SecurityFilterChain picks up wrong Authentication Provider #11601


Closed
pavankjadda opened this issue Jul 20, 2022 · 4 comments
Assignees
Labels
for: stackoverflow A question that's better suited to stackoverflow.com in: web An issue in web modules (web, webmvc)

Comments

@pavankjadda

Describe the bug
In my project we have 2 SecurityFilterChains:

  1. externalFilterChain for external API requests
  2. defaultFilterChain for Angular/React client applications

We use LDAP and JDBC authentication. Both activeDirectoryLdapAuthenticationProvider and daoAuthenticationProvider are injected as beans. But externalFilterChain picks up daoAuthenticationProvider even though I specifically told it to use activeDirectoryLdapAuthenticationProvider.

To Reproduce

External API FilterChain:

@Bean
public SecurityFilterChain externalFilterChain(HttpSecurity http) throws Exception {
	return http.antMatcher("/api/v1/external/search/**")
		.httpBasic(basic -> {})
		.authorizeRequests(authorize -> authorize.anyRequest().authenticated())
		.authenticationProvider(activeDirectoryLdapAuthenticationProvider)
		.build();
}

Default FilterChain:

@Bean
public SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exception {
	return http
		.httpBasic(basic -> {})
		.authorizeRequests(authorize -> authorize.anyRequest().authenticated())
		.authenticationProvider(activeDirectoryLdapAuthenticationProvider())
		.authenticationProvider(daoAuthenticationProvider())
		.build();
}

AuthenticationProvider Beans:

    // Bean method renamed to daoAuthenticationProvider() so that it matches the
    // daoAuthenticationProvider() call in defaultFilterChain above.
    @Bean
    public CustomDaoAuthenticationProvider daoAuthenticationProvider() {
        CustomDaoAuthenticationProvider daoAuthenticationProvider = new CustomDaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(presDbUserDetailsService);
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        return daoAuthenticationProvider;
    }

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider =
                new ActiveDirectoryLdapAuthenticationProvider(ldapProperties.getDomain(), ldapProperties.getUrl());
        activeDirectoryLdapAuthenticationProvider.setConvertSubErrorCodesToExceptions(true);
        activeDirectoryLdapAuthenticationProvider.setUserDetailsContextMapper(new UserDetailsContextMapper() {
            ..........
        });

        return activeDirectoryLdapAuthenticationProvider;
    }

Expected behavior
The user should be authenticated with the provided Authentication Provider.


@pavankjadda pavankjadda added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 20, 2022
@pavankjadda
Author

Could be related to #10005.

@jzheaux
Contributor

jzheaux commented Jul 20, 2022

@pavankjadda, when I copy the beans into my IDE, they don't compile due to referring to several other components in your application.

Will you please post a minimal sample? The best way is to share a GitHub repo that has only the necessary components to reproduce the issue.

@jzheaux jzheaux self-assigned this Jul 20, 2022
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 20, 2022
@pavankjadda
Author

pavankjadda commented Jul 22, 2022

I created a new repository that reproduces the issue. Make sure to replace the AD config based on your environment.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jul 22, 2022
@jzheaux
Contributor

jzheaux commented Jan 7, 2023

Sorry for the delay on this ticket, @pavankjadda.

I believe this is because HttpSecurity will pick up all authentication providers from beans as well as the DSL and consolidate them.

What I'd recommend instead is to formulate two AuthenticationManagers and set them on your DSLs like so:

@Bean
public SecurityFilterChain externalFilterChain(HttpSecurity http,
        ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider) throws Exception {

    // Only the LDAP provider is visible to this chain.
    ProviderManager manager = new ProviderManager(activeDirectoryLdapAuthenticationProvider);

    return http.antMatcher("/api/v1/external/search/**")
        .httpBasic(basic -> {})
        .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
        .authenticationManager(manager)
        .build();
}

@Bean
public SecurityFilterChain defaultFilterChain(HttpSecurity http,
        ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider,
        DaoAuthenticationProvider daoAuthenticationProvider) throws Exception {

    // Both providers, tried in this order.
    ProviderManager manager = new ProviderManager(
            activeDirectoryLdapAuthenticationProvider, daoAuthenticationProvider);

    return http
        .httpBasic(basic -> {})
        .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
        .authenticationManager(manager)
        .build();
}

Because there is only one component for the DSL to decide on in this case, the precedence rules are a bit easier to manage with this arrangement.

@jzheaux jzheaux closed this as completed Jan 7, 2023
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) for: stackoverflow A question that's better suited to stackoverflow.com and removed status: feedback-provided Feedback has been provided labels Jan 7, 2023
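As an added example (not code from the issue or from Spring Security itself), the following stand-alone class shows the isolation that the one-ProviderManager-per-chain arrangement above gives: two DaoAuthenticationProviders backed by in-memory users stand in for the LDAP and JDBC providers, and each manager can only authenticate against the providers it was constructed with. It assumes Spring Security 5.x on the classpath; the class name, user names and passwords are constructed.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ChainIsolationDemo {

    // Stand-in for the AD/LDAP provider: only "ad-user" exists here (constructed sample data).
    static AuthenticationProvider ldapStandIn() { return daoProvider("ad-user", "{noop}ad-pass"); }

    // Stand-in for the JDBC-backed provider: only "db-user" exists here (constructed sample data).
    static AuthenticationProvider dbStandIn() { return daoProvider("db-user", "{noop}db-pass"); }

    private static DaoAuthenticationProvider daoProvider(String username, String encodedPassword) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(
                User.withUsername(username).password(encodedPassword).roles("USER").build()));
        provider.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
        return provider;
    }

    // One ProviderManager per filter chain, as recommended in the comment above:
    // the external chain sees only the LDAP provider, the default chain sees both.
    static AuthenticationManager externalManager() { return new ProviderManager(ldapStandIn()); }
    static AuthenticationManager defaultManager() { return new ProviderManager(ldapStandIn(), dbStandIn()); }

    // ProviderManager tries each provider in order and moves on when one throws
    // an AuthenticationException; the request fails only if every provider rejects it.
    static boolean canAuthenticate(AuthenticationManager manager, String user, String password) {
        try {
            return manager.authenticate(new UsernamePasswordAuthenticationToken(user, password)).isAuthenticated();
        } catch (AuthenticationException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        // A database-only account is accepted by the default chain's manager (second provider matches) ...
        System.out.println("db-user via default chain:  " + canAuthenticate(defaultManager(), "db-user", "db-pass"));
        // ... but rejected by the external chain's manager, which never consults the DB provider.
        System.out.println("db-user via external chain: " + canAuthenticate(externalManager(), "db-user", "db-pass"));
        // The directory account is still accepted by the external chain's manager.
        System.out.println("ad-user via external chain: " + canAuthenticate(externalManager(), "ad-user", "ad-pass"));
    }
}
```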