CODEWITHSUNDEEP
javaspringspring-securityrestful-authentication
hiemer
hiemer

Reputation: 101

Spring Security: AuthenticationProcessingFilter is called twice

I try configure Spring Security via token authorization in RESTful application.

My AuthenticationFilter looks like:

@Configurable

public class CustomTokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private static final Logger logger = LoggerFactory.getLogger(CustomTokenAuthenticationFilter.class);

    private final static String SECRET_KEY = "ThisIsASecretKey";
    public final String HEADER_SECURITY_TOKEN = "X-Token";

    @Inject
    private Users usres;

    public CustomTokenAuthenticationFilter(String defaultFilterProcessesUrl) {
        super(defaultFilterProcessesUrl);
        super.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(defaultFilterProcessesUrl));
        setAuthenticationManager(new NoOpAuthenticationManager());
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException,
            ServletException {
        String token = request.getHeader(HEADER_SECURITY_TOKEN);

        logger.info("token found:" + token);
        TokenInfo tokenInfo = new TokenInfo(token, SECRET_KEY);

        AbstractAuthenticationToken userAuthenticationToken;
        try {
            userAuthenticationToken = authUserByToken(tokenInfo);
            if (userAuthenticationToken == null)
                throw new AuthenticationServiceException(MessageFormat.format("Error | {0}", "Bad Token"));

            return userAuthenticationToken;
        } catch (ParseException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        return null;
    }

    private AbstractAuthenticationToken authUserByToken(TokenInfo token) throws ParseException {
        if (token == null) {
            return null;
        }
        UserInfo userInfo = usres.findUser(token.getUsername());
        ModelMapper mapper = new ModelMapper();
        mapper.getConfiguration().setProvider(new UserProvider());

        User userDetails = mapper.map(userInfo, User.class);
        AbstractAuthenticationToken authToken = new AuthenticationToken(userDetails);

        try {
            return authToken;
        } catch (Exception e) {
            logger.error("Authenticate user by token error: ", e);
        }
        return authToken;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler() {
            @Override
            public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
                    throws IOException, ServletException {
                chain.doFilter(request, response);
            }
        });
        super.doFilter(req, res, chain);
    }

}

and Spring Security config:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Inject
    AuthenticationManager authenticationManager;

    @Bean
    protected AbstractAuthenticationProcessingFilter getTokenAuthFilter() throws Exception {
        CustomTokenAuthenticationFilter tapf = new CustomTokenAuthenticationFilter("/api/secure-module/admin/**");
        tapf.setAuthenticationManager(authenticationManager);
        return tapf;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.csrf().disable().addFilterBefore(getTokenAuthFilter(), AnonymousAuthenticationFilter.class).exceptionHandling()
                .authenticationEntryPoint(new RestAuthenticationEntryPoint());

    }

}

It works fine but CustomTokenAuthenticationFilter is called twice and I don't know why. Any ideas?

Upvotes: 3

Views: 3839

Answers (2)

Abe
Abe

Reputation: 31

I had a similar experience when the Filter was generating an exception causing a redirect to /error which triggered the Filter again. I had to specify

@Override
public void configure(WebSecurity web) throws Exception {
    // ignoring security for /error
    web.ignoring().antMatchers("/error");
}

Upvotes: 2

hiemer
hiemer

Reputation: 101

I found problem, it is @Bean annotation in getTokenAuthFilter method. Then I had 2 registered filter in chain (additionalFilters, originalChain).

Upvotes: 6

Related Questions