Jan 9th, 2013, 02:58 AM
authentication using time based URL with user data inside an encrypted token on URL
Hello, I am new to Spring in general, so also completely new to Spring Security.
I have the following scenario to implement:
1. The user registers in an external application and, as a result, receives an email with a URL to my application, where I need to authenticate him. If this succeeds, my app returns a file to the user and the flow continues (the user gets a few files); later I also save some of his information in my database.
2. The authentication is done by extracting an encrypted token from the URL as a parameter and decrypting it; the decrypted data contains the user info and an expiration date. I need to check that the date hasn't expired, and if it hasn't, I allow access and return the file. If decryption fails or the time has expired, I want to redirect to some error page. I don't need to compare the data with my persistent data.
3. There's no login page in my application; all it does is return some files and save the data.
4. The information I get for the user, which I save, is mostly metadata; there's no username or password (the closest is some user id) and also no roles, and I don't need any logic regarding roles in my app.
Can you please guide me on which classes to use? I've been reading a lot, but I'm not sure what best fits me. Do I need to extend AbstractPreAuthenticatedProcessingFilter to grab the token from the URL and decrypt it, or is this not considered a pre-auth case since the user was not really authenticated in my app? I'm also not sure about the authentication provider, and whether I need a userService implementation, which currently sounds like I don't. I also don't know exactly how my configuration will look, since I don't want a login form, and I think I need a success handler (I guess here I will redirect to a servlet which will return my file?)
Last edited by michalv82; Jan 9th, 2013 at 03:05 AM.
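The token check described in the post, worked through as an added example (this is not code from the original post or from Spring Security itself): a subclass of AbstractPreAuthenticatedProcessingFilter whose getPreAuthenticatedPrincipal hook reads the token from the URL, decrypts it with AES-GCM so that any tampering is detected before the contents are trusted, checks the expiry and returns the user id as the principal. The query parameter name `token`, the payload layout `userId|expiryEpochSeconds|metadata`, the `iv || ciphertext || tag` token format and the shared key handling are assumptions made for the illustration; the issuing side is included only so the sample round-trips locally.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Added example, not from the original post or from Spring Security. Parameter name,
 * payload layout and key handling are assumptions for illustration.
 */
public class EmailLinkTokenFilter extends AbstractPreAuthenticatedProcessingFilter {

    private static final int IV_BYTES = 12;   // 96-bit GCM nonce
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;

    /** Key shared with the external application that sends the emails (16, 24 or 32 bytes). */
    public EmailLinkTokenFilter(byte[] sharedKey) {
        this.key = new SecretKeySpec(sharedKey, "AES");
    }

    /** Spring hook: a non-null return means "this request carries an identity"; null means unauthenticated. */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getParameter("token");   // assumed parameter name
        if (token == null) {
            return null;
        }
        try {
            return parseAndValidate(token, Instant.now());
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // Tampered, undecryptable, malformed and expired tokens all fail closed here;
            // the configured AuthenticationEntryPoint then sends the user to the error page.
            return null;
        }
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the token is the credential and has already been verified above
    }

    /** Assumed layout: base64url( iv || AES-GCM ciphertext || tag ), plaintext "userId|expiryEpochSeconds|metadata". */
    String parseAndValidate(String token, Instant now) throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(token);           // IllegalArgumentException on bad base64
        if (raw.length <= IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("token too short");
        }
        byte[] iv = Arrays.copyOfRange(raw, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(raw, IV_BYTES, raw.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] plain = cipher.doFinal(ct);                            // AEADBadTagException if any byte was altered

        String[] fields = new String(plain, StandardCharsets.UTF_8).split("\\|", 3);
        if (fields.length != 3) {
            throw new IllegalArgumentException("malformed payload");
        }
        Instant expiry = Instant.ofEpochSecond(Long.parseLong(fields[1]));
        if (!now.isBefore(expiry)) {
            throw new IllegalArgumentException("token expired");
        }
        return fields[0];                                             // user id becomes the principal
    }

    /** Issuer side, as the external application would build the link (here only for a local round trip). */
    String issue(String userId, Instant expiry, String metadata) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                                            // fresh nonce per token, never reused under one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal((userId + "|" + expiry.getEpochSecond() + "|" + metadata)
                .getBytes(StandardCharsets.UTF_8));
        byte[] raw = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, raw, 0, iv.length);
        System.arraycopy(ct, 0, raw, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[16];                                // constructed demo key; load from configuration in real use
        RNG.nextBytes(demoKey);
        EmailLinkTokenFilter f = new EmailLinkTokenFilter(demoKey);
        Instant now = Instant.now();

        String good = f.issue("user-42", now.plus(Duration.ofHours(1)), "plan=trial");
        System.out.println("valid    -> " + f.parseAndValidate(good, now));

        String expired = f.issue("user-42", now.minus(Duration.ofMinutes(1)), "plan=trial");
        try { f.parseAndValidate(expired, now); } catch (IllegalArgumentException e) { System.out.println("expired  -> " + e.getMessage()); }

        byte[] bytes = Base64.getUrlDecoder().decode(good);
        bytes[bytes.length - 1] ^= 0x01;                              // flip one bit of the tag
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        try { f.parseAndValidate(tampered, now); } catch (GeneralSecurityException e) { System.out.println("tampered -> rejected (" + e.getClass().getSimpleName() + ")"); }
    }
}
```

Two design points matter here. First, an authenticated mode (GCM) rather than plain CBC or ECB is what makes "decryption failed" a reliable signal: a token that was edited, truncated or encrypted under another key is rejected before the expiry field is ever parsed, so the filter never acts on unverified data. Second, the principal returned from getPreAuthenticatedPrincipal is what Spring's PreAuthenticatedAuthenticationProvider receives; with no roles, the user-details service it needs can simply wrap the id. Because the token travels in a URL, it will also appear in mail clients, proxy and server logs, browser history and Referer headers, so keep the expiry short and consider marking a token as used once its file has been served.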