Auto login with spring security

I have an application which uses spring-security. In my signup process, a new user entity gets persisted with the HASHED password, and an email containing an activation token is then sent to the user. Clicking on this token directs the user to a UserActivationServlet which looks up the user by the token, activates the user and redirects them to the application. I would like to automatically log the user into the application and have included this method in my servlet to do this:

    private void authenticateUserAndSetSession(HttpServletRequest request, User u) {
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                u.getUsername(), u.getPassword()); //PROBLEM: THIS PASSWORD IS HASHED

        // generate session if one doesn't exist
        request.getSession();

        token.setDetails(new WebAuthenticationDetails(request));
        // authenticate() checks the supplied credential against the stored hash,
        // so supplying the stored hash itself as the credential will not pass
        Authentication authenticatedUser = authenticationManager.authenticate(token);

        SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
        request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
                SecurityContextHolder.getContext());
    }

The problem here is that the password field on the User entity has been hashed when it was created. So the only other option I can think of is to pass the unhashed password as a request parameter to the servlet (nasty!)

Have I missed something, is there another way of pre-authenticating the user?

Thanks

asked Jul 05 '11 10:07 by Clinton Bosch


1 Answer

The user has clicked on the activation link and we have looked him up, so clearly we have a valid user; there is no need to re-authenticate him with the authenticationManager, and so no need to use credentials when creating the token. Just create it as follows:

    // p is the user looked up by the activation token; the three-argument constructor
    // marks the token as already authenticated, so no credentials are needed
    PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(
            p, null, p.getAuthorities());
answered Oct 03 '22 20:10 by Clinton Bosch
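The full activation-time login the answer describes, as an added example (not the poster's code): it assumes the User entity implements Spring Security's `UserDetails`, that the caller has already validated and consumed the activation token, and the class name `ActivationLogin` is hypothetical.

```java
// Added example, not the original poster's code. Logs in an already-verified user after
// activation without ever touching the password. Assumptions: the User entity implements
// Spring Security's UserDetails, and the activation token was checked (unexpired, unused)
// and marked consumed before this method is called.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

public final class ActivationLogin {

    private ActivationLogin() {}

    /** Establish an authenticated session for an activated user. */
    public static void loginActivatedUser(HttpServletRequest request, UserDetails user) {
        // Never build a UsernamePasswordAuthenticationToken from the stored hash: the
        // AuthenticationManager would compare the hash against itself and reject it.
        // The three-argument constructor marks the token as already authenticated,
        // so no AuthenticationManager round-trip is needed.
        PreAuthenticatedAuthenticationToken auth =
                new PreAuthenticatedAuthenticationToken(user, null, user.getAuthorities());
        auth.setDetails(new WebAuthenticationDetails(request));

        // Rotate the session at the privilege change (session-fixation defence):
        // drop whatever pre-login session the activation link arrived with.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);

        // Populate a fresh context rather than mutating the shared one, then store it
        // under the key the Spring Security filter chain reads on the next request.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);
        session.setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
    }
}
```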