CODEWITHSUNDEEP
javaauthenticationspring-bootcustom-authentication
jw-at
jw-at

Reputation: 51

customAuthenticationProvider authenticate called twice

I've already researched this and I thought as the comment (below the answer actually in this thread: ProviderManager.authenticate called twice for BadCredentialsException) would be my solution ... but I'm still getting double submission/calls to authenticate. The second one has an empty password every time. The first call has credentials.

Below is the Java Config class and the CustomAuthProvider class ..

@Configuration
@EnableWebSecurity
public class UserWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { 
@Override
protected void configure(HttpSecurity http) throws Exception {
    //@formatter:off
    http.antMatcher("/**")
            .authorizeRequests()
            .antMatchers("/", "/home**", "/login**","/create_user")
            .permitAll().anyRequest().authenticated()
        .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/login")
            .failureUrl("/login?error")
        .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll()
        .and()
            .exceptionHandling().accessDeniedPage("/login?denied") //in this simple case usually due to a InvalidCsrfTokenException after session timeout
        .and()
            .csrf()
                .ignoringAntMatchers("/rest/**")
        .and()
            .sessionManagement().enableSessionUrlRewriting(false)
        .and()
            .headers().frameOptions().deny();
}

... then the customAuthProvider ...

@Component
public class CustomAuthProvider implements AuthenticationProvider {

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    if (authentication.getName() == null) {
        logger.warn("empty userName");
        return null;
    }

    if (authentication.getCredentials() == null) {
        logger.warn("empty password");
        return null;
    }

// code to check credentials etc ...

 if (!(user != null && userHash.equals(storedHash))) {
        System.out.println("fail");
        return  null;
    }

    return new UsernamePasswordAuthenticationToken(user,password);

}

Upvotes: 1

Views: 1861

Answers (1)

jw-at
jw-at

Reputation: 51

Modified the auth provider code to end with an empty grant list and return the authenticationToken ... now it works.

// ...        
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user,password, new ArrayList<>());
return authenticationToken;

Upvotes: 2

Related Questions