Spring Security: Set GrantedAuthorities

You can do it with the following code:

import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Build a new, mutable list: the new authority plus the ones already granted.
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
List<GrantedAuthority> updatedAuthorities = new ArrayList<>();
updatedAuthorities.add(new SimpleGrantedAuthority("ROLE_ANOTHER"));
updatedAuthorities.addAll(auth.getAuthorities());

// Replace the Authentication in the context with a token carrying the updated list.
SecurityContextHolder.getContext().setAuthentication(
        new UsernamePasswordAuthenticationToken(
                auth.getPrincipal(),
                auth.getCredentials(),
                updatedAuthorities)
);
Author by

mpmp

Updated on July 04, 2020

Comments

  • mpmp
    mpmp almost 4 years

    Is there any way to set the List<GrantedAuthority> in the Authentication/UserDetailsImpl object? In my application, I have two layers of security, one for logging in (which uses my custom login authenticator, in the class I set the Authentication object using the UsernamePasswordAuthenticationToken) and one for a "challenge question" where the user is prompted to answer a particular question.

    What I want to do is add a GrantedAuthority to the current List<GrantedAuthority>, which was created during the login process, after the user answers the challenge question.

    Is this possible?

  • Slavak
    Slavak almost 11 years
    Can't add to the collection -> UnmodifiableCollection
  • Spanky Quigman
    Spanky Quigman almost 11 years
    @Slavak That would really depend on what implementation you're using for UserDetails. We don't use the User class from org.springframework.security.core.userdetails in our implementation. Obviously if you need to set or modify the authorities, using an implementation where the collection is immutable and there's no setAuthorities() method (which is not promised on the UserDetails interface) would mean that the answer to the question is just no. No, that is not possible. Otherwise, you have to provide your own implementation of UserDetails, which is what most flexible apps need to do anyway.
  • John B
    John B almost 6 years
    The thing that sucks, is that it only works if you know the Authentication type that exists in the security context, in this case a UsernamePasswordAuthenticationToken.
  • gerard
    gerard over 4 years
    This only changes the authorities in the context, but not in the context's principal. If you try to get the authorities via SecurityContextHolder.getContext().getAuthentication().getPrincipal().getAuthorities(), there won't be your updatedAuthorities; you have to set those into a new principal as well and then use it in the constructor of the authentication you're setting.
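
As an added example (not code from the answer or its commenters), the helper below combines the answer's approach with the point about the principal: it copies the authorities, rebuilds a UserDetails principal with the same list, and installs a new token. The names StepUpAuthorities and grant are hypothetical; it assumes a UsernamePasswordAuthenticationToken is an acceptable replacement for whatever token is in the context, and that the principal carries no fields beyond those of the UserDetails interface (a custom implementation needs its own copy step).

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical helper for illustration; not a Spring Security class.
public final class StepUpAuthorities {

    private StepUpAuthorities() { }

    /** Call only after the challenge answer has been verified on the server. */
    public static Authentication grant(String role) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            throw new IllegalStateException("No authenticated user to grant " + role + " to");
        }

        // getAuthorities() may be unmodifiable, so copy it; the Set also avoids duplicate grants.
        Set<GrantedAuthority> updated = new LinkedHashSet<>(current.getAuthorities());
        updated.add(new SimpleGrantedAuthority(role));

        // Rebuild the principal too, otherwise getPrincipal().getAuthorities() keeps the old list.
        Object principal = current.getPrincipal();
        if (principal instanceof UserDetails) {
            UserDetails old = (UserDetails) principal;
            // The password may have been erased after login; User rejects null, so pass "".
            String password = old.getPassword() == null ? "" : old.getPassword();
            principal = new User(old.getUsername(), password, old.isEnabled(),
                    old.isAccountNonExpired(), old.isCredentialsNonExpired(),
                    old.isAccountNonLocked(), updated);
        }

        // The three-argument constructor produces an already-authenticated token.
        UsernamePasswordAuthenticationToken replacement =
                new UsernamePasswordAuthenticationToken(principal, current.getCredentials(), updated);
        replacement.setDetails(current.getDetails()); // carry over the original request details
        SecurityContextHolder.getContext().setAuthentication(replacement);
        return replacement;
    }
}
```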