Spring Security access to a request, without pre-authentication, from remote access

**phoenix2** · Oct 11th, 2012, 06:46 AM

I wrote here because I cannot find a clear answer to my problem:

My project is using Spring MVC and Spring Security. I well installed both for a web application (of course using Java). I can access with post and get method, but only after the user has been connected via the usual form of Spring Security.

From now, the user do a request on an address like this:

Code:

../../get.request?request=getListCommand

where get.request is a mapping from Spring MVC. This access is enable only after the user has been authenticated!

What I need to do: Add the possibility to access directly to this request, without has been authenticated previously, using an address like this one for example:

Code:

http://123.123.123.123:123/get.request?request=getListCommand&j_password=myPassword&j_username=myName

or

Code:

same thing with the post protocol and the params given (request=getListCommand, j_password=myPassword, j_username=myName)

Of course the authentication will have to be done previously the request is performed and the result sent back.

I searched on many website or directly on the Spring security website. They talk about filterchaining, own user name authentication, RMI; but I don't really found a full example doing what I presented above.

Thanks for anyone than can help me that way.

ps: I use all default or the most simple configuration for Spring security (no fengshui' style :-))

**Marten Deinum** · Oct 11th, 2012, 07:11 AM

Reconsider, that isn't something you want... Unless you want to have a security hole in your application (adding the username/password as request parameters is a security hole).

But alas if you don't care create your own filter (based of the UsernamePasswordAuthenticationFilter) and modify it to authenticate each incoming request (if needed).

**phoenix2** · Oct 11th, 2012, 10:14 AM

Originally Posted by Marten Deinum

Unless you want to have a security hole in your application (adding the username/password as request parameters is a security hole).

If I'm right (And I'm not an expert in security), at a time or another, the username/password has to be sent to the server, isn't it? Maybe that way is not the best, but due time/poor of knowledge about it and because for an intranet of few computer, we don't need better security.

Thanks for answer, setting me on a way to resolve the problem. What you said (UsernamePasswordAuthenticationFilter) is something I already read. If you have more sample/information about how to do that, it will good.

I add my actual xml files config

secu.xml

Code:

<http realm="NexCap Up"
            auto-config="true"
            access-denied-page="/www/jsp/authentication/accessDenied.jsp"
            create-session="always"
            disable-url-rewriting="true">          
                <port-mappings>
                    <port-mapping http="8084" https="8443"/>
                </port-mappings>        
                
                <intercept-url pattern="/www/jsp/authentication/connexion.jsp"                    
                    access='IS_AUTHENTICATED_ANONYMOUSLY' requires-channel="https"/>
                    
                <intercept-url pattern="/www/jsp/authentication/connexionFailed.jsp" 
                    access='IS_AUTHENTICATED_ANONYMOUSLY'  />

                <intercept-url pattern="/www/jsp/authentication/applicationExit.jsp" 
                    access='IS_AUTHENTICATED_ANONYMOUSLY'  /> 
                    
                 
              <intercept-url 
                    pattern="/get.Request" 
                    method="GET"
                    access="ROLE_REMOTE" />
                                        
                 <intercept-url 
                    pattern="/post.Request"  
                    method="POST"
                    access="ROLE_REMOTE" />
             
                <intercept-url pattern="/**" 
                    access="ROLE_REMOTE,ROLE_SCRIPT"  />
           <form-login 
                authentication-failure-url="/www/jsp/authentication/connexionFailed.jsp"
                login-page="/www/jsp/authentication/connexion.jsp"
                default-target-url="/www/jsp/index.jsp"
                always-use-default-target="true"/>
                
            <logout
                logout-success-url="/www/jsp/authentication/applicationExit.jsp"
                invalidate-session="true"/>
                   
            <session-management
                invalid-session-url="/www/jsp/authentication/invalidSession.jsp"
                session-authentication-error-url = "/www/jsp/authentication/authentificationError.jsp"
                session-fixation-protection="none">

                <!-- Sessions concurrentes -->
                <concurrency-control 
                    error-if-maximum-exceeded="false"
                    expired-url="/www/jsp/authentication/sessionExpired.jsp"
                    max-sessions="1" />

            </session-management>
                   
        </http>

web.xml

Code:

<security-constraint>
        <web-resource-collection>
            <web-resource-name>Security</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


    <filter>
      <display-name>springSecurityFilterChain</display-name>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>
          org.springframework.web.filter.DelegatingFilterProxy
      </filter-class>
   </filter>
   
   <!-- Toutes  les requetes soumises au filtre -->
   <filter-mapping>
       <filter-name>springSecurityFilterChain</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>
   
   <!--Fichier de configuration de contexte sécurité -->
   <context-param>
       <param-name>contextConfigLocation</param-name>
       <param-value>
           /WEB-INF/spring/secu-config.xml
       </param-value>
   </context-param>

THANKS

**Marten Deinum** · Oct 12th, 2012, 01:12 AM

The username/password has to be send to the server but If I hack your internet connection and sit in between (man in the middle) or stand behind you I can read your username/password... Also no matter if it is intranet or not you should always have security in mind and this in my book isn't secure and certainly wouldn't pass auditing.

Originally Posted by phoenix2

Thanks for answer, setting me on a way to resolve the problem. What you said (UsernamePasswordAuthenticationFilter) is something I already read. If you have more sample/information about how to do that, it will good.

I already gave you that information...

Originally Posted by mdeinum

But alas if you don't care create your own filter (based of the UsernamePasswordAuthenticationFilter) and modify it to authenticate each incoming request (if needed).

Which methods to override I leave to you as an excercise

(check the source code and read the javadocs shouldn't be that hard).

Thread: Spring Security access to a request, without pre-authentication, from remote access

Thread Tools

Display

Spring Security access to a request, without pre-authentication, from remote access

Tags for this Thread

Posting Permissions