samedi 25 avril 2015

Why SpringSecurity, after a logout, keeps giving the same authenticated Principal


So I am using Spring Security with Spring Boot. I wanted to make my own AuthenticationProvider, that was using the db in my very own way, so I did it with this authenticate method:

@Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String email = authentication.getName();
        String password = authentication.getCredentials().toString();


        UserWithEmail userWithEmail = authService.getUserByEmail(email);
        if (userWithEmail == null)
            return null;
        if (userWithEmail.getPassword().equals(password)) {



            UsernamePasswordAuthenticationToken authenticated_user = new UsernamePasswordAuthenticationToken(userWithEmail, password, Arrays.asList(REGISTERED_USER_SIMPLE_GRANTED_AUTHORITY));
            return authenticated_user;
        } else {
            return null;
        }
    }

This, if I use the default /login page with the form, works well and after that if I add the following ModelAttribute to a Controller, it gets correctly filled with the UserWithEmail object:

@ModelAttribute("userwithemail")
    public UserWithEmail userWithEmail(){
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        Object principal = authentication.getPrincipal();
        if (principal instanceof UserWithEmail)
            return (UserWithEmail) principal;
        else
            return null;

    }

The problem is that if I hit /login?logout, it correctly displays that I am logged out, but if I go through the controller again I still get the same UserWithEmail object as principal and it has the property authenticated=true

This is my Java config for spring security:

http
                .formLogin()
                .defaultSuccessUrl( "/" )
                .usernameParameter( "username" )
                .passwordParameter( "password" )
                .and()

                .logout().invalidateHttpSession(true).deleteCookies("JSESSIONID").permitAll().and()

                .authorizeRequests()
                .antMatchers("*/**").permitAll()
                .antMatchers("/static/**").permitAll()
                .antMatchers("/profile").hasRole(MyAuthenticationProvider.REGISTERED_USER_AUTH)

                .and().authenticationProvider(getAuthProvider());

I'm new to Spring Security so maybe I'm missing something... can anyone help?


Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)