Home/ Questions/Q 8524437
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T07:41:11+00:00

I have a simple authentication provider that I’m trying to use with Spring Security.

  • 0

I have a simple authentication provider that I’m trying to use with Spring Security.

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
<security:authentication-manager>
    <security:authentication-provider
        ref="ipAddressAuthenticationProvider" />
</security:authentication-manager>

Currently, with the above configuration, the user is redirected to a logon page when the first visit. I do not want this redirect. I’m trying to hit this authentication provider on every page visit. Any way to make this work without writing additional custom code?

I’m guessing I need to cleanly get rid of form filter and basic filter somehow.

Result

I got it working with the config below. I had to extend AbstractPreAuthenticatedProcessingFilter and simply return ""; for both of its abstract methods.

<security:http use-expressions="true" entry-point-ref="http403ForbiddenEntryPoint">
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
</security:http>
<bean id="preAuthFilter" class="com.hercules.ratinggame.business.security.IpAddressPreAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="http403ForbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
        ref="ipAddressAuthenticationProvider" />
</security:authentication-manager>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Currently you use auto-config="true" which means you get few filters configured iunder the hood, including <form-login> element with UsernamePasswordAuthenticationFilter filter.

    Also, to hit this authentication provider on every page visit you’ll need a filter which can obtain data from request (IP address as far as I can see). The filter will probably be RequestHeaderAuthenticationFilter or more likely your own AbstractPreAuthenticatedProcessingFilter implementation which will have access to your autentication-manager.

    To sum up, configuration will look like:

    <security:http use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:logout /> <!-- optional -->
    <security:custom-filter position="PRE_AUTH_FILTER"
            ref="ipFromRequestPreAuthenticationFilter" />
</security:http>

<!-- this will probably extend AbstractPreAuthenticatedProcessingFilter -->
<bean id="ipFromRequestPreAuthenticationFilter"
        class="com.example.IpFromRequestPreAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ipAddressAuthenticationProvider" />
</security:authentication-manager>
    • 0