CODEWITHSUNDEEP
javaspringauthenticationspring-securityspring-boot
mcamier
mcamier

Reputation: 426

Differents authentication ways on same URLs with spring-boot

I'm working on a spring boot web app project configured by annotations. I successfully configured spring-security to add basic authentication on some URLs and sso on some others. But actually I have to modify that behavior to achieve this :

All my URLs are secured by the both authentication methods, to identify the way to use I have to read the request's headers : if there is a ppauth token, I gonna try sso authentication, and if I have a Authoriation: Basic header I gonna try Basic auth. In the other case the authentication fails.

In the spring boot documentation the exemple is really simple, it shows the usage of WebSecurityConfigurerAdapter, actually we can determine authentication method by different URLs patterns but not by other predicate like headers.

Has somebody an idea ?

Upvotes: 4

Views: 2180

Answers (2)

mcamier
mcamier

Reputation: 426

Finally I got a solution to this problem so I will briefly share it :

So we have multiple Authentication ways, described in several classes extending AbstractPreAuthenticatedProcessingFilter. (all those will not be added to the filter chain)

In top of that we got a MultiAuthModeSecurityFilter, this class will be added to the filter chain of the application :

Inside the configure method of the WebSecurityConfigurerAdapter

http.addFilterBefore(new MultiAuthModeSecurityFilter(
                FirstSecurityFilter(),
                SecondSecurityFilter(),
                ThirdSecurityFilter()), RequestCacheAwareFilter.class);

So MultiAuthModeSecurityFilter knows all ours security strategies and will dispatch the request to the correct filter by doing : 

    @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            /*some actions to define the right authMethod to use*/
            switch (authMethod) {
                case FIRST:
                    firstFilter.doFilter(servletRequest, servletResponse, filterChain);
                    break;
                case SECOND:
                    secondFilter.doFilter(servletRequest, servletResponse, filterChain);
                    break;
                case THIRD:
                    thirdFilter.doFilter(servletRequest, servletResponse, filterChain);
                    break;
                default:
                    /* throws exception */ break;
            }
        }

Hope this will help you !

Upvotes: 2

Dave Syer
Dave Syer

Reputation: 58124

There's always more than one way to do something. In this case the easiest is probably to write your sso filter in such a way that it continues with the chain if there is no custom header, and put it before the basic auth filter. Then if your custom filter skips the request it will be handled by the basic auth.

Upvotes: 0

Related Questions