
Thread: Spring Security 3 and Ajax type login

  1. #11
    Join Date
    Mar 2010
    Posts
    7


    Quote Originally Posted by javastick View Post
    Ok, I have this working as well. But I have one problem. I do not want to redirect after authentication. I just want to return to my client. This happens when there is an error. However, when successful, it insists on redirecting and so the response is a page. I just want to return my json object.

    How do I prohibit the redirect?
    Change AbstractProcessingFilter by removing the redirect code and add your code to send JSON, then use it as the custom-filter "AuthenticationProcessingFilter". You also need to implement a few abstract methods of AbstractProcessingFilter.
    When I said client redirect, I did not mean you really need to do a real redirect in client code; you can do anything, load another module for example.
    Give me your email, I can send an Eclipse project if you need.

  2. #12


    Quote Originally Posted by CrazyGG View Post
    Change AbstractProcessingFilter by removing the redirect code and add your code to send JSON, then use it as the custom-filter "AuthenticationProcessingFilter". You also need to implement a few abstract methods of AbstractProcessingFilter.
    When I said client redirect, I did not mean you really need to do a real redirect in client code; you can do anything, load another module for example.
    Give me your email, I can send an Eclipse project if you need.
    I implemented that exactly the same way, but I needed to create some more classes because of the new structure of Spring Security 3.0 (not really difficult, but it took time to understand the Spring Security 3.0 changes).

    Don't hesitate to ask for code too, I can post a sample project on my blog. But remember I made it for Spring Security 3.0.

    Regards,

    Alois Cochard
    http://aloiscochard.blogspot.com
    http://www.twitter.com/aloiscochard
    Last edited by alois.cochard; Mar 29th, 2010 at 07:11 AM.

  3. #13
    Join Date
    Mar 2010
    Posts
    7


    Quote Originally Posted by alois.cochard View Post
    I implemented that exactly the same way, but I needed to create some more classes because of the new structure of Spring Security 3.0 (not really difficult, but it took time to understand the Spring Security 3.0 changes).

    Don't hesitate to ask for code too, I can post a sample project on my blog. But remember I made it for Spring Security 3.0.

    Regards,

    Alois Cochard
    http://aloiscochard.blogspot.com
    http://www.twitter.com/aloiscochard
    As a Chinese, I can't visit either blogspot or twitter!!

  4. #14


    I can compress and archive the content of my blog and send it to you by e-mail if wanted. Let me know using private message.

    I heard of some software used to spoof IP addresses and enable users from China to access blogspot, have you tried it?

    See you,

    Alois Cochard
    http://aloiscochard.blogspot.com
    http://www.twitter.com/aloiscochard

  5. #15
    Join Date
    Nov 2009
    Posts
    24


    I think I basically want to achieve something similar: an AJAX-JSON login which either returns 200 OK or 403 Forbidden. Following your thread, I think I have to write my own filter, too? Or can I write a Spring Web MVC method to handle authentication (with @RequestMapping("/login"))?

    Cheers,

    Jan

  6. #16
    Join Date
    Jun 2010
    Posts
    1


    Quote Originally Posted by alois.cochard View Post
    I implemented that exactly the same way, but I needed to create some more classes because of the new structure of Spring Security 3.0 (not really difficult, but it took time to understand the Spring Security 3.0 changes).

    Don't hesitate to ask for code too, I can post a sample project on my blog. But remember I made it for Spring Security 3.0.
    Please post or email the code for Spring Security 3.0...

  7. #17
    Join Date
    Nov 2010
    Posts
    1

    Spring Security 3 with ExtJS 3.3 working configuration

    I want to post my working configuration:

    Code:
    Spring-Security-Context.xml
    
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:tx="http://www.springframework.org/schema/tx"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    
    
    <!-- Locale Resolver -->
    
    	<bean id="localeResolver"
    		class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
    		<property name="defaultLocale" value="it" />
    	</bean>
    
    	<!-- Spring Security 3 -->
    
    	<security:global-method-security
    		pre-post-annotations="enabled" secured-annotations="enabled" />
    	<bean id="NSPUserDetailsService"
    		class="it.xxx.newstudentportal.security.NSPUserDetailsService" />
    
    
    
    	<security:authentication-manager alias="NSPauthenticationManager">
    		<!-- -->
    		<security:authentication-provider
    			user-service-ref="NSPUserDetailsService" />
    	</security:authentication-manager>
    
    
    
    
    	<alias name="filterChainProxy" alias="springSecurityFilterChain" />
    
    	<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    		<security:filter-chain-map path-type="ant">
    			<security:filter-chain
    				filters="securityContextFilter, logoutFilter, formLoginFilter, requestCacheFilter,
                servletApiFilter, anonFilter, sessionMgmtFilter, exceptionTranslator, filterSecurityInterceptor"
    				pattern="/**" />
    		</security:filter-chain-map>
    
    	</bean>
    
    	<bean id="securityContextFilter"
    		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    		<property name="securityContextRepository" ref="securityContextRepository" />
    	
    	</bean>
    	<bean id="securityContextRepository"
    		class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
    
    	<bean id="logoutFilter"
    		class="org.springframework.security.web.authentication.logout.LogoutFilter">
    		<constructor-arg value="/logged_out.htm" />
    		<constructor-arg>
    			<list>
    				<bean
    					class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    			</list>
    		</constructor-arg>
    	</bean>
    
    
    	<bean id="formLoginFilter"
    		class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    		<property name="authenticationManager" ref="NSPauthenticationManager" />
    		<property name="authenticationSuccessHandler">
    			<bean
    				class="it.xxx.newstudentportal.security.NSPSavedRequestAwareAuthenticationSuccessHandler">
    				<property name="alwaysUseDefaultTargetUrl" value="false"></property>
    				<property name="defaultTargetUrl" value="/urtargetUrl" />
    			</bean>
    		</property>
    		<property name="authenticationFailureHandler">
    		<bean
    				class="it.xxx.newstudentportal.security.NSPAuthenticationFailureHandler">
    		</bean>
    		</property>
    		<property name="filterProcessesUrl" value="/j_spring_security_check"></property>
    
    		<property name="sessionAuthenticationStrategy">
    			<bean
    				class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" >
    				</bean>
    				
    		</property>
    	</bean>
    
    	<bean id="requestCacheFilter"
    		class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter" >
    		
    		</bean>
    
    	<bean id="servletApiFilter"
    		class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
    	</bean>
    
    	<bean id="anonFilter"
    		class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    		<property name="key" value="SomeUniqueKeyForThisApplication" />
    		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
    	</bean>
    
    	<bean id="sessionMgmtFilter"
    		class="org.springframework.security.web.session.SessionManagementFilter">
    		<constructor-arg ref="securityContextRepository" />
    	</bean>
    
    	<bean id="exceptionTranslator"
    		class="org.springframework.security.web.access.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint">
    			<bean
    				class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    				<property name="loginFormUrl" value="/index.jsp" />
    				<property name="forceHttps" value="false"></property>
    				<!-- <property name="useForward" value="true"></property> -->
    			</bean>
    		</property>
    	</bean>
    
    	<bean id="filterSecurityInterceptor"
    		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    		<property name="securityMetadataSource">
    			<security:filter-security-metadata-source>
    				<!-- <sec:intercept-url pattern="/secure/extreme/*" access="ROLE_SUPERVISOR"/> -->
    				<security:intercept-url pattern="/XXX.html*"
    					access="IS_AUTHENTICATED_FULLY" />
    				<security:intercept-url pattern="/index.jsp"
    					access="IS_AUTHENTICATED_ANONYMOUSLY" />
    				<!-- <security:intercept-url pattern="/**" access="ROLE_USER" /> -->
    			</security:filter-security-metadata-source>
    		</property>
    		<property name="authenticationManager" ref="NSPauthenticationManager" />
    		<property name="accessDecisionManager" ref="accessDecisionManager" />
    	</bean>
    
    	<bean id="accessDecisionManager"
    		class="org.springframework.security.access.vote.AffirmativeBased">
    		<property name="decisionVoters">
    			<list>
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</property>
    	</bean>
    </beans>
    And then the successHandler Class:

    Code:
    import java.io.IOException;
    import java.io.Writer;
    
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.RedirectStrategy;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
    
    public class NSPSavedRequestAwareAuthenticationSuccessHandler extends
    		SavedRequestAwareAuthenticationSuccessHandler {
    
    	public NSPSavedRequestAwareAuthenticationSuccessHandler() {
    		// Install the no-op strategy once: the handler is a shared bean,
    		// so it should not be reconfigured on every login request.
    		setRedirectStrategy(new RedirectStrategy() {
    
    			@Override
    			public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
    					String s) throws IOException {
    				// do nothing: no redirect, so that it works with ExtJS
    			}
    		});
    	}
    
    	@Override
    	public void onAuthenticationSuccess(HttpServletRequest request,
    			HttpServletResponse response, Authentication authentication)
    			throws ServletException, IOException {
    
    		// The parent still runs its saved-request handling; its redirect is now a no-op.
    		super.onAuthenticationSuccess(request, response, authentication);
    
    		// Declare the body as JSON and write a valid JSON object (quoted key).
    		response.setContentType("application/json");
    		response.setCharacterEncoding("UTF-8");
    
    		Writer out = response.getWriter();
    		out.write("{\"success\":true}");
    		out.flush();
    		out.close();
    	}
    
    }
    It's very important to override the sendRedirect method to prevent Spring from automatically returning page content in the output stream.
    You can use JSON libraries too (like Jackson) to return complex types.

    Happy Coding

    On Behalf of NSP 2010 Team
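
Added example (not code from this thread or from the NSP project): the configuration above references `it.xxx.newstudentportal.security.NSPAuthenticationFailureHandler` without showing it. One way to write the failure side so that it answers with 403 and a JSON body instead of a redirect, under the hypothetical class name `JsonAuthenticationFailureHandler`:

```java
import java.io.IOException;
import java.io.Writer;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Hypothetical class name (an assumption of this example). It would be wired in
// as the authenticationFailureHandler property of the formLoginFilter bean.
public class JsonAuthenticationFailureHandler implements AuthenticationFailureHandler {

	private static final Logger LOG =
			Logger.getLogger(JsonAuthenticationFailureHandler.class.getName());

	public void onAuthenticationFailure(HttpServletRequest request,
			HttpServletResponse response, AuthenticationException exception)
			throws IOException, ServletException {

		// Record the failure type and source address server-side for monitoring.
		// The submitted username is not logged, to keep user input out of the log.
		LOG.warning("Login failure from " + request.getRemoteAddr()
				+ ": " + exception.getClass().getSimpleName());

		// Implementing the interface directly means there is no redirect
		// or forward to suppress; only the status and body below are sent.
		response.setStatus(HttpServletResponse.SC_FORBIDDEN);
		response.setContentType("application/json");
		response.setCharacterEncoding("UTF-8");
		// Keep the login response out of browser and proxy caches.
		response.setHeader("Cache-Control", "no-store");

		// Same fixed body for every failure (bad password, unknown user,
		// locked account), so the response does not reveal which accounts
		// exist. The exception message is deliberately not sent to the client.
		Writer out = response.getWriter();
		out.write("{\"success\":false,\"error\":\"authentication failed\"}");
		out.flush();
	}
}
```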
