I am using AbstractPreAuthenticatedProcessingFilter to create and populate an instance of PreAuthenticatedAuthenticationToken based on a JWT in a request header.
My Spring configuration uses: PreAuthenticatedGrantedAuthoritiesUserDetailsService
The issue is in that Details Service:
```java
public final UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws AuthenticationException {
    Assert.notNull(token.getDetails(), "token.getDetails() cannot be null");
    Assert.isInstanceOf(GrantedAuthoritiesContainer.class, token.getDetails());
    Collection<? extends GrantedAuthority> authorities = ((GrantedAuthoritiesContainer) token.getDetails())
            .getGrantedAuthorities();
    return createUserDetails(token, authorities);
}
```
So I am passing to it a fully instantiated instance of PreAuthenticatedAuthenticationToken which includes having set a list of authorities.
The problem is that `Assert.isInstanceOf(GrantedAuthoritiesContainer.class, token.getDetails());` always fails, because Details is an instance of WebAuthenticationDetails, which does not implement GrantedAuthoritiesContainer.
Looking through the stack where the Details is created, I don't see a way that I could set the granted authorities, as all I have to go on is the request.
So I created my own implementation of the PreAuthenticatedGrantedAuthoritiesUserDetailsService (loadUserDetails is final so I couldn't override it), and in this I changed loadUserDetails to:
```java
public final UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws AuthenticationException {
    Assert.notNull(token.getAuthorities(), "token.getAuthorities() cannot be null");
    Collection<? extends GrantedAuthority> authorities = token.getAuthorities();
    return createUserDetails(token, authorities);
}
```
So the question is... is there some other DetailsSource I should be using? Or is this a bug, and the authorities shouldn't be coming from the details, and my code is the correct implementation?
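For reference, an added example (not part of the original post and not Spring Security's own code): a custom `AuthenticationDetailsSource` that returns `PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails`, which implements `GrantedAuthoritiesContainer` and so satisfies the assertion in the stock service. The class name `JwtAuthoritiesDetailsSource` and the injected `verifiedAuthorities` function are hypothetical; the function is assumed to verify the JWT's signature and expiry before mapping its claims to authorities.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.function.Function;

// Assumption: Spring Security 5.x; on 6.x this import is jakarta.servlet.http.HttpServletRequest.
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails;

/**
 * Hypothetical details source: builds details that carry granted authorities,
 * so PreAuthenticatedGrantedAuthoritiesUserDetailsService can read them from
 * token.getDetails() instead of failing its GrantedAuthoritiesContainer check.
 */
public class JwtAuthoritiesDetailsSource implements
        AuthenticationDetailsSource<HttpServletRequest, PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails> {

    // Hypothetical hook: must return authorities only from a JWT whose
    // signature and expiry have already been verified, or null otherwise.
    private final Function<HttpServletRequest, Collection<? extends GrantedAuthority>> verifiedAuthorities;

    public JwtAuthoritiesDetailsSource(
            Function<HttpServletRequest, Collection<? extends GrantedAuthority>> verifiedAuthorities) {
        this.verifiedAuthorities = verifiedAuthorities;
    }

    @Override
    public PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails buildDetails(HttpServletRequest request) {
        Collection<? extends GrantedAuthority> authorities = verifiedAuthorities.apply(request);
        if (authorities == null) {
            // Fail closed: a missing or unverifiable token yields no authorities.
            authorities = Collections.emptyList();
        }
        return new PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(request, authorities);
    }
}

// Wiring on the filter that extends AbstractPreAuthenticatedProcessingFilter:
//   filter.setAuthenticationDetailsSource(new JwtAuthoritiesDetailsSource(myVerifiedClaimsMapper));
// where myVerifiedClaimsMapper is a placeholder for the application's own JWT validation.
```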
Comment From: jzheaux
Thanks for getting in touch! It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that I and other people can find it) or add more detail if you feel this is a genuine bug.