In my Spring Boot app, I have AuthenticationFilter
class with attemptAuthentication
and successfulAuthentication
methods that handle authentication:
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
Authentication authentication = null;
UserLoginRequestModel userLoginRequestModel = extractCredentials(request);
UsernamePasswordAuthenticationToken userToken = new UsernamePasswordAuthenticationToken(
userLoginRequestModel.getUsername(), userLoginRequestModel.getPassword(), new ArrayList<>());
authentication = authenticationManager.authenticate(userToken);
// At this point, and once user is authenticated, I get a list of granted authorities.
// I want to cancel the authentication (make user no longer authenticated) if the list of authorities
// does not contain authorities I need.
// for example, I want this user to be authenticated only if authorities contain
// AUTHORITY-1, AUTHORITY-2, but otherwise make the authentication as NOT AUTHENTICATED.
return authentication;
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException {
String userId = ((UserDetails)authentication.getPrincipal()).getUsername();
Collection<GrantedAuthority> grantedAuthories = authentication.getAuthorities();
// ... do some stuff with reponse
}
My authentication is working as expected and I am able to authenticate successfully.
However, being still new with Spring Security, I am trying to figure out how to invalidate a successful authentication based on below.
Once user is authenticated in the attemptAuthentication
method, I want to be able to cancel that authentication based on list of user authorities returned to me.
I want to do something like in this pseudocode:
if (authentication.getAuthorities() does not contain AUTHORITY-1) {
set user back to not authenticated // HOW DO I DO THIS PART?
}
I have looked at some properties of Authentication
object and I see it has setAuthenticated(false)
but doint that changes nothing, the successfulAuthentication
method is still invoked as when a user is successfully authenticated.
How do I invalidate the authentication object returned in attemptAuthentication
method?
According to the docs, the implementation of the attemptAuthentication
method should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an
AuthenticationException
if the authentication process fails
To invalidate the authentication, AuthenticationException
should be thrown. Since it's an abstract class, it cannot be thrown directly, you can create your own concrete subclass, or use one of the existing ones listed here.