Dual auth setup question...

[jdepaul]

I have a need to provide a dual authentication mechanism:

1) A custom authentication that will fetch specific tokens from the URL passed to it as input parms and it will then use vendor APIs to perform pass/fail auth. There is no concept of the user in this scheme - the authentication is based on the presence of valid decrypted token values using propriatary APIs. Once valid, the Request is Authenticated and should be forwarded on to the applicaiton for processing/rendering.
Question 1: Do I have to setup a bogus User/Principal like: ValidSystemUser to populate the Authentication object or is there some other way?

2) In addition to the primary authentication for remote users (as described in #1), our application Tech/Support teams will also need to access the same app and ideally we'd like to provide UserID/Password form challenge to them - since they will fail the first authentication scheme (i.e. users setup in the WebSphere console).
Question 2: How do I go about setting this up dual-authentication mechanisms? Does one of the examples demonstrate such setup?!

[jdepaul]

Anybody? Any guidance on this, plz

[Grzegorz Grzybek]

Hi

I've imlemented similar scenario - 1st phase - X.509 auth, 2nd - form login.

My Spring Security config looks like this:

Code:

   <http auto-config="false" >
      <intercept-url pattern="/**/*.css" filters="none" />
      ...
      <intercept-url pattern="/LogonForm.jsp" filters="none" />
      ...
      <intercept-url pattern="/**" access="ROLE_user" />

      <custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
   </http>

myFilter implements UsernamePasswordAuthenticationFilter where you have access to HttpServletRequest and, on the basis of some request parameters, you may return valid Authentication object, containing any UserDetails - this can fulfil your first case.

In second case you can just invoke super.attemptAuthentication(request, response) to perform standard form login authentication - in case there are no request parameters for your vendor API authentication.

So you have to customize one filter returning standard (p. 2) or custom (p. 1) Authentication object.

regards
Grzegorz Grzybek

[jdepaul]

Code:

   <http auto-config="false" >
      <intercept-url pattern="/**/*.css" filters="none" />
      ...
      <intercept-url pattern="/LogonForm.jsp" filters="none" />
      ...
      <intercept-url pattern="/**" access="ROLE_user" />

      <custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
   </http>

myFilter implements UsernamePasswordAuthenticationFilter where you have access to HttpServletRequest and, on the basis of some request parameters, you may return valid Authentication object, containing any UserDetails - this can fulfil your first case.

Thanks Grzegorz -

Good tips - that's exactly what I need. Could I ask you to share the Spring configuration for the "myFilter" bean?!

Thanks,
James

[jdepaul]

I wanted to pursue overriding the AuthenticationProcessingFilter as suggested by Grzegorz above - following that idea I've placed some break points in that class but in my testing I did not reach the attemptAuthentication(..) method until AFTER I've already been presented with the Login.jsp screen - something else has decided earlier that I don't have the proper credentials and thus a login.jsp needs to be presented... I obviously don't understand the flow fully, but given the configuration i have it wouldn't do me any good to override the AuthenticationPorcessingFilter because in that scheme EVERYONE would always get the Login.jsp screen first everytime - and that's not what I need... I need to scrutinize the HttpRequest for specific parms and if present, create Authentication object and avoid the Login challenge. I just don't think I'm intercepting it in the right place...

Help me plz.

My config is as follows:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>
	<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
		<property name="filterInvocationDefinitionSource">
			<value><![CDATA[
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/login.jsp=#NONE#
				/loggedout.jsp=#NONE#
				/accessdenied.jsp=#NONE#
				/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor]]></value>
		</property>
	</bean>

	<bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
		<property name="defaultTargetUrl" value="/statementlist.jsp"/>
		<property name="filterProcessesUrl" value="/j_spring_security_check"/>
	</bean>

	<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint">
			<bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
				<property name="loginFormUrl" value="/login.jsp"/>
				<property name="forceHttps" value="false"/>
			</bean>
		</property>
		<property name="accessDeniedHandler">
			<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/accessdenied.jsp"/>
			</bean>
		</property>
	</bean>

	<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="accessDecisionManager" ref="accessDecisionManager"/>
		<property name="objectDefinitionSource">
			<value><![CDATA[
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=ROLE_OVP_USER
			]]></value>
		</property>
	</bean>

	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref local="daoAuthenticationProvider"/>
			</list>
		</property>
	</bean>

	<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService" ref="inMemoryDetailsService"/>
	</bean>

	<!-- This DetailService implementation validates users against the local users.properties file  -->
	<bean id="inMemoryDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
		<property name="userProperties">
			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
				<property name="location" value="/WEB-INF/users.properties"/>
			</bean>
		</property>
	</bean>

	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions" value="false"/>
		<property name="decisionVoters">
			<list>
				<bean class="org.springframework.security.vote.RoleVoter"/>
			</list>
		</property>
	</bean>
	
	<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
	
	<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
	
</beans>

[Grzegorz Grzybek]

Hello

OK, I wasn't clear enough - even when I've read my own post the next day

AuthenticationProcessingFilter's logic contains one important check:

Code:

if (!requiresAuthentication(request, response)) {
   chain.doFilter(request, response);

   return;
}

It "requires authentication" only if the request URL endsWith() (default) "/j_spring_security_check" (or "acegi" in 1.0.x).

So you'll hit "attemptAuthentication" only for this particular (configurable of course) URL. Also by default it only accepts POST requests.

What is your URL in scenario 1)? Just ensure it will satisfy "requiresAuthentication()" method of the AuthenticationProcessingFilter.

And why you're getting login screen in the first place? The login screen is presented by "authenticationEntryPoint" configured in ExceptionTranslatorFilter in case there is authentication error OR there is anonymous authentication in SecurityContext.

And finally ExceptionTranslatorFilter is forced to use its authenticationEntryPoint because the deepest filter (FilterSecurityInterceptor) has thrown AccessDeniedException because the authentication object it had found didn't contain proper GrantedAuthorities (sorry for my English tenses ).

Just make sure, that in scenario 1):

• the first URL your users use "requiresAuthentication()" by UsernamePasswordAuthenticationFilter
• Your "special" Authentication object contains proper GrantedAuthorities

regards
Grzegorz Grzybek

[jdepaul]

Just make sure, that in scenario 1):

• the first URL your users use "requiresAuthentication()" by UsernamePasswordAuthenticationFilter
• Your "special" Authentication object contains proper GrantedAuthorities

k

Yep, that makes sense - thanks very much for the exhaustive explanation - it helps to understand it much better now.

P.S.
Grzegorz: dzięki, dzięki - ja też po Polsku mowię...