[SOLVED] springboot 3.1.3 problem with customfilter extending AbstractAuthenticationProcessingFilter

springboot 3.1.3 problem with customfilter extending AbstractAuthenticationProcessingFilter

So I have observed that when I am trying to use custom filter in security chain, i am not getting session cookie... Why i am doing that ? Because i want to send username and password in JSON not in query string...

I based on this:

https://ckinan.com/blog/spring-security-credentials-from-json-request/

I checked that:

Spring security- Send credentials as json instead of regular form in rest service

My custom filter:

public class CustomFilter extends AbstractAuthenticationProcessingFilter {
    protected CustomFilter() {
        super(new AntPathRequestMatcher("/login", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(
            HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        String username, password;

        try {
            Map<String, String> requestMap = new ObjectMapper().readValue(request.getInputStream(), Map.class);
            username = requestMap.get("username");
            password = requestMap.get("password");
        } catch (IOException e) {
            throw new AuthenticationServiceException(e.getMessage(), e);
        }

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
                username, password);

        return this.getAuthenticationManager().authenticate(authRequest);
    }
}

my securityConfig:

    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
        return authConfig.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        CustomFilter mupaf = new CustomFilter();
        mupaf.setAuthenticationManager(authenticationManager(authenticationManagerBuilder));

        http.csrf(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) ->
                        sessionManagement.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                                .sessionFixation().changeSessionId())
                .authorizeHttpRequests((authorizeHttpRequests) ->
                        authorizeHttpRequests.requestMatchers("/index").permitAll()
                                .requestMatchers("/login").permitAll()
                                .anyRequest().authenticated()
                ).addFilterAt(mupaf, UsernamePasswordAuthenticationFilter.class
                )
                .logout((logout) ->
                        logout.deleteCookies("remove")
                                .invalidateHttpSession(false)
                                .logoutSuccessUrl("/index")
                );
        return http.build();
    }

server answer:

❯ curl -X POST http://localhost:8080/login -H 'Content-Type: application/json' -d '{"username":"admin","password":"pass"}' -i
HTTP/1.1 302
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Sun, 08 Oct 2023 21:39:46 GMT

When I disable filter response is:

❯ curl -X POST http://localhost:8080/login\?username\=ADMIN\&password\=pass -i
HTTP/1.1 302
Set-Cookie: SESSION=40E7A645752D0AACFA52C79D5DEA10EF; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Sun, 08 Oct 2023 21:41:20 GMT

And security config looks like that:

    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) ->
                        sessionManagement.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                                .sessionFixation().changeSessionId())
                .authorizeHttpRequests((authorizeHttpRequests) ->
                        authorizeHttpRequests.requestMatchers("/index").permitAll()
                                .requestMatchers("/login").permitAll()
                                .anyRequest().authenticated()
                ).formLogin((formLogin) ->
                        formLogin.defaultSuccessUrl("/success", true)
                                .failureHandler(customLoginFailureHandler)
                                .successHandler(customLoginSuccessHandler)
                )
                .logout((logout) ->
                        logout.deleteCookies("remove")
                                .invalidateHttpSession(false)
                                .logoutSuccessUrl("/index")
                );
        return http.build();
    }

Solution

    CustomFilter mupaf = new CustomFilter();
    mupaf.setAuthenticationManager(authConfig.getAuthenticationManager());
    SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
    if (securityContextRepository == null) {
        mupaf.setSecurityContextRepository(new DelegatingSecurityContextRepository(new RequestAttributeSecurityContextRepository(), new HttpSessionSecurityContextRepository()));
    }