You could try out the PreAuthenticatedAuthenticationProvider:
Spring Security configuration:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.3.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:component-scan base-package="com.test"/>

    <!-- Every URL requires ROLE_AUTHED; a request without a principal gets a 403, not a login page. -->
    <security:http use-expressions="true" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_AUTHED')" />
        <!-- The position name must be exactly PRE_AUTH_FILTER (no trailing whitespace). -->
        <security:custom-filter position="PRE_AUTH_FILTER" ref="myAuthFilter" />
    </security:http>

    <security:authentication-manager alias="preauthManager">
        <security:authentication-provider ref="preauthAuthProvider"/>
    </security:authentication-manager>

    <bean id="preAuthenticatedProcessingFilterEntryPoint"
          class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

    <!-- Turns the principal supplied by the filter into a full UserDetails via myUserDetailsService. -->
    <bean id="preauthAuthProvider"
          class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="myUserDetailsService"/>
    </bean>

    <bean id="myAuthFilter" class="com.test.MyAuthFilter">
        <property name="authenticationManager" ref="preauthManager"/>
    </bean>
</beans>
I use the following auth filter to extract information about the user who has already been authenticated:
Code:
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

public class MyAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest req) {
        // No credentials are available here: authentication already happened externally.
        return "N/A";
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        // The assertion is placed in the session by the external login (NemLogin).
        UserAssertion ua = (UserAssertion) req.getSession().getAttribute(Constants.SESSION_USER_ASSERTION);
        if (ua == null) {
            return null; // Not authenticated.
        }
        // Only accept assertions at assurance level 3; returning null means "no principal".
        if (ua.isAuthenticated() && ua.getAssuranceLevel() == 3) {
            return ua.getSubject();
        }
        return null; // Not authenticated.
    }
}
You could use the getPreAuthenticatedCredentials method for retrieving the roles etc. from DB.
I do, however, not use roles, so my user details service that creates the user details looks like this:
Code:
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service("myUserDetailsService")
public class MyUserDetailsServiceImpl implements AuthenticationUserDetailsService {

    @Override
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        // The principal is the subject the pre-auth filter pulled out of the session assertion.
        String correctlyFormattedUsername = (String) token.getPrincipal();
        // The username always exists, since NemLogin took care of this.
        return new MyUserDetails(correctlyFormattedUsername);
    }
}
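The post refers to a MyUserDetails class but does not show it. The following is an added example of such a class, not the poster's code. It assumes the user carries no local password (identity was proven by the external login) and needs only the single ROLE_AUTHED authority that the intercept-url in the configuration checks; it uses GrantedAuthorityImpl, the authority class present in Spring Security 3.0 (replaced by SimpleGrantedAuthority in 3.1).

```java
// Added example, not the poster's MyUserDetails: a minimal UserDetails for the
// pre-authenticated setup above. Assumptions: no local password, and the only
// authority required is ROLE_AUTHED (what the intercept-url in the config checks).
import java.util.Collection;
import java.util.Collections;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;

public class MyUserDetails implements UserDetails {

    private static final long serialVersionUID = 1L;

    // The one authority the whole site is gated on; nothing more is granted (least privilege).
    private static final Collection<GrantedAuthority> AUTHORITIES =
            Collections.<GrantedAuthority>singletonList(new GrantedAuthorityImpl("ROLE_AUTHED"));

    private final String username;

    public MyUserDetails(String username) {
        if (username == null || username.length() == 0) {
            // Never build a principal without a subject; the filter should already have returned null.
            throw new IllegalArgumentException("username must not be empty");
        }
        this.username = username;
    }

    @Override
    public Collection<GrantedAuthority> getAuthorities() {
        return AUTHORITIES;
    }

    @Override
    public String getPassword() {
        // No local password: credentials were verified by the external login, not by this application.
        return null;
    }

    @Override
    public String getUsername() {
        return username;
    }

    // The provider's default AccountStatusUserDetailsChecker rejects the user if any of
    // these returns false, so a locally disabled account can still be refused after an
    // otherwise valid external login. With no local account state, all four report "ok".
    @Override
    public boolean isAccountNonExpired() { return true; }

    @Override
    public boolean isAccountNonLocked() { return true; }

    @Override
    public boolean isCredentialsNonExpired() { return true; }

    @Override
    public boolean isEnabled() { return true; }
}
```

Two points worth keeping in mind with this setup: the four status flags are not decorative, because PreAuthenticatedAuthenticationProvider runs its user details checker on the returned object and a false value ends the authentication; and the whole chain trusts the session attribute the filter reads, so access control is only as strong as the guarantee that nothing but the external login handler can write that attribute.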