Examples of org.springframework.security.core.Authentication

• org.springframework.security.core.Authentication
  Represents the token for an authentication request or for an authenticated principal once the request has been processed by the {@link AuthenticationManager#authenticate(Authentication)} method.

  Once the request has been authenticated, the Authentication will usually be stored in a thread-local SecurityContext managed by the {@link SecurityContextHolder} by the authentication mechanism which isbeing used. An explicit authentication can be achieved, without using one of Spring Security's authentication mechanisms, by creating an Authentication instance and using the code:

   SecurityContextHolder.getContext().setAuthentication(anAuthentication); 

  Note that unless the Authentication has the authenticated property set to true, it will still be authenticated by any security interceptor (for method or web invocations) which encounters it.

  In most cases, the framework transparently takes care of managing the security context and authentication objects for you. @author Ben Alex

     * @return the result of the authorization decision
     * @throws IOException
     */
    public boolean authorizeUsingUrlCheck() throws IOException {
        String contextPath = ((HttpServletRequest) getRequest()).getContextPath();
        Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
        return getPrivilegeEvaluator().isAllowed(contextPath, getUrl(), getMethod(), currentUser);
    }

    }

    /*------------- Private helper methods  -----------------*/

    private Collection<? extends GrantedAuthority> getPrincipalAuthorities() {
        Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
        if (null == currentUser) {
            return Collections.emptyList();
        }
        return currentUser.getAuthorities();
    }

@Component
public class HelloMessageService implements MessageService {

  @PreAuthorize("authenticated")
  public String getMessage() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    return "Hello " + authentication;
  }

     * @throws IOException if thrown by HttpURLConnection methods
     */
    protected void prepareConnection(HttpURLConnection con, int contentLength) throws IOException {
        super.prepareConnection(con, contentLength);

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if ((auth != null) && (auth.getName() != null) && (auth.getCredentials() != null) && !trustResolver.isAnonymous(auth)) {
            String base64 = auth.getName() + ":" + auth.getCredentials().toString();
            con.setRequestProperty("Authorization", "Basic " + new String(Base64.encode(base64.getBytes())));

            if (logger.isDebugEnabled()) {
                logger.debug("HttpInvocation now presenting via BASIC authentication SecurityContextHolder-derived: "
                    + auth.toString());
            }
        } else {
            if (logger.isDebugEnabled()) {
                logger.debug("Unable to set BASIC authentication header as SecurityContext did not provide "
                        + "valid Authentication: " + auth);

     *
     * @param methodInvocation the method to invoke
     */
    public ContextPropagatingRemoteInvocation(MethodInvocation methodInvocation) {
        super(methodInvocation);
        Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();

        if (currentUser != null) {
            principal = currentUser.getName();
            Object userCredentials = currentUser.getCredentials();
            credentials = userCredentials == null ? null : userCredentials.toString();
        } else {
            principal = credentials = null;
        }

     */
    public Object invoke(Object targetObject)
            throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {

        if (principal != null) {
            Authentication request = createAuthenticationRequest(principal, credentials);
            request.setAuthenticated(false);
            SecurityContextHolder.getContext().setAuthentication(request);

            if (logger.isDebugEnabled()) {
                logger.debug("Set SecurityContextHolder to contain: " + request);
            }

            || (SecurityContextHolder.getContext().getAuthentication() == null)
            || !SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
            throw new AccessDeniedException("Authenticated principal required to operate with ACLs");
        }

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        // Check if authorized by virtue of ACL ownership
        Sid currentUser = new PrincipalSid(authentication);

        if (currentUser.equals(acl.getOwner())
                && ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
            return;
        }

        // Not authorized by ACL ownership; try via adminstrative permissions
        GrantedAuthority requiredAuthority;

        if (changeType == CHANGE_AUDITING) {
            requiredAuthority = this.gaModifyAuditing;
        } else if (changeType == CHANGE_GENERAL) {
            requiredAuthority = this.gaGeneralChanges;
        } else if (changeType == CHANGE_OWNERSHIP) {
            requiredAuthority = this.gaTakeOwnership;
        } else {
            throw new IllegalArgumentException("Unknown change type");
        }

        // Iterate this principal's authorities to determine right
        if (authentication.getAuthorities().contains(requiredAuthority)) {
            return;
        }

        // Try to get permission via ACEs within the ACL
        List<Sid> sids = sidRetrievalStrategy.getSids(authentication);

        if (retrieveObjectIdentityPrimaryKey(objectIdentity) != null) {
            throw new AlreadyExistsException("Object identity '" + objectIdentity + "' already exists");
        }

        // Need to retrieve the current principal, in order to know who "owns" this ACL (can be changed later on)
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        PrincipalSid sid = new PrincipalSid(auth);

        // Create the acl_object_identity row
        createObjectIdentity(objectIdentity, sid);

        }

        request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

        if (!securityContextRepository.containsContext(request)) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

            if (authentication != null && !trustResolver.isAnonymous(authentication)) {
             // The user has been authenticated during the current request, so call the session strategy
                try {
                    sessionAuthenticationStrategy.onAuthentication(authentication, request, response);

    public void testAuthenticateCancel() {
        OpenIDAuthenticationProvider provider = new OpenIDAuthenticationProvider();
        provider.setUserDetailsService(new MockUserDetailsService());
        provider.setAuthoritiesMapper(new NullAuthoritiesMapper());

        Authentication preAuth = new OpenIDAuthenticationToken(OpenIDAuthenticationStatus.CANCELLED, USERNAME, "" ,null);

        assertFalse(preAuth.isAuthenticated());

        try {
            provider.authenticate(preAuth);
            fail("Should throw an AuthenticationException");
        } catch (AuthenticationCancelledException expected) {