Thread: Automatic login after account creation

  1. #1
    Join Date
    Dec 2010
    Posts
    8

    Automatic login after account creation

    Hello,

    I'm trying to determine what is the "correct" way to perform an automatic login after creating a new user account: programmatically inside the action or by Spring security filter outside of the action.

    Currently we are using Spring Security and Struts 2. We are doing something very similar to what was suggested in this thread when creating a new user account: http://forum.springsource.org/showthread.php?t=28165. That is, inside the Struts action we programmatically authenticate the user and update the Security Context (and it works).

    However, the question was raised on my project that we are not using Spring Security correctly by doing it that way, that it would be preferable to not programmatically authenticate the user inside the action, but rather allow Spring Security to perform the authentication from a filter.

    Is that true? Would that mean the password would have to get passed with a GET? Is the programmatic authentication actually preferred?

    Any insight/advice is appreciated. Thanks!

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    There's no point in using a filter to authenticate someone unless you want to have them explicitly re-enter the data after they have registered.

    You may want to use the AuthenticationManager to do the programmatic authentication, in order to tie into the event infrastructure, but it's up to you, depending on your requirements.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Dec 2010
    Posts
    8

    Quote: Originally posted by Luke Taylor
    You may want to use the AuthenticationManager to do the programmatic authentication, in order to tie into the event infrastructure, but it's up to you, depending on your requirements.
    Thanks for the response. Yes we are currently using the AuthenticationManager which is injected into the action that creates the account.

    So doing something like the following is the best practice with spring security after account creation?

    Code:
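    // Build an unauthenticated token from the credentials just submitted at registration.
    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, pw);
    token.setDetails(new WebAuthenticationDetails(request));
    // Authenticate through the injected AuthenticationManager; throws AuthenticationException on failure.
    Authentication authentication = authenticationManager.authenticate(token);
    // authInitializer is the poster's own project class, not part of Spring Security.
    authInitializer.initializeAuthenticatedUser(request, authentication);
    // Make the authenticated principal current for this request.
    SecurityContextHolder.getContext().setAuthentication(authentication);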

  4. #4

    I've had this same issue before.

    And resolving just being logged in is easy (like what you have above ... not exact but it was like that)

    However, I also wanted the LoginListeners to fire ... not sure how to make them fire

  5. #5
    Join Date
    Apr 2009
    Location
    Italy
    Posts
    37

    I'm facing this problem and this looks like a good solution; I will try this code as soon as I'm home. In the meantime, I'd like a clarification about that "authInitializer" reference. Is it something related to your very own project or is it a class of Spring Security?

    Thank you

  6. #6
    Join Date
    Dec 2010
    Posts
    8

    Quote: Originally posted by namero999
    I'd like a clarification about that "authInitializer" reference. Is it something related to your very own project or is it a class of Spring Security?
    Yes, sorry for the confusion, but you're right. The authInitializer class is not part of Spring.

    Cheers
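
Added example, not code from any poster in this thread or from the Spring project: one way to do the programmatic login discussed in posts #3 and #4 so that it also applies the session policy a login filter would apply (for example session-fixation protection) and notifies application listeners of the login. The class name PostRegistrationLogin and its wiring are hypothetical; it assumes a javax.servlet-based Spring Security setup in which the security filter chain stores the SecurityContext in the session at the end of the request.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/** Hypothetical helper (not a Spring class): logs a user in right after registration. */
public class PostRegistrationLogin {
    private final AuthenticationManager authenticationManager;
    private final SessionAuthenticationStrategy sessionStrategy; // e.g. SessionFixationProtectionStrategy
    private final ApplicationEventPublisher eventPublisher;

    public PostRegistrationLogin(AuthenticationManager authenticationManager,
                                 SessionAuthenticationStrategy sessionStrategy,
                                 ApplicationEventPublisher eventPublisher) {
        this.authenticationManager = authenticationManager;
        this.sessionStrategy = sessionStrategy;
        this.eventPublisher = eventPublisher;
    }

    /** Call only after the account has been persisted; a failed check throws AuthenticationException. */
    public Authentication login(String username, String rawPassword,
                                HttpServletRequest request, HttpServletResponse response) {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, rawPassword);
        token.setDetails(new WebAuthenticationDetails(request));

        // Go through the configured providers instead of building an authenticated token
        // by hand, so password, locked and disabled checks still run.
        Authentication authentication = authenticationManager.authenticate(token);

        // Apply the session policy before the user is treated as logged in, so a session id
        // that existed before registration is not carried into the authenticated session.
        sessionStrategy.onAuthentication(authentication, request, response);

        SecurityContextHolder.getContext().setAuthentication(authentication);

        // Listeners registered for interactive logins are notified explicitly here,
        // because no authentication filter handled this request.
        eventPublisher.publishEvent(
                new InteractiveAuthenticationSuccessEvent(authentication, getClass()));
        return authentication;
    }
}
```

Where the filter chain does not save the context automatically at the end of the request, the context must also be stored through the configured SecurityContextRepository.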
