
Thread: Generating Tokens for an android Client - a few questions in general

  1. #1
    Join Date
    Nov 2010
    Posts
    12

    Hi spring community,


    I'm developing an Android app which gets some data from our social network platform. The client gets the information via Jersey Spring. Now I would like to realize the following thing: when the user submits his username and password, he should get a token that is valid for a specific time, so the user does not have to log in again for this time.

    Our server application is a JEE application which uses Spring Security for authentication. The configuration looks like this:

    Code:
    <security:http auto-config='true' access-denied-page="/accessDenied.html" session-fixation-protection="migrateSession">
        <security:intercept-url pattern="/testHTML.html*" filters='none' />
        <!-- ... list of all pages, which are accessible before login .. -->
        <security:form-login login-page="/login.html"
                authentication-failure-url="/login_error.html"
                default-target-url="/pages/start/start.html"
                always-use-default-target="true"/>

        <security:logout logout-success-url="/login.html" invalidate-session="true"/>
        <security:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager"/>

    <security:authentication-provider user-service-ref="userDetailsServiceImpl">
        <security:password-encoder hash="md5"/>
    </security:authentication-provider>

    <security:global-method-security secured-annotations="enabled">
        <!--
            AspectJ pointcut expression that locates our "post" method and
            applies security that way
            <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
        <!--
            security:protect-pointcut expression="execution(*
            de.lyth.taunusConnection.handler.subProfileSearchSmallHandler.searchMember())"
            access="ROLE_A" /
        -->
    </security:global-method-security>

    <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false" />
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.vote.RoleVoter" />
                <bean class="org.springframework.security.vote.AuthenticatedVoter" />
            </list>
        </property>
    </bean>

    <bean id="resourceSecurityInterceptor"
            class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="objectDefinitionSource"
                ref="secureResourceFilterInvocationDefinitionSource" />
        <property name="observeOncePerRequest" value="false" />
        <security:custom-filter after="LAST" />
    </bean>

    <bean id="secureResourceFilterInvocationDefinitionSource"
            class="de.lyth.generic.util.SecureResourceFilterInvocationDefinitionSource" />

    So, at the moment I really don't know how to realize this. How do I have to configure the applicationcontext.xml? What do I have to use to generate tokens? I'm sorry about these questions, but I don't know that much about Spring Security. Advice or maybe an example/tutorial would be appreciated.

    Thanks and greetings
    Asuka

  2. #2
    Join Date
    May 2008
    Location
    Salt Lake City
    Posts
    167

    Hi.

    I'm not sure what to tell you beyond what's described in the user guide:

    http://static.springsource.org/sprin...userguide.html

    If you've got suggestions for how to improve the docs, we'd love to hear them. Of course, you're also welcome to inquire about commercial support if you'd like some help with your specific situation.

  3. #3
    Join Date
    Aug 2008
    Posts
    12

    Hi,

    I'm building a mobile API that needs to hand out tokens, after initial login.
    Were you able to come up with a solution using OAUTH?

    I'm using acegi to provide authorization and authentication, so need to confirm if they can be used in tandem with OAuth.

    Thanks,
    Gavin
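
One way to meet the requirement raised in posts #1 and #3 (a token handed out after a successful username/password login and valid only for a limited time), as an added example that is not from the thread or from Spring Security: a stateless HMAC-SHA256 token with an embedded expiry. `ExpiringToken`, `issue` and `verify` are hypothetical names, and the signing key is assumed to exist only on the server.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: ExpiringToken and its methods are hypothetical names, not Spring Security API.
public class ExpiringToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private static byte[] mac(byte[] key, String payload) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hmac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Call only after the username/password check has succeeded.
    static String issue(String user, long ttlMillis, long now, byte[] key) throws Exception {
        String payload = B64.encodeToString(user.getBytes(StandardCharsets.UTF_8)) + "." + (now + ttlMillis);
        return payload + "." + B64.encodeToString(mac(key, payload));
    }

    // Returns the username, or null if the token is malformed, forged or expired.
    static String verify(String token, long now, byte[] key) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3) return null;
        try {
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            // Constant-time comparison; the MAC is checked before any field is trusted.
            if (!MessageDigest.isEqual(given, mac(key, p[0] + "." + p[1]))) return null;
            if (now >= Long.parseLong(p[1])) return null; // past the embedded expiry
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // bad Base64 or non-numeric expiry
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // server-side secret, never shipped in the app
        long now = System.currentTimeMillis();
        String token = issue("asuka", 3600_000L, now, key); // constructed sample user, 1 hour lifetime
        System.out.println(verify(token, now + 1000, key));      // inside the validity window
        System.out.println(verify(token, now + 3600_001L, key)); // after expiry
        System.out.println(verify(token.replace("YXN1a2E", "YWRtaW4"), now, key)); // username altered after signing
    }
}
```

The client would send the token with each request over TLS; because nothing is stored server-side, a token cannot be revoked before its expiry unless the key is rotated or a denylist is added.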
