       .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
       //throw new AccessDeniedException(String.format("Inactive access (AccessId=%s)", accessId));
       

       return new User(accessEntity.getUid(), accessEntity.getUid(), accessRoles.stream()
       .map(role -> new SimpleGrantedAuthority(role.getValue())).collect(Collectors.toList()));
       catch (Exception e) 
       log.error("Exception in load user details", e);
       throw new BadCredentialsException(String.format("Authentication issue for accessId=%s", accessId));




      And my Security Configuration:



      @Configuration
      @EnableWebSecurity
      @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
      public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

       private static final String SPRING_ROLE_ANONYMOUS = "ANONYMOUS"; // ("ROLE_" is automatically inserted as prefix)

       @Autowired
       private AppConfigProperties appConfigProperties;

       @Autowired
       RESTAuthenticationEntryPoint restAuthenticationEntryPoint;

       @Autowired
       RESTAccessDeniedHandler accessDeniedHandler;

       @Autowired
       PreAuthenticatedUserDetailsService preAuthenticatedUserDetailsService;

       @Autowired
       public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
       auth.authenticationProvider(preauthAuthProvider());
       

       @Bean
       public PreAuthenticatedAuthenticationProvider preauthAuthProvider() 
       PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
       preauthAuthProvider.setPreAuthenticatedUserDetailsService(preAuthenticatedUserDetailsService);
       return preauthAuthProvider;
       

       @Bean
       public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception 
       RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
       filter.setPrincipalRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
       filter.setCredentialsRequestHeader(appConfigProperties.getSecurity().getRequestHeaderTokenKeyName());
       filter.setExceptionIfHeaderMissing(false);
       filter.setAuthenticationManager(authenticationManager());
       return filter;
       

       @Override
       protected void configure(HttpSecurity http) throws Exception 
       RequestMatcher protected_urls = new OrRequestMatcher(new AntPathRequestMatcher(
       appConfigProperties.getSecurity().getProtectedUrls()));
       http
       .sessionManagement()
       .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
       .and()
       .addFilterBefore(requestHeaderAuthenticationFilter(), AnonymousAuthenticationFilter.class)
       .authorizeRequests()
       .antMatchers(HttpMethod.POST , appConfigProperties.getSecurity().getUserAuthenticatePath())
       .hasRole(SPRING_ROLE_ANONYMOUS)
       .requestMatchers(protected_urls).authenticated()
       .and()
       .exceptionHandling()
       .accessDeniedHandler(accessDeniedHandler)
       .authenticationEntryPoint(restAuthenticationEntryPoint)
       .and()
       .csrf().disable()
       .formLogin().disable()
       .httpBasic().disable()
       .logout().disable(); // disable autoconfig
       

       /**
       * Disable Spring boot automatic filter registration.
       */
       @Bean
       FilterRegistrationBean<RequestHeaderAuthenticationFilter> disableAutoRegistration(final RequestHeaderAuthenticationFilter filter) 
       final FilterRegistrationBean<RequestHeaderAuthenticationFilter> registration = new FilterRegistrationBean<>(filter);
       registration.setEnabled(false);
       return registration;
       


      @Component
      @Slf4j
      public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint 

       @Autowired
       private AppConfigProperties appConfigProperties;

       @Override
       public void commence(final HttpServletRequest request, final HttpServletResponse response,
       final AuthenticationException authException) throws IOException 

       log.error("********* Authentication Entry Point exception", authException);

       response.setContentType("application/json");
       response.setCharacterEncoding("UTF-8");

       String responseContentJson = null;

       response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
       responseContentJson = new Gson().toJson(GlobalExceptionHandler.createSWError(SWErrorCode.HTTP,
       String.format("Failed authentication: missing request header '%s' or invalid value",
       appConfigProperties.getSecurity().getRequestHeaderTokenKeyName())));

       PrintWriter out = response.getWriter();
       out.print(responseContentJson);
       out.flush();
       response.flushBuffer();




      I also tried to use an "accessDeniedHandler" but it never goes through it.



      The issue is that for any exception thrown (either in my custom UserDetailsService or others), it goes through my custom "AuthenticationEntryPoint" with an always similar exception, see below:



      org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
       at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:190)
       at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:141)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:121)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
       at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
       at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
       at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
       at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:155)
       at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:123)
       at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
       at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
       at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
       at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
       at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
       at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
       at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
       at java.lang.Thread.run(Thread.java:748)


      Any idea would be great!






      spring-security exception-handling pre-authentication




      spring-security exception-handling pre-authentication






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 9 at 15:24









      Khalil Bouzekri

      136




      136



























          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53228586%2fpreauthenticatedauthenticationprovider-userdetailsservice-how-to-catch-the-right%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53228586%2fpreauthenticatedauthenticationprovider-userdetailsservice-how-to-catch-the-right%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Kleinkühnau

          Image
          Kleinkühnau Stadt Dessau-Roßlau 51.839444444444 12.184444444444 57 Koordinaten: 51° 50′ 22″  N , 12° 11′ 4″  O Höhe: 57 m Fläche: 9,93 km² Einwohner: 1649  (31. Dez. 2011) Bevölkerungsdichte: 166 Einwohner/km² Eingemeindung: 1. Oktober 1923 Eingemeindet nach: Dessau Postleitzahl: 06846 Vorwahl: 0340 Rathaus (Amtshaus Kühnau e. V.) Ev. Kirche Kleinkühnau Kleinkühnau ist ein Stadtteil von Dessau-Roßlau, einer kreisfreien Stadt im Bundesland Sachsen-Anhalt. Er liegt ungefähr vier Kilometer westlich des Stadtzentrums. Südlich der Kühnauer Straße befinden sich der Flugplatz Dessau, das Technikmuseum Hugo Junkers sowie der Standort der Polizeidirektion Sachsen-Anhalt Ost. Kleinkühnau hat 1649 Einwohner (Stand 31. Dezember 2011). Inhaltsverzeichnis 1 Geschichte 1.1 Bevölkerungsentwicklung 2 Siehe auch 3 Weblinks 4 E...
          Read more

          Makov (Slowakei)

          Image
          Makov Wappen Karte Makov Basisdaten Staat: Slowakei Kraj: Žilinský kraj Okres: Čadca Region: Kysuce Fläche: 46,052 km² Einwohner: 1.720 (31. Dez. 2017) Bevölkerungsdichte: 37 Einwohner je km² Höhe: 583  m n.m. Postleitzahl: 023 56 Telefonvorwahl: 0 41 Geographische Lage: 49° 22′  N , 18° 29′  O 49.366666666667 18.483333333333 583 Koordinaten: 49° 22′ 0″  N , 18° 29′ 0″  O Kfz-Kennzeichen: CA Kód obce: 509299 Struktur Gemeindeart: Gemeinde Verwaltung (Stand: November 2014) Bürgermeister: Martin Pavlík Adresse: Obecný úrad Makov 60 02356 Makov Webpräsenz: www.makov.sk Statistikinformation auf statistics.sk Makov (ungarisch Trencsénmakó – älter auch Makó , polnisch Maków ) ist eine Gemeinde in der Nordwestslowakei. Inhaltsverzeichnis 1 Geographie 1.1 Bevölkerung 2 Ge...
          Read more

          Deutsches Schauspielhaus

          Image
          Deutsches Schauspielhaus Hamburg Aktie über 1000 Mark der Deutsche Schauspielhaus AG vom 20. Juni 1899 Das Deutsche Schauspielhaus im Hamburger Stadtteil St. Georg ist mit 1200 Plätzen das größte Sprechtheater Deutschlands. Entstanden ist es durch eine private Initiative von Bürgern und der 1899 gegründeten „Aktiengesellschaft Deutsches Schauspielhaus“. Die Pläne stammen von dem Wiener Architekturbüro Fellner und Helmer, die das neobarocke Gebäude nach dem Vorbild des Wiener Volkstheaters gestalteten. Am 15. September 1900 wurde das Theater mit einer Aufführung der Iphigenie auf Tauris feierlich eröffnet. Der Name Deutsches Schauspielhaus knüpft an die Tradition des Hamburger Nationaltheaters an, das Mitte des 18. Jahrhunderts durch Hamburger Bürger betrieben wurde und an dem Gotthold Ephraim Lessing als Dramaturg tätig war. Das Schauspielhaus hat die Theatergeschichte der Stadt im 20. Jahrhundert entsc...
          Read more