Is it possible to bypass the form login filter if the pre-authentication filter successfully extracted user information from the request? The form login filter would be used as a fallback in case the incoming request was not pre-authenticated.
I am working on a Spring MVC application that has a standard login page with two custom filters and an authentication provider defined as follows:
<security:http>
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter"/>
    <security:custom-filter after="FORM_LOGIN_FILTER" ref="postAuthFilter"/>
</security:http>
<bean id="loginAuthProvider" class="com.auth.LoginAuthProvider" />
<security:authentication-manager alias="authManager">
    <security:authentication-provider ref="loginAuthProvider" />
</security:authentication-manager>
I added a third filter and another provider to handle pre-authenticated requests:
<bean id="preAuthFilter" class="com.auth.PreAuthFilter">
    <property name="authenticationManager" ref="authManager" />
</bean>
<security:http>
    <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter"/>
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter"/>
    <security:custom-filter after="FORM_LOGIN_FILTER" ref="postAuthFilter"/>
</security:http>
<bean id="preAuthProvider" class="com.auth.PreAuthProvider" />
<bean id="loginAuthProvider" class="com.auth.LoginAuthProvider" />
<security:authentication-manager alias="authManager">
    <security:authentication-provider ref="preAuthProvider" />
    <security:authentication-provider ref="loginAuthProvider" />
</security:authentication-manager>
However, the login form filter is invoked even though the pre-authentication provider explicitly set the authenticated flag to true: auth.setAuthenticated(true);
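
One way to make the form login filter stand down for a request that an earlier filter has already authenticated, as an added example that is not part of the original post. It assumes the `loginFilter` bean can extend Spring Security's `UsernamePasswordAuthenticationFilter`, that the pre-authentication filter stores its result in the `SecurityContext` (as `AbstractPreAuthenticatedProcessingFilter` does on success), and a `javax.servlet` based Spring Security version; the class name `FallbackLoginFilter` is hypothetical.

```java
// Added example; not code from the original post.
package com.auth; // package name taken from the post's bean definitions

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical class name. Assumes the loginFilter bean from the post can be
// based on UsernamePasswordAuthenticationFilter.
public class FallbackLoginFilter extends UsernamePasswordAuthenticationFilter {

    // Called by AbstractAuthenticationProcessingFilter.doFilter() before any
    // credentials are read. Returning false passes the request straight down
    // the chain without calling attemptAuthentication().
    @Override
    protected boolean requiresAuthentication(HttpServletRequest request,
                                             HttpServletResponse response) {
        if (alreadyAuthenticated()) {
            return false; // keep the pre-authenticated identity
        }
        // Fallback path: the normal login-URL match decides.
        return super.requiresAuthentication(request, response);
    }

    // True only for a real, authenticated principal. An anonymous token also
    // reports isAuthenticated() == true, so it is excluded explicitly;
    // otherwise the form login would never run for anonymous visitors.
    private static boolean alreadyAuthenticated() {
        Authentication current =
                SecurityContextHolder.getContext().getAuthentication();
        return current != null
                && current.isAuthenticated()
                && !(current instanceof AnonymousAuthenticationToken);
    }
}
```

The filter remains in the chain and its `doFilter()` still runs on every request; the guard only prevents it from attempting a second authentication over the one already in the `SecurityContext`.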