HttpServlet3RequestFactory should set 'details' when creating the authentication token. #9579

Closed
karltinawi opened this issue Apr 9, 2021 · 3 comments
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

@karltinawi
Contributor

Expected Behavior

When triggering authentication by calling the login method on an HttpServlet3RequestFactory (i.e. after account activation), I'd expect the details to be set on the generated UsernamePasswordAuthenticationToken.

Not sure how best to customise the authentication details source at this level, but one option could be to use the WebAuthenticationDetailsSource by default as is the case when authenticating via an authentication filter (e.g. UsernamePasswordAuthenticationFilter).

Current Behavior

Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.

For my use-case for example, I listen for an AuthenticationSuccessEvent, which is fired upon successful login. I create a respective entry in the database to track the login request using the Authentication token along with the remote address that I obtain from the associated WebAuthenticationDetails. However, the above approach does not expose such details to the token.

Context

My workaround currently is to explicitly reference the Spring Security Authentication Manager in the service layer (for example) and manually create the authentication token with the required details (i.e. to replicate somewhat what is happening in the HttpServlet3RequestFactory class).

However, I like the approach of abstracting away from Spring Security where possible and letting the incoming request handle/trigger the authentication, as I guess is the intention.
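
The workaround and the audit use case described in the post above, as an added example that is not part of the original post or of the Spring Security code base. It assumes Spring Security 5.x on `javax.servlet`; `ManualLoginService`, `LoginAuditListener`, `remoteAddressOf` and `record` are hypothetical names.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

// Hypothetical service implementing the manual workaround from the issue.
class ManualLoginService {
    private final AuthenticationManager authenticationManager;
    private final WebAuthenticationDetailsSource detailsSource = new WebAuthenticationDetailsSource();

    ManualLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    Authentication login(HttpServletRequest request, String username, String password) {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, password);
        // The step the issue reports as missing from HttpServlet3RequestFactory#login.
        token.setDetails(detailsSource.buildDetails(request));
        Authentication result = authenticationManager.authenticate(token);
        SecurityContextHolder.getContext().setAuthentication(result);
        return result;
    }
}

// Hypothetical audit listener that tolerates tokens carrying no web details.
class LoginAuditListener implements ApplicationListener<AuthenticationSuccessEvent> {
    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        record(auth.getName(), remoteAddressOf(auth));
    }

    static String remoteAddressOf(Authentication auth) {
        Object details = auth.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        return "unknown"; // details were never set, e.g. request.login(...) as reported here
    }

    void record(String username, String remoteAddress) {
        // Placeholder sink; a real application would persist the audit entry.
        System.out.printf("login user=%s remote=%s%n", username, remoteAddress);
    }
}
```

The `instanceof` check keeps the audit trail intact for logins whose token has no details, instead of failing with a `NullPointerException` or `ClassCastException` inside the event listener.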

@karltinawi karltinawi added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 9, 2021
@jzheaux
Contributor

jzheaux commented Apr 10, 2021

Thanks for the suggestion, @karltinawi. Would you be able to submit a PR to add this?

For now, I believe it would be best to use a hard-coded AuthenticationDetailsSource inside HttpServlet3RequestFactory as I wonder whether this will change to using an AuthenticationConverter down the road.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 10, 2021
@karltinawi
Contributor Author

Hey @jzheaux - yup for sure. I'll submit a PR in the next couple of days.

@karltinawi
Contributor Author

Hey @jzheaux - PR created for review. I've gone for the approach of hardcoding the AuthenticationDetailsSource as you suggested. The default instance though can be overridden by the ServletApiConfigurer if a shared object of type AuthenticationDetailsSource has been registered.

Hopefully this will provide enough flexibility for the time being.

Thanks again for reviewing this issue.

@jzheaux jzheaux self-assigned this Apr 16, 2021
@jzheaux jzheaux removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Apr 16, 2021
@sjohnr sjohnr closed this as completed in c57fc30 Dec 2, 2021
@sjohnr sjohnr added this to the 5.7.0-M1 milestone Dec 2, 2021
sjohnr pushed a commit that referenced this issue Dec 3, 2021
…tory

Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.

This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.

Closes gh-9579