Description
Expected Behavior
Presently in version 6.2.0-M3, there is no possibility to customize the authenticationConverter that is provided by BasicAuthenticationFilter, which means post-processing of the filter does not allow one to control the authentication conversion. Customizing the authentication converter allows one to decide where, when and how the filter should actually process a given request, i.e.:
    // Excerpt from BasicAuthenticationFilter: a custom implementation of
    // authenticationConverter can return null here to skip the request
    var authRequest = authenticationConverter.convert(request);
    if (authRequest == null) {
        this.logger.trace("Did not process authentication request");
        chain.doFilter(request, response);
        return;
    }
The proposal in summary is:
- Provide a setter for authenticationConverter in BasicAuthenticationFilter
- Similar to OidcLogoutAuthenticationConverter, allow one to customize the request matching functionality.
Current Behavior
It is not possible to customize the authentication conversion process for this filter without reflection or a brand new filter. The main driver for this is to allow the filter to match only certain requests, letting Spring Security handle those, while ignoring other (authenticated) requests and letting the app handle those.
Context
If HttpSecurity is configured for basic authentication, it is not possible (or at least seems this way) to decide when and for which requests the basic auth filter should execute. Compared with OidcLogoutAuthenticationConverter, where one is given a customizable request matcher, the BasicAuthenticationFilter matches on everything and anything that is able to produce the right kind of credentials. It seems impossible for the filter to back away when a request contains credentials, allowing the app to handle that request. Perhaps that can be done using multiple filter chains, web customizers, etc., all of which seem unnecessarily complex compared to the option proposed here.
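The converter described above, as an added example that is not part of this issue or of Spring Security itself: it wraps the stock BasicAuthenticationConverter behind a RequestMatcher and returns null for non-matching requests, which is exactly the path in the filter excerpt that logs "Did not process authentication request" and continues the chain. The class name, the "/api/**" pattern and the commented wiring through a setAuthenticationConverter setter are assumptions (that setter is what this issue proposes, not an existing API in 6.2.0-M3).

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.www.BasicAuthenticationConverter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Hypothetical converter: only hands Basic credentials to the filter when the
 * request matches, so every other request (even one carrying credentials)
 * falls through to the application untouched.
 */
public final class MatchingBasicAuthenticationConverter implements AuthenticationConverter {

    private final RequestMatcher requestMatcher;
    // Stock converter: parses "Authorization: Basic ..." into a
    // UsernamePasswordAuthenticationToken, or returns null when the header is absent
    private final AuthenticationConverter delegate = new BasicAuthenticationConverter();

    public MatchingBasicAuthenticationConverter(RequestMatcher requestMatcher) {
        this.requestMatcher = requestMatcher;
    }

    @Override
    public Authentication convert(HttpServletRequest request) {
        if (!this.requestMatcher.matches(request)) {
            // Back away: the filter will trace "Did not process authentication request"
            // and call chain.doFilter, leaving the request to the app.
            return null;
        }
        // Matching request: normal Basic processing (a malformed header still
        // raises BadCredentialsException from the delegate, as today).
        return this.delegate.convert(request);
    }

    // Wiring as it would look with the setter this issue proposes (assumed, not
    // present in 6.2.0-M3); restricts Basic auth to the /api/** subtree:
    //
    //   BasicAuthenticationFilter filter = ...;
    //   filter.setAuthenticationConverter(
    //       new MatchingBasicAuthenticationConverter(new AntPathRequestMatcher("/api/**")));
}
```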
As ever, thank you!