Jul 29th, 2008, 05:28 PM
Spring Security for Portlet with Step Up authentication
I'm trying to implement a second tier of authentication using Spring Security for a Spring MVC Portlet. It's for a few sensitive portlets (eg. HR information) which we'd like to add an additional layer of authentication within the rendered portal fragment.
As I understand it, for Spring Security for Portals the portal is fully responsible for the authentication. However, what we'd like to do is along the following use case:
1. user has not been authenticated
2. user opens portal page
3. system displays login form instead (mechanism: username+password entry)
4. user logs in
5. system displays normal portal screen welcome page contain several portlets. One of these portlets is a HR portlet in normal mode displaying non-sensitive information.
6. user maximises HR portlet (which contains sensitive information)
7. system displays 2nd layer login form (mechanism: supply the numbers in your zipcode/postcode)
8. user answers the question
9. user proceed
As I say, steps 1-5 wouldn't be under acegi/spring security control. 6-9 are. does anyone know if this is possible to implement with spring security, bearing in mind that all the documentation I've read says that Spring security relies on portal to handle authentication.
... hope that makes sense! Thanks.
Aug 4th, 2008, 03:51 PM
That is an interesting use case, and not one that I've seen addressed before.
Do you envision this secondary authentication being done within the portlet itself, or do you want to go outside the portal to a different webapp?
In the portlet side of Spring Security, we don't have the same infrastructure in place as on the servlet side because, as you observe, we defer all of the authentication process to the portal. Specifically, we don't have things like the ExceptionTranslationFilter that would normally be used as the entry point for primary and/or secondary authentication requirements.
I suppose you would need some kind of Interceptor around your portlets that could could catch the extra security need on the way in, or catch an exception from the Controller on the way out.
You could also look at handling it with a HandlerExceptionResolver, although that mechanism may not be powerful enough for what you want to do.
Hope that helps!
Tags for this Thread