Summary

5934 added support for AnonymousAuthenticationTokens in Reactive applications. It seems one thing was missed out - ExceptionTranslationWebFilter is missing the same logic as ExceptionTranslationFilter

Actual Behavior

All access denied decisions are final and propagated to the caller.

Expected Behavior

Logic similar to the below is required in the reactive ExceptionTranslationWebFilter to translate AccessDeniedException into a redirection for authentication.

```java
// Excerpt from the servlet ExceptionTranslationFilter; the fragment starts mid-method,
// so the enclosing if/else chain and the access-denied branch are not shown here.
else if (exception instanceof AccessDeniedException) {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authenticationTrustResolver.isAnonymous(authentication) || authenticationTrustResolver.isRememberMe(authentication)) {
        logger.debug(
                "Access is denied (user is " + (authenticationTrustResolver.isAnonymous(authentication) ? "anonymous" : "not fully authenticated") + "); redirecting to authentication entry point",
                exception);

        sendStartAuthentication(
                request,
                response,
                chain,
                new InsufficientAuthenticationException(
                    messages.getMessage(
                        "ExceptionTranslationFilter.insufficientAuthentication",
                        "Full authentication is required to access this resource")));
    }
}
```

Configuration

N/A

Version

5.2

Sample

Comment From: khong07

Hi @eleftherias, I saw that you were on this bug. When is it planned to be fixed?

I have the same problem here.

Comment From: eleftherias

Hi @khong07, this may be fixed via #9508. Could you give the latest 5.6.0-SNAPSHOT a try and see if you still have the issue?