Oct 21st, 2008, 10:00 PM
A second AuthenticationEntryPoint?
Here's the setup that I want to properly configure:
Users enter the website through a basic login page. But if they try to access a page with special restrictions, and their role isn't high enough, they have to go through a different form and enter a PIN code before being allowed to proceed.
I was browsing through the code and I was thinking of introducing another AuthenticationEntryPoint, and the necessary custom AuthenticationProvider / token to handle the PIN form submission, but I do not know where exactly to plug in these things. Any suggestions? Has anyone ever encountered a similar requirement?
Thanks in advance. I hope this is possible.
Dec 18th, 2008, 02:29 PM
I am kinda guessing here, and this probably isn't the best way to do it depending on your situation, but it is possibly *a* way to do it.
You could have another servlet with another security setup and a separate login. When the user clicks on the URL that is controlled by that servlet then they have to login there too. Depending on how seamless you want it to be in either your code/app setup and/or for the user this might work. I would think from the user's perspective this might work seamlessly - after all, they are logging in to two different apps, right? So they would still remain logged in to the previous app - although they may time out on one or the other app depending on your setup.
Then there is the RunAsManager ( http://static.springframework.org/sp...AsManager.html ) which might be more elegant and simpler?
Just some thoughts that might help get you started (maybe in the wrong direction though). I haven't tried this yet, although I will probably have to get around to it in the future.
Be sure to come back and let us know how you solved your problem.
Dec 18th, 2008, 02:56 PM
I would follow the model that the AuthenticatedVoter uses. There you can specify that a resource requires full authentication and that remember-me is insufficient, for example. If a user isn't fully authenticated, it throws an InsufficientAuthenticationException which will cause the entry point to be invoked.
Use a custom entry point and a custom voter (which responds to a specific attribute - e.g. "PIN_REQUIRED"). Then throw a subclass of InsufficientAuthenticationException (say, PinRequiredException) and handle it appropriately in your entry point.
RunAsManager has a completely different purpose and is not relevant here. It doesn't have anything to do with authenticating the end user.
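The voter/entry-point arrangement described in the answer above, as an added example that is not code from the thread or from Spring Security itself. It assumes the Spring Security 3.1+ API, that the PIN form is served at /pin and the normal login at /login, and that a successful PIN submission adds a "PIN_VERIFIED" authority to the current Authentication (none of which the thread specifies).

```java
import java.io.IOException;
import java.util.Collection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/** An AuthenticationException, so ExceptionTranslationFilter routes it to the entry point. */
class PinRequiredException extends InsufficientAuthenticationException {
    PinRequiredException(String msg) { super(msg); }
}

/** Votes only on the PIN_REQUIRED attribute and abstains on everything else. */
class PinRequiredVoter implements AccessDecisionVoter<Object> {
    static final String PIN_REQUIRED = "PIN_REQUIRED";
    static final String PIN_VERIFIED = "PIN_VERIFIED"; // authority granted after the PIN form (assumed)

    public boolean supports(ConfigAttribute attribute) { return PIN_REQUIRED.equals(attribute.getAttribute()); }
    public boolean supports(Class<?> clazz) { return true; }

    public int vote(Authentication auth, Object secured, Collection<ConfigAttribute> attrs) {
        for (ConfigAttribute a : attrs) {
            if (!supports(a)) continue;
            for (GrantedAuthority g : auth.getAuthorities()) {
                if (PIN_VERIFIED.equals(g.getAuthority())) return ACCESS_GRANTED;
            }
            // Not a plain denial: the user is logged in but must complete the PIN step first
            throw new PinRequiredException("PIN verification required for this resource");
        }
        return ACCESS_ABSTAIN;
    }
}

/** Sends the PIN case to the PIN form and every other authentication failure to the login page. */
class PinAwareEntryPoint implements AuthenticationEntryPoint {
    private final LoginUrlAuthenticationEntryPoint login = new LoginUrlAuthenticationEntryPoint("/login");
    private final LoginUrlAuthenticationEntryPoint pin = new LoginUrlAuthenticationEntryPoint("/pin");

    public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException e)
            throws IOException, ServletException {
        (e instanceof PinRequiredException ? pin : login).commence(req, res, e);
    }
}
```

Register the voter with your AccessDecisionManager alongside the RoleVoter and mark the restricted URLs with the PIN_REQUIRED attribute; the PIN form's own filter then has to add the PIN_VERIFIED authority, which is the part this example leaves to your application.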