spring - How springSecurityFilterChain skips authentication for already logged-in requests
I have been working on Spring Security, and it is working well. I went debugging how it works. Filters are configured in springSecurityFilterChain via the http namespace. One of them is the authentication filter, which provides authentication. I found that when a new login request comes in (no previous session) the authentication filter is invoked, but when a request comes from a logged-in user, i.e. a session already exists, the authentication filter is not invoked. I couldn't find how Spring Security skips authentication for logged-in requests. Please help me understand this.
Thanks
I think SessionManagementFilter takes care of this:

```java
if (!securityContextRepository.containsContext(request)) {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

    if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
        // The user has been authenticated during the current request, so call the session strategy
        try {
            sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
        } catch (SessionAuthenticationException e) {
            // The session strategy can reject the authentication
            logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
            SecurityContextHolder.clearContext();
            failureHandler.onAuthenticationFailure(request, response, e);
            return;
        }
        // Eagerly save the security context to make it available for any possible re-entrant
        // requests which may occur before the current request completes. SEC-1396.
        securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
    } else {
        // No security context or authentication present. Check for a session timeout
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Requested session ID " + request.getRequestedSessionId() + " is invalid.");
            }
            if (invalidSessionStrategy != null) {
                invalidSessionStrategy.onInvalidSessionDetected(request, response);
                return;
            }
        }
    }
}
```
Of course there's more here than meets the eye. The authentication is stored in a ThreadLocal:

In Spring Security, the responsibility for storing the SecurityContext between requests falls to the SecurityContextPersistenceFilter, which by default stores the context as an HttpSession attribute between HTTP requests. It restores the context to the SecurityContextHolder for each request and, crucially, clears the SecurityContextHolder when the request completes. You shouldn't interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead.

So it's the responsibility of SecurityContextPersistenceFilter to load the context data (and erase it later), and other modules down the filter chain make decisions based on that data (for example, skip or perform authentication via the UserManager service).

I'm not a Spring Security developer, so take this info as an educated guess :)
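The filter interplay the answer describes, as an added, constructed model (not Spring code, not part of the original answer): a persistence filter restores the context from the session into a ThreadLocal and clears it afterwards, the authentication filter only acts on the login-processing URL, and the interceptor decides on whatever the holder contains. Class and function names are hypothetical; the session key and login URL mirror Spring Security 3 defaults.

```python
import threading

# Constructed model of the filter interplay described above; not Spring code.
# Names are hypothetical except the session attribute key and the default login URL.
SESSION_KEY = "SPRING_SECURITY_CONTEXT"   # attribute used by HttpSessionSecurityContextRepository
LOGIN_URL = "/j_spring_security_check"    # default login-processing URL in Spring Security 3
USERS = {"alice": "s3cret"}               # constructed sample credentials
AUTH_ATTEMPTS = []                        # records the requests the auth filter actually handled
_holder = threading.local()               # stands in for SecurityContextHolder (a ThreadLocal)

def current_auth():
    """What the holder contains right now (None outside a request, as in Spring)."""
    return getattr(_holder, "auth", None)

class Request:
    def __init__(self, path, session, username=None, password=None):
        self.path, self.session = path, session            # session: the HttpSession attribute map
        self.username, self.password = username, password

def persistence_filter(request, chain):
    """SecurityContextPersistenceFilter: restore the context from the session before the
    rest of the chain, save it back afterwards, and always clear the ThreadLocal."""
    _holder.auth = request.session.get(SESSION_KEY)
    try:
        return chain(request)
    finally:
        if _holder.auth is not None:
            request.session[SESSION_KEY] = _holder.auth
        _holder.auth = None

def authentication_filter(request, chain):
    """UsernamePasswordAuthenticationFilter: only the login-processing URL triggers
    authentication; any other request, logged in or not, passes straight through."""
    if request.path != LOGIN_URL:
        return chain(request)
    AUTH_ATTEMPTS.append(request.path)
    if USERS.get(request.username) == request.password:
        _holder.auth = {"name": request.username, "authenticated": True}
        return "302 -> /"             # success handler redirects; the chain is not continued
    _holder.auth = None
    return "302 -> /login?error"      # failure handler

def security_interceptor(request):
    """FilterSecurityInterceptor: authorise using whatever the holder now contains."""
    auth = _holder.auth
    if auth is None or not auth["authenticated"]:
        return "302 -> /login"        # authentication entry point
    return f"200 hello {auth['name']}"

def handle(request):
    return persistence_filter(request, lambda r: authentication_filter(r, security_interceptor))
```

Run three requests against one session object (anonymous hit, login, second hit) and AUTH_ATTEMPTS shows the authentication filter only ever acted on the login URL; the second hit is authorised purely from the context restored out of the session.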