Reputation: 426
I'm working on a Spring Boot web app project configured by annotations. I successfully configured spring-security to add basic authentication on some URLs and SSO on some others. But actually I have to modify that behavior to achieve this:
All my URLs are secured by both authentication methods. To identify which one to use I have to read the request's headers: if there is a ppauth token, I am going to try SSO authentication, and if there is an Authorization: Basic header I am going to try Basic auth. In any other case the authentication fails.
In the Spring Boot documentation the example is really simple: it shows the usage of WebSecurityConfigurerAdapter. Actually we can determine the authentication method by different URL patterns, but not by another predicate like headers.
Does somebody have an idea?
Upvotes: 4
Views: 2180
Reputation: 426
Finally I got a solution to this problem, so I will briefly share it:
So we have multiple authentication ways, described in several classes extending AbstractPreAuthenticatedProcessingFilter (none of those will be added to the filter chain).
On top of that we have a MultiAuthModeSecurityFilter; this class will be added to the filter chain of the application, inside the configure method of the WebSecurityConfigurerAdapter:

```java
http.addFilterBefore(new MultiAuthModeSecurityFilter(
        new FirstSecurityFilter(),
        new SecondSecurityFilter(),
        new ThirdSecurityFilter()), RequestCacheAwareFilter.class);
```

So MultiAuthModeSecurityFilter knows all our security strategies and will dispatch the request to the correct filter by doing:
```java
// doFilter of MultiAuthModeSecurityFilter; firstFilter, secondFilter and thirdFilter are the
// wrapped AbstractPreAuthenticatedProcessingFilter instances passed to the constructor
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    /* some actions to define the right authMethod to use */
    switch (authMethod) {
        case FIRST:
            // the selected filter authenticates and then continues the chain itself
            firstFilter.doFilter(servletRequest, servletResponse, filterChain);
            break;
        case SECOND:
            secondFilter.doFilter(servletRequest, servletResponse, filterChain);
            break;
        case THIRD:
            thirdFilter.doFilter(servletRequest, servletResponse, filterChain);
            break;
        default:
            // no supported authentication method found: fail instead of continuing the chain
            throw new ServletException("no supported authentication method in request");
    }
}
```
Hope this will help you!
Upvotes: 2
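A fuller version of the dispatching filter the answer above sketches, written for this page (it is not the answerer's class). It decides the branch from the request headers instead of a pre-computed authMethod, and it fails closed when no recognisable credentials are present. The header names are assumptions taken from the question: ppauth carries the SSO token and Authorization: Basic carries HTTP Basic credentials.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.GenericFilterBean;

/**
 * Picks exactly one authentication filter per request from its headers and delegates to it.
 * Illustrative code for this page, not the answer's own class. Header names are assumptions
 * from the question: "ppauth" carries the SSO token, "Authorization: Basic ..." HTTP Basic.
 *
 * Wiring inside configure(HttpSecurity http), mirroring the answer above:
 *
 *   http.addFilterBefore(new MultiAuthModeSecurityFilter()
 *           .register("sso", MultiAuthModeSecurityFilter::hasSsoToken, ssoFilter)
 *           .register("basic", MultiAuthModeSecurityFilter::hasBasicCredentials, basicFilter),
 *       RequestCacheAwareFilter.class);
 */
public class MultiAuthModeSecurityFilter extends GenericFilterBean {

    /** One selectable strategy: a header predicate plus the filter that handles the match. */
    private static final class Strategy {
        final String name;
        final Predicate<HttpServletRequest> matches;
        final Filter filter;

        Strategy(String name, Predicate<HttpServletRequest> matches, Filter filter) {
            this.name = name;
            this.matches = matches;
            this.filter = filter;
        }
    }

    /** Tried in registration order; the first predicate that matches wins. */
    private final List<Strategy> strategies = new ArrayList<>();

    public MultiAuthModeSecurityFilter register(String name, Predicate<HttpServletRequest> matches, Filter filter) {
        strategies.add(new Strategy(name, matches, filter));
        return this;
    }

    /** SSO branch: a non-blank token in the assumed "ppauth" header. */
    public static boolean hasSsoToken(HttpServletRequest request) {
        String token = request.getHeader("ppauth");
        return token != null && !token.trim().isEmpty();
    }

    /** Basic branch: "Authorization: Basic ..."; the scheme name is case-insensitive (RFC 7235). */
    public static boolean hasBasicCredentials(HttpServletRequest request) {
        String authorization = request.getHeader("Authorization");
        return authorization != null && authorization.regionMatches(true, 0, "Basic ", 0, 6);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        for (Strategy strategy : strategies) {
            if (strategy.matches.test(request)) {
                logger.debug("authenticating with strategy " + strategy.name);
                // The chosen filter authenticates and then continues the chain itself.
                strategy.filter.doFilter(request, response, chain);
                return;
            }
        }

        // No recognised credentials: fail closed here rather than calling chain.doFilter,
        // so the request can never reach the protected resource as an anonymous user.
        response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No supported authentication method");
    }
}
```

Two things to check when using this pattern: the wrapped AbstractPreAuthenticatedProcessingFilter instances are not Spring beans here, so their AuthenticationManager has to be set on them explicitly before they are handed to the dispatcher; and a request carrying both a ppauth header and Basic credentials is ambiguous, so either register the strategies in the order the question prescribes (ppauth first) or reject such requests outright.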
Reputation: 58124
There's always more than one way to do something. In this case the easiest is probably to write your SSO filter in such a way that it continues with the chain if there is no custom header, and put it before the basic auth filter. Then, if your custom filter skips the request, it will be handled by the basic auth.
Upvotes: 0
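The fall-through approach this answer describes, as an added example that is not part of the original post: a pre-authentication filter that only acts when the (assumed) ppauth header is present and is registered before BasicAuthenticationFilter. It assumes a Spring Security 4/5 WebSecurityConfigurerAdapter as used in the question, and that an AuthenticationProvider able to validate PreAuthenticatedAuthenticationToken (for example PreAuthenticatedAuthenticationProvider) is registered with the AuthenticationManager; the class and header names are hypothetical.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * SSO filter that handles a request only when the token header is present; otherwise it
 * passes the request on untouched so BasicAuthenticationFilter behind it gets its turn.
 * Illustrative code for this page; "ppauth" is the header name assumed from the question.
 */
public class SsoTokenFilter extends OncePerRequestFilter {

    static final String TOKEN_HEADER = "ppauth"; // assumed header name

    private final AuthenticationManager authenticationManager;
    private final AuthenticationEntryPoint entryPoint;

    public SsoTokenFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint entryPoint) {
        this.authenticationManager = authenticationManager;
        this.entryPoint = entryPoint;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String token = request.getHeader(TOKEN_HEADER);
        if (token == null || token.trim().isEmpty()) {
            // Not an SSO request: continue the chain so basic auth can handle it.
            chain.doFilter(request, response);
            return;
        }
        try {
            // The token is the pre-authenticated principal; the provider behind the
            // AuthenticationManager (assumed to be configured) validates it and loads the user.
            Authentication authRequest = new PreAuthenticatedAuthenticationToken(token, "N/A");
            Authentication authResult = authenticationManager.authenticate(authRequest);
            SecurityContextHolder.getContext().setAuthentication(authResult);
        } catch (AuthenticationException failed) {
            // A present but invalid token must not fall through to basic auth:
            // clear the context and end the request here.
            SecurityContextHolder.clearContext();
            entryPoint.commence(request, response, failed);
            return;
        }
        chain.doFilter(request, response);
    }
}

/** Wiring: every URL requires authentication, SSO is tried first, basic auth is the fallback. */
@Configuration
@EnableWebSecurity
class HeaderSelectedAuthConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SsoTokenFilter sso = new SsoTokenFilter(authenticationManager(),
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic()
            .and()
            .addFilterBefore(sso, BasicAuthenticationFilter.class);
    }
}
```

The one behaviour worth getting right here is the failure branch: a request that carries a ppauth token which does not validate is rejected immediately rather than handed on to basic auth, so a broken or forged token cannot quietly downgrade into a different authentication path.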