
Thread: Per request user authentication

  1. #1
    Join Date
    Dec 2004
    Location
    London
    Posts
    37

    Default Per request user authentication

    Hi,

    I'm working on an application with the security requirements outlined below:

    - User logs on
    - For every request thereafter ensure user is logged on
    - If user is logged on, allow user access to requested resource
    - Else if user is not logged on, show login page, then after successful login, show them the previously requested resource.

    Is there a Spring best practice way of doing this, or a way you've used you've found successful?
    Regards,
    Eliot

  2. #2
    Join Date
    Jan 2005
    Location
    Utrecht, The Netherlands
    Posts
    34

    Default

    You could have a look at Acegi Security, a security framework that "provides comprehensive security services for The Spring Framework".

    http://acegisecurity.sourceforge.net/

    Greetz,
    Arjan Huijzer

  3. #3
    Join Date
    Dec 2004
    Location
    London
    Posts
    37

    Default

    Yes, I'm very interested in trying Acegi out. I am working on an XP project at the moment and would like an interim quick-to-implement solution for this basic authentication requirement before tackling Acegi, which I appreciate you can take just the parts you need from, but there's still a learning curve there that me and my team mates could do with avoiding until a later iteration.

    Any other solution suggestions will be greatly appreciated.

    Eliot

  4. #4
    Join Date
    Jan 2005
    Location
    Utrecht, The Netherlands
    Posts
    34

    Default

    If you need a quick solution, why not use standard JSP/Servlet security? This is easy to implement and you do not need to install extra software.

    Just add some lines to your web.xml:

    Code:
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>MyApp</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>user</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>MyApp</realm-name>
        </login-config>

        <security-role>
          <role-name>user</role-name>
        </security-role>

    Next you need to define the users. In Tomcat you add them by editing the tomcat-users.xml file.

    Code:
        <tomcat-users>
          <user name="tomcat" password="tomcat" roles="tomcat" />
          <user name="role1" password="tomcat" roles="role1" />
          <user name="both" password="tomcat" roles="tomcat,role1" />

          <!-- User of MyApp -->
          <user name="johndoe" password="johndoe" roles="user" />

        </tomcat-users>

    Greetz,
    Arjan

  5. #5
    Join Date
    Aug 2004
    Location
    Montréal, Canada
    Posts
    845

    Default

    Last edited by robyn; May 14th, 2006 at 12:30 PM.
    Omar Irbouh

    Spring Modules Team
    http://irbouh.blogspot.com/

  6. #6
    Join Date
    Aug 2004
    Posts
    29

    Default

    Or look here, with the added benefit that you can define easily which pages you would like to protect.

    Gr
    Ronald

  7. #7
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Quote Originally Posted by eliot
    Yes, I'm very interested in trying Acegi out. I am working on an XP project at the moment and would like an interim quick-to-implement solution for this basic authentication requirement before tackling Acegi, which I appreciate you can take just the parts you need from, but there's still a learning curve there that me and my team mates could do with avoiding until a later iteration.
    Just a little encouragement: Acegi Security can handle web request filtering with great ease, and as you don't need method security interception or access control list domain object instance security, you'd be using the simplest parts and it should only take a few hours to get up to speed on those parts. The Contacts sample application is suitable, as you just cut 'n' copy the XML to your own project (minus all the ACL and method security related beans, which are well-commented).

    As someone else said, standard container security is probably best if you really need to get up to speed immediately, as web filtering is all it can actually handle. Having said that, before committing to it for a long-term direction, you might like to check the related FAQ entry at http://acegisecurity.sourceforge.net.
