Spring MVC + Spring Security login with a REST web service


I have a Spring MVC web application that needs to authenticate against a RESTful web service using Spring Security, sending username and password. When the user is logged in, a cookie needs to be set in the user's browser, and in subsequent calls the user session is validated against the RESTful web service using that cookie.

I've been looking everywhere, but I have not been able to find an example of how to accomplish this, and my attempts have been in vain.

Here is what I have in mind:

I can have two authentication providers declared: the first checks the cookie, and if it fails for some reason it goes to the second one, which checks username and password (and will fail if there is no username and password in the request).

Both services return the authorities of the user each time, and Spring Security is "stateless".

On the other hand, I have questioned myself whether this approach is correct, since it has been difficult to find an example, or anyone else with the same problem. Is the approach wrong?

The reason why I want this instead of JDBC authentication is that the whole web application is stateless and the database is accessed through RESTful web services that wrap a "petitions queue", so I'd like to respect that for user authentication and validation too.

What have I tried so far? Rather than paste the long, long springsecurity-context.xml, I'll list them for now:

  1. Use a custom AuthenticationFilter with an AuthenticationSuccessHandler. Doesn't work because the user is already logged in at that point.
  2. Make an implementation of the entry-point-ref filter.
  3. Do a custom-filter in position BASIC_AUTH_FILTER.
  4. Make a custom authentication provider (struggled a lot, no luck!). I'm retrying this while I wait for answers.
  5. I was starting to use CAS when I decided to write this question instead. Maybe in the future I can consider having a CAS server in the webapp, but for the moment it feels like huge overkill.

Thanks in advance!

BTW, I'm using Spring Security 3.1.4 and Spring MVC 3.2.3.

EDIT: I was able to do it thanks to @coder's answer.

Here is some light on what I did; I'll try to document it and post it here or in a blog post sometime soon:

<http use-expressions="true" create-session="stateless"
      entry-point-ref="loginUrlAuthenticationEntryPoint"
      authentication-manager-ref="customAuthenticationManager">
    <custom-filter ref="restAuthenticationFilter" position="FORM_LOGIN_FILTER" />
    <custom-filter ref="restPreAuthFilter" position="PRE_AUTH_FILTER" />
    <intercept-url pattern="/signin/**" access="permitAll" />
    <intercept-url pattern="/img/**" access="permitAll" />
    <intercept-url pattern="/css/**" access="permitAll" />
    <intercept-url pattern="/js/**" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
</http>

<authentication-manager id="authManager" alias="authManager">
    <authentication-provider ref="preAuthAuthProvider" />
</authentication-manager>

<beans:bean id="restPreAuthFilter" class="com.company.CustomPreAuthenticatedFilter">
    <beans:property name="cookieName" value="sessioncookie" />
    <beans:property name="checkForPrincipalChanges" value="true" />
    <beans:property name="authenticationManager" ref="authManager" />
</beans:bean>

<beans:bean id="preAuthAuthProvider" class="com.company.CustomPreAuthProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper"
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="userDetailsService" />
        </beans:bean>
    </beans:property>
</beans:bean>

<beans:bean id="userDetailsService" class="com.company.CustomUserDetailsService" />

<beans:bean id="loginUrlAuthenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg value="/signin" />
</beans:bean>

<beans:bean id="customAuthenticationManager" class="com.company.CustomAuthenticationManager" />

<beans:bean id="restAuthenticationFilter" class="com.company.CustomFormLoginFilter">
    <beans:property name="filterProcessesUrl" value="/signin/authenticate" />
    <beans:property name="authenticationManager" ref="customAuthenticationManager" />
    <beans:property name="authenticationFailureHandler">
        <beans:bean
            class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <beans:property name="defaultFailureUrl" value="/login?login_error=t" />
        </beans:bean>
    </beans:property>
</beans:bean>

And the custom implementations look like this:

// Here the idea is to write the authenticate method and return a new UsernamePasswordAuthenticationToken
public class CustomAuthenticationManager implements AuthenticationManager { ... }

// Write the attemptAuthentication method and return a UsernamePasswordAuthenticationToken
public class CustomFormLoginFilter extends UsernamePasswordAuthenticationFilter { ... }

// Write the getPreAuthenticatedPrincipal and getPreAuthenticatedCredentials methods and
// return cookieName and cookieValue respectively
public class CustomPreAuthenticatedFilter extends AbstractPreAuthenticatedProcessingFilter { ... }

// Write the authenticate method and return
// Authentication auth = new UsernamePasswordAuthenticationToken(name, token, grantedAuths);
// (or null if it can't be pre-authenticated)
public class CustomPreAuthProvider extends PreAuthenticatedAuthenticationProvider { ... }

// Write the loadUserByUsername method and return
// UserDetails user = new User("hectorg87", "123456",
//         Collections.singletonList(new GrantedAuthorityImpl("ROLE_USER")));
public class CustomUserDetailsService implements UserDetailsService { ... }

  1. You can define a custom pre-auth filter extending AbstractPreAuthenticatedProcessingFilter.
  2. In your implementation of the getPreAuthenticatedPrincipal() method you can check if the cookie exists, and if it exists return the cookie name as the principal and the cookie value as the credentials.
  3. Use PreAuthenticatedAuthenticationProvider and provide a custom preAuthenticatedUserDetailsService to check if the cookie is valid; if it is valid, fetch the granted authorities, else throw an AuthenticationException (BadCredentialsException).
  4. For authenticating the user using username/password, add a form-login filter, basic filter or custom filter with a custom authentication provider (or custom UserDetailsService) to validate user/password.

In case the cookie exists, the pre-auth filter will set the authenticated user in the SecurityContext and the username/password filter will not be called; if the cookie is missing or invalid, the authentication entry point will trigger authentication using username/password.

Hope this helps.
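As an added example (not code from the question or the answer, nor from Spring Security itself), here is one way to implement the answer's steps 1 to 3 (cookie pre-authentication), step 4 (username/password against the REST service) and the cookie-setting the question asks for, in Java against the Spring Security 3.1 API. The `SessionService` interface, the `Session` class, the cookie name and the exception messages are assumptions standing in for the RESTful web service; the Spring Security classes, methods and filter positions are real. It departs from the configuration above in one respect: it plugs a custom `AuthenticationUserDetailsService` straight into the stock `PreAuthenticatedAuthenticationProvider` rather than going through `UserDetailsByNameServiceWrapper`, because that wrapper only hands `authentication.getName()` (the cookie name, given step 2) to `loadUserByUsername`, so a `UserDetailsService` behind it never sees the cookie value it is supposed to validate.

```java
// Added example (not code from the question or the answer). SessionService and Session are
// hypothetical stand-ins for the RESTful web service; the Spring Security types are real 3.1.x APIs.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.util.WebUtils;

/** Hypothetical client for the RESTful web service that owns user sessions (assumed, not on the page). */
interface SessionService {
    /** Exchanges username/password for a session; null means the credentials were rejected. */
    Session login(String username, String password);
    /** Re-validates an opaque session token; null means it is unknown or expired. */
    Session validate(String sessionToken);
}

/** A validated session: the opaque token and the user (with authorities) it belongs to. */
final class Session {
    final String token; final UserDetails user;
    Session(String token, UserDetails user) { this.token = token; this.user = user; }
}

/** Goes at PRE_AUTH_FILTER: hands the cookie to the AuthenticationManager, or does nothing without one. */
class SessionCookieFilter extends AbstractPreAuthenticatedProcessingFilter {
    private final String cookieName;
    SessionCookieFilter(String cookieName) { this.cookieName = cookieName; }
    // A null principal makes the base class skip authentication for this request, so anonymous
    // requests fall through to the entry point (the login page) instead of failing here.
    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        return WebUtils.getCookie(request, cookieName) == null ? null : cookieName;
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, cookieName);
        return cookie == null ? null : cookie.getValue();
    }
}

/** Set as preAuthenticatedUserDetailsService on the stock PreAuthenticatedAuthenticationProvider. */
class SessionTokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    private final SessionService sessions;
    SessionTokenUserDetailsService(SessionService sessions) { this.sessions = sessions; }
    @Override public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        // The cookie value is an opaque handle, never trusted by itself: the service decides every time.
        Session session = sessions.validate((String) token.getCredentials());
        if (session == null) {
            throw new BadCredentialsException("Session cookie is unknown or expired");
        }
        return session.user;
    }
}

/** Provider behind the FORM_LOGIN_FILTER: exchanges username/password for a session token. */
class RestLoginProvider implements AuthenticationProvider {
    private final SessionService sessions;
    RestLoginProvider(SessionService sessions) { this.sessions = sessions; }
    @Override public Authentication authenticate(Authentication auth) throws AuthenticationException {
        Session session = sessions.login(auth.getName(), (String) auth.getCredentials());
        if (session == null) {
            throw new BadCredentialsException("Bad username or password");
        }
        // The three-argument constructor marks the token authenticated. The session token rides in
        // details because ProviderManager erases credentials after a successful authentication.
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(session.user, null, session.user.getAuthorities());
        result.setDetails(session.token);
        return result;
    }
    @Override public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

/** Success handler for the form-login filter: writes the cookie that SessionCookieFilter will read. */
class SessionCookieSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private final String cookieName;
    SessionCookieSuccessHandler(String cookieName) { this.cookieName = cookieName; }
    @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws java.io.IOException, javax.servlet.ServletException {
        Cookie cookie = new Cookie(cookieName, (String) authentication.getDetails());
        cookie.setPath("/");
        cookie.setHttpOnly(true); // Servlet 3.0 API (assumed); keeps page scripts away from the token
        cookie.setSecure(true);   // the token is a bearer credential, so send it over HTTPS only
        response.addCookie(cookie);
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

Wiring follows the configuration above: `SessionCookieFilter` at `PRE_AUTH_FILTER` with an `<authentication-manager>` holding a `PreAuthenticatedAuthenticationProvider` whose `preAuthenticatedUserDetailsService` is `SessionTokenUserDetailsService`; a stock `UsernamePasswordAuthenticationFilter` at `FORM_LOGIN_FILTER` with a second manager holding `RestLoginProvider` and `SessionCookieSuccessHandler` as its success handler. With `create-session="stateless"` nothing is cached between requests, so the service is consulted on every call and `checkForPrincipalChanges` has nothing to compare against. A missing cookie makes the filter return a null principal and skip authentication; an invalid one makes the provider throw, which the filter swallows because `continueFilterChainOnUnsuccessfulAuthentication` defaults to true. In both cases the chain continues unauthenticated until the entry point redirects to the login page, which is the behaviour the answer describes.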

