mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

How to change AuthenticationFilter from UsernamePasswordAuthenticationFilter to custom AuthenticationFilter #1423

Open bejondshao opened 6 years ago

bejondshao commented 6 years ago

Hi there, I know this issue kind of shouldn't be here, but I've searched for days for how to change the default authentication filter. The sample from Google shows Spring Boot config, like @EnableWebSecurity BrowserSecurityConfig extends WebSecurityConfigurerAdapter; I set a breakpoint in configure() and nothing happened. I tried changing user-context.xml to


    <security:authentication-manager id="authenticationManager">
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <mvc:view-controller path="/login" view-name="login_mobile" />

    <bean id="mobileAuthenticationProvider" class="org.mitre.openid.connect.mobile.MobileAuthenticationProvider">
    </bean>

    <bean id="mobileAuthenticationFilter" class="org.mitre.openid.connect.filter.MobileAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />

    </bean>
    <security:http authentication-manager-ref="authenticationManager"> 

        <security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
        <security:intercept-url pattern="/**" access="permitAll" />

        <security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
        <security:custom-filter ref="mobileAuthenticationFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:logout logout-url="/logout" />
        <security:anonymous />
        <security:expression-handler ref="oauthWebExpressionHandler" />
        <security:headers>
            <security:frame-options policy="DENY" />
        </security:headers>
        <security:csrf />
    </security:http>    

I can use a custom login page, but when I click "Login", the request is filtered by MobileAuthenticationFilter, yet it doesn't call attemptAuthentication(). It is always caught by UsernamePasswordAuthenticationFilter, which calls attemptAuthentication(). I believe I should change user-context.xml, but can you point out where I'm wrong? Thanks.

bejondshao commented 6 years ago

Update: I found out the reason. The regex I set in MobileAuthenticationFilter was not "/login". After changing it to "/login", it works. But changing <security:form-login login-page="/login" to <security:form-login login-page="/newlogin" doesn't work...

And a new issue comes up: "No AuthenticationProvider found for org.mitre.openid.connect.mobile.MobileAuthenticationToken" is thrown. I'm sure MobileAuthenticationProvider implements supports() with

    // ProviderManager calls supports() to decide whether this provider is asked to authenticate a token
    @Override
    public boolean supports(Class<?> authentication) {
        return MobileAuthenticationToken.class.isAssignableFrom(authentication);
    }

Maybe I didn't register MobileAuthenticationProvider with the AuthenticationManager? How do I register it through XML?

============= Update:

Finally, I registered it via XML.

    <security:authentication-manager id="authenticationManager">
        <security:authentication-provider ref="mobileAuthenticationProvider" />
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"/>
        </security:authentication-provider>
    </security:authentication-manager>
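
The two problems in the posts above (a custom processing filter whose request matcher never matches the login POST, so attemptAuthentication() is never reached, and a ProviderManager that has no provider whose supports() accepts the custom token, which is exactly what raises "No AuthenticationProvider found for ...") can be reproduced and fixed in plain Java. The following is an added example, not code from the MITREid Connect project or from the issue author; the class names MobileAuthenticationToken, MobileAuthenticationFilter and MobileAuthenticationProvider are borrowed from the posts, the "phone"/"code" request parameters and the issued-code map are constructed for illustration, and the Spring Security 3.x/4.x APIs used (AbstractAuthenticationProcessingFilter, ProviderManager, AntPathRequestMatcher) are the ones the XML configuration above wires behind the scenes.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/** Hypothetical token: phone number as principal, one-time code as credentials. */
class MobileAuthenticationToken extends AbstractAuthenticationToken {
    private final String phone;
    private final String code;

    /** Unauthenticated request token built by the filter. */
    MobileAuthenticationToken(String phone, String code) {
        super(null);
        this.phone = phone;
        this.code = code;
        setAuthenticated(false);
    }

    /** Authenticated token returned by the provider; credentials are dropped. */
    MobileAuthenticationToken(String phone, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.phone = phone;
        this.code = null;
        setAuthenticated(true);
    }

    @Override public Object getCredentials() { return code; }
    @Override public Object getPrincipal()   { return phone; }
}

/** The filter only runs attemptAuthentication() for requests its RequestMatcher accepts. */
class MobileAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    MobileAuthenticationFilter() {
        // Must match the login form's POST target. With a pattern that does not match "/login",
        // this filter passes the request along and UsernamePasswordAuthenticationFilter handles it.
        super(new AntPathRequestMatcher("/login", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String phone = request.getParameter("phone"); // constructed parameter names
        String code = request.getParameter("code");
        if (phone == null || code == null || phone.trim().isEmpty()) {
            throw new BadCredentialsException("phone and code are required");
        }
        // Delegates to the AuthenticationManager injected via <property name="authenticationManager">.
        return getAuthenticationManager().authenticate(new MobileAuthenticationToken(phone.trim(), code));
    }
}

/** Provider that only accepts MobileAuthenticationToken; a real one would verify the code in a store. */
class MobileAuthenticationProvider implements AuthenticationProvider {
    private final Map<String, String> issuedCodes; // phone -> currently valid code (constructed)

    MobileAuthenticationProvider(Map<String, String> issuedCodes) {
        this.issuedCodes = issuedCodes;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        MobileAuthenticationToken token = (MobileAuthenticationToken) authentication;
        String phone = (String) token.getPrincipal();
        String expected = issuedCodes.get(phone);
        if (expected == null || !expected.equals(token.getCredentials())) {
            throw new BadCredentialsException("invalid phone or code"); // same message for both cases
        }
        return new MobileAuthenticationToken(phone,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return MobileAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

/** Java equivalent of <security:authentication-provider ref="mobileAuthenticationProvider"/>. */
class MobileAuthenticationWiring {
    static AuthenticationManager managerWithMobileProvider(Map<String, String> issuedCodes) {
        // ProviderManager asks each provider's supports(); if none accepts the token class it throws
        // ProviderNotFoundException("No AuthenticationProvider found for ..."), the error seen above.
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(
                new MobileAuthenticationProvider(issuedCodes)));
    }
}
```

The filter's RequestMatcher and the ProviderManager's provider list are the two places the XML configuration above is really controlling: `<security:custom-filter ref="mobileAuthenticationFilter" .../>` places the filter in the chain, and `<security:authentication-provider ref="..."/>` adds the provider to the ProviderManager. Having the filter in the chain without a matching provider yields exactly the "No AuthenticationProvider found" exception.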

bejondshao commented 6 years ago

I've run into a new issue now. It shows that I logged in successfully, and I get a token. It also can get the user by username in UserInfoInterceptor. But the home page still shows "Login", and when I click it, it redirects me to the login page.