Hello,
Made some changes to move in the right direction.
Can you check this out and let me know what you think? As mentioned above, I'm trying to extract my details from a cookie and then use a custom UserDetailsService to compare them to the database. The UserDetailsService works perfectly, as I've tested it using form-based authentication, so all I need to do at this stage is put the cookie extraction piece in between the entry and authentication.
My custom filter is being hit, but I'm not sure what to return. I'm trying to return the username, but it's not working the way I'd hoped.
security-config.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<!--
Explicit filter chain for cookie-based pre-authentication.
Every request (/**) runs through, in this order: sif, preAuthenticatedProcessingFilter, logoutFilter, fsi.
NOTE(review): no ExceptionTranslationFilter is listed, so security exceptions raised by fsi are
presumably not turned into a login redirect or an access-denied response; confirm this is intended.
NOTE(review): the securityContextHolderAwareRequestFilter bean defined at the bottom of this file
is not part of the chain, so it does not run for any request.
-->
<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/**" filters="sif,preAuthenticatedProcessingFilter,logoutFilter,fsi"/>
</sec:filter-chain-map>
</bean>
<!-- Filter # 1 -->
<!-- Carries the SecurityContext across requests through the HTTP session. -->
<bean id="sif" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
<!-- Exposes the namespace-created authentication manager under the bean name used by the filters below. -->
<sec:authentication-manager alias="authenticationManager" />
<!--
Provider backed by userDetailsService.
NOTE(review): presumably left from the form-login test; it is not the provider that handles
pre-authenticated tokens (that one is preAuthenticatedAuthenticationProvider below). Confirm it is still wanted.
-->
<sec:authentication-provider user-service-ref='userDetailsService'/>
<bean id="userDetailsService" class="com.cisco.btd.security.BtdUserDetailsService">
<property name="userService" ref="userService"/>
</bean>
<!--
Custom filter that supplies the principal taken from the request.
NOTE(review): the bean is already placed explicitly in the FilterChainProxy above; confirm whether the
custom-filter decorator is still needed (or has any effect) when no sec:http element is declared.
-->
<bean id="preAuthenticatedProcessingFilter" class="com.cisco.btd.security.PreAuthenticatedProcessingFilter">
<sec:custom-filter position="PRE_AUTH_FILTER" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!--
Accepts the principal handed over by the pre-auth filter and loads the user by name through
userDetailsService. No password or other secret is compared at this stage, so the filter is the only
place where the cookie can be checked: its value must be verified as issued by the trusted sign-on
system (integrity-protected, not merely present) before it is returned as the principal.
-->
<bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
<sec:custom-authentication-provider />
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
</property>
</bean>
<!-- Handle logout -->
<!-- First constructor argument is the URL to go to after logout; the handler list clears the security context. -->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
<constructor-arg value="/"/>
<constructor-arg>
<list>
<bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
</bean>
<!-- Grants access when any voter approves; with allowIfAllAbstainDecisions=false, access is denied if every voter abstains. -->
<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
<list>
<ref bean="roleVoter"/>
</list>
</property>
</bean>
<!--
URL authorization. Patterns are listed from most specific to the catch-all; keep that order,
since a request is matched against them in sequence and /** would otherwise shadow the stricter rules.
-->
<bean id="fsi" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="objectDefinitionSource">
<sec:filter-invocation-definition-source>
<sec:intercept-url pattern='/system/**' access='ROLE_SUPER' />
<sec:intercept-url pattern='/admin/**' access='ROLE_ADMIN' />
<sec:intercept-url pattern='/**' access='ROLE_BASIC' />
</sec:filter-invocation-definition-source>
</property>
</bean>
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter"/>
<!-- Defined but not referenced by the filter chain above. -->
<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter">
<property name="wrapperClass" value="org.springframework.security.wrapper.SecurityContextHolderAwareRequestWrapper"/>
</bean>
</beans>
and my custom filter:
Code:
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter;
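/**
 * Pre-authentication filter that hands a user name to the authentication manager.
 *
 * <p>The provider behind this filter does not compare a password; it only loads the user
 * by the name returned here. Whatever this class returns as the principal is therefore
 * treated as already authenticated, so the value must come from a source that has been
 * verified (for a cookie: issued by the trusted sign-on system and integrity-checked),
 * never from an unchecked request value.
 */
public class PreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {

    /**
     * Returns the principal for the current request.
     *
     * <p>A {@code String} user name is the right type when the provider is configured with
     * {@code UserDetailsByNameServiceWrapper}, which looks the user up by name.
     *
     * @param request the current HTTP request
     * @return the user name to authenticate as
     */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // FIXME(review): test stub. Every request is authenticated as this one account.
        // Replace with the user id read from the sign-on cookie after its value has been
        // validated; presumably null should be returned when no valid cookie is present so
        // the request stays unauthenticated (confirm against the base class).
        String userName = "jarescot";
        return userName;
    }

    /**
     * Returns placeholder credentials for the pre-authenticated token.
     *
     * <p>The stock {@code PreAuthenticatedAuthenticationProvider} ignores a token whose
     * credentials are {@code null}, which leaves the request unauthenticated even though a
     * principal was supplied. A non-null dummy value lets the token through; it is not a
     * secret and is not compared against anything.
     *
     * @param arg0 the current HTTP request (unused)
     * @return a constant, non-null placeholder
     */
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest arg0) {
        return "N/A";
    }

    /**
     * Reports this filter's position in the security filter ordering.
     *
     * @return the {@code PRE_AUTH_FILTER} order constant
     */
    public int getOrder() {
        return org.springframework.security.ui.FilterChainOrder.PRE_AUTH_FILTER;
    }
}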
and finally my custom user authentication class:
Code:
public class BtdUserDetailsService implements UserDetailsService {
private UserService userService;
/**
 * Loads the account for the given user name and wraps it in a {@code BtdUserDetails}.
 *
 * <p>With the pre-authentication setup in security-config.xml this method is reached through
 * {@code UserDetailsByNameServiceWrapper}, so {@code userName} is whatever the pre-auth filter
 * returned and no password comparison follows. An unknown name must not produce a usable
 * {@code UserDetails}; presumably {@code checkUser} enforces that (confirm).
 *
 * @param userName the user id to look up
 * @return the details object built from the resolved user
 * @throws UsernameNotFoundException declared by the interface; where it is raised is not visible here
 * @throws DataAccessException declared by the interface; where it is raised is not visible here
 */
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException, DataAccessException {
    // Runs before the lookup, as in the original ordering; what it sets up is not visible here.
    checkDefaultRoles();
    // The raw lookup result goes straight into checkUser together with the requested name.
    final User resolved = checkUser(userService.findByUserId(userName), userName);
    return new BtdUserDetails(resolved);
}
Any thoughts on what I'm missing or doing wrong? Please help...
Thanks,
Jared