6

I am new to Spring and my requirement is that I do not want to authenticate the user with a username and password. The user is authenticated in some other application and my app gets the request with the following details:

  1. User name
  2. Roles

I just want to use Spring Security to secure the pages according to the roles in the request. I've given a thought to writing a UserDetailsService, but that only adds request data; Spring still asks for authentication information. Then I thought about writing something like the following:

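```java
import java.util.ArrayList;
import java.util.Collection;

import javax.annotation.Resource;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;

public class UserLogin {

    /*
    @Resource(name = "userDetailsService")
    private UserDetailsService userDetailsService;
    */

    @Resource(name = "authenticationManager")
    private AuthenticationManager authenticationManager;

    public boolean login(UserEntity user) {
        //UserDetails ud = userDetailsService.loadUserByUsername(username);

        // Copy the role names from the incoming user into granted authorities
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : user.getAuthorities()) {
            authorities.add(new GrantedAuthorityImpl(role));
        }

        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), authorities);

        try {
            Authentication auth = authenticationManager.authenticate(token);
            SecurityContext securityContext = new SecurityContextImpl();
            // Places in ThreadLocal for future retrieval
            SecurityContextHolder.setContext(securityContext);
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (AuthenticationException e) {
            return false;
        }
        return true;
    }
}
```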

Am I going in the right direction? If so, how do I configure the whole thing in Spring XML?

1 Answer

8

You're in what's called a Pre-Authentication scenario, where you configure Spring Security to only Authorize access, not Authenticate access. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html. Here is a full configuration, where you need to implement AbstractPreAuthenticatedProcessingFilter to grep your authentication scheme's UserPrincipal, and the custom UserDetailsService you mention above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <!-- Requests without a pre-authenticated principal get a 403 instead of a login page -->
    <beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

    <security:http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <security:custom-filter position="PRE_AUTH_FILTER" ref="myCustomPreAuthFilter" />
    </security:http>

    <beans:bean id="myCustomPreAuthFilter" class="com.mypackage.MyCustomPreAuthFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>

    <beans:bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean id="userDetailsServiceWrapper"
                class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="myCustomUserDetailsService"/>
            </beans:bean>
        </beans:property>
    </beans:bean>

    <!-- myCustomUserDetailsService is referenced above; its bean definition is not shown here -->

</beans:beans>
```
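The two classes the configuration above refers to, as an added example that is not part of the original answer, written against the Spring Security 3.0.x API the answer links to. The header name `X-Auth-User` and the in-memory role table are assumptions standing in for whatever the upstream application actually sends and wherever roles are really stored.

```java
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Bean "myCustomPreAuthFilter" (package com.mypackage in the configuration).
class MyCustomPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    // Assumed header name. The value is only trustworthy when this application
    // is reachable solely through the upstream system that sets it, and that
    // system overwrites any copy of the header supplied by the client.
    static final String USER_HEADER = "X-Auth-User";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String user = request.getHeader(USER_HEADER);
        // Returning null means "no pre-authenticated user": the filter skips
        // authentication and protected URLs end at the 403 entry point.
        return (user == null || user.trim().isEmpty()) ? null : user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // No password exists in this scenario, but the provider rejects a
        // token whose credentials are null, so return a placeholder.
        return "N/A";
    }
}

// Bean "myCustomUserDetailsService": maps the user name to authorities.
class MyCustomUserDetailsService implements UserDetailsService {
    // Constructed sample data; replace with the real role source.
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        ROLES.put("alice", Arrays.asList("ROLE_USER", "ROLE_ADMIN"));
        ROLES.put("bob", Arrays.asList("ROLE_USER"));
    }

    public UserDetails loadUserByUsername(String username) {
        List<String> roles = ROLES.get(username);
        if (roles == null) { // unknown principal: fail authentication
            throw new UsernameNotFoundException("No roles for " + username);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) authorities.add(new GrantedAuthorityImpl(role));
        return new User(username, "N/A", true, true, true, true, authorities);
    }
}
```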
