Custom Authentication Provider is not getting called Spring Security

Question

I am trying to implement a custom AuthenticationProvider to authenticate calls to all my protected URLs. I have implemented all the methods and believe that my xml configuration is correct, but calls to protected URLs always go to the entry-point-ref class (where I throw a 401 error). This is skipping my authentication provider (I have log statements inside my authenticate method and know it is not getting called). From other posts I have learned that the supports method could be the culprit, but I have set it to always return true so this should not be my issue.

Code for my security-context:



Code for web.xml:




    The definition of the Root Spring Container shared by all Servlets and Filters -->
    
        contextConfigLocation
        
            /WEB-INF/spring/security-context.xml
        
    

    
    
        org.springframework.web.context.ContextLoaderListener
    

    
        springSecurityFilterChain
        org.springframework.web.filter.DelegatingFilterProxy
    

    
        springSecurityFilterChain
        /*
    




UnauthorizedEntryPoint:

public class UnauthorizedEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authenticationException) throws IOException, ServletException {
        System.out.println("in unauth");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failure: UnauthorizedEntryPoint Token invalid");
    }

}


AuthenticationProvider: (Currently not doing any authenticating here)

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication auth)
            throws AuthenticationException {
        System.out.println("in authenticate");
        String username = auth.getName();
        String password = auth.getCredentials().toString();
        List AUTHORITIES = new ArrayList();
        System.out.println("username: "+username+". password: "+ password);
        if (true) { //checkPassword(password, user.getPasswords())) {
            AUTHORITIES.add(new SimpleGrantedAuthority("ROLE_USER"));
            return new UsernamePasswordAuthenticationToken(auth.getName(), auth.getCredentials(), AUTHORITIES);
        }
        return null;
    }

    @Override
    public boolean supports(Class authentication) {
        return true;
    }


Update:
I am testing this using the Advanced Rest Client using parameters j_username and j_password. Is that correct or is that the problem?

Do you have any insight into what might be the problem? 

Thanks!

Shaun the Sheep · Accepted Answer

You have no web authentication mechanism configured, hence there is nothing to invoke the authentication manager. As a result, the request always hits your authentication entry point (which is invoked for unauthenticated users) and you get the error you observe. Typically the authentication entry point will do something like redirect to a login form, or send a WWW-Authenticate header.

You need to configure something like form or basic authentication (see either the manual or the samples that come with the project). Note that you have also configured the application to be stateless, so each request needs to be authenticated.

Custom Authentication Provider is not getting called Spring Security

Answers (2)

Related Questions