My requirement is to provide:
in the same project.
I have tried to plug Spring Security into an existing project as (code stripped down for simplicity):
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=
        "http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http auto-config="false">
        <remember-me user-service-ref="rememberMeUserService" key="some custom key" /> <!-- TODO: Key made for testing reasons.... -->
        <intercept-url pattern='/mainApplication/Main screen.html' access="ROLE_ADMIN"/>
        <intercept-url pattern='/**' filters="none"/> <!-- Allow entry to login screen -->
        <openid-login authentication-failure-url="/Login.html?error=true" default-target-url="/mainApplication/Main screen.html" user-service-ref="openIdUserService"/>
        <form-login login-page="/Login.html" authentication-failure-url="/Login.html?error=true" always-use-default-target="true" default-target-url="/mainApplication/Main screen.html"/>
    </http>

    <beans:bean id="rememberMeUserService" class="mypackage.CustomUserService">
        <beans:property name="usersService" ref="usersService"></beans:property>
    </beans:bean>

    <!-- Common login shared entry-point for both Form and OpenID based logins -->
    <beans:bean id="entryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/Login.html" />
    </beans:bean>

    <authentication-manager alias="authenticationManager"/>

    <beans:bean id="MyCustomAuthenticationProvider" class="mypackage.CustomAuthenticationProvider">
        <custom-authentication-provider />
        <beans:property name="usersService" ref="usersService"></beans:property>
    </beans:bean>

    <beans:bean id="openIdAuthenticationProvider" class="org.springframework.security.providers.openid.OpenIDAuthenticationProvider">
        <custom-authentication-provider />
        <beans:property name="userDetailsService" ref="openIdUserService"/>
    </beans:bean>

    <beans:bean id="openIdUserService" class="mypackage.OpenIDUserDetailsService">
        <beans:property name="usersService" ref="usersService"/>
    </beans:bean>

    <!-- Great, now i want to include SSO based sign on -->
    <!-- need to intercept a url of the form : /myApp/customLogin/<key> where <key> is my token key -->
</beans:beans>
As mentioned above, I need to track a URL of the form: /myApp/customLogin/12345 where 1235 is the token key. We were initially using (code stripped down for simplicity):
<servlet-mapping>
    <servlet-name>mySSOCapture</servlet-name>
    <url-pattern>/myApp/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/MyServlet</url-pattern>
</servlet-mapping>
What should I do here to enable Spring Security to help me manage this third authentication scheme?
A corollary question is: can I have many authentication providers in the same project? If yes, then how can they be matched to different functionalities (e.g. one providing URL-based authentication, one providing anonymous auth, etc.)?
There are basically 2 ways to implement Spring Security: through bean configuration in .xml files, or by using annotations.
For a quick demonstration, we'll configure two authentication providers – a custom authentication provider and an in-memory authentication provider.
The Authentication Provider: Spring Security provides a variety of options for performing authentication. These options follow a simple contract; an Authentication request is processed by an AuthenticationProvider, and a fully authenticated object with full credentials is returned.
The AuthenticationManager is only an interface; the actual implementation of the authenticate method is provided by the ProviderManager. The ProviderManager has a list of AuthenticationProviders. From its authenticate method it calls the authenticate method of the appropriate AuthenticationProvider.
Can't answer the question directly, but a 'helpful hint' from the Identity Management sector: Not all authentication systems have the same trust value - It is a serious breach of good security design to treat them equally.
I hope this helps with your design...
There are probably several ways to do this. There is some functionality that does something very similar, namely Pre-authentication. It's a good example of a way that you can add a custom filter that authenticates the user, after which the rest of the framework should take over.
What an AuthenticationProvider does is examine the Authentication object that is loaded into the session by a previous filter. You can register as many authentication providers as you want with the authentication manager (which simply runs the Authentication object through all of them), but you have to manage to get some filter in there that will handle your authentication scheme and populate the Authentication object. If you want this filter to also interact with the user (i.e. show a login form or something) it might interfere with other filters. In that case you can use separate filter chains, but this doesn't sound like it would be necessary in your case.
Okay, here is the solution:
<beans:bean id="mySsoFilter" class="somePackage.MySsoProcessingFilter">
    <custom-filter after="CAS_PROCESSING_FILTER"/> <!-- Just a reference Point-->
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="defaultTargetUrl" value='/mainApplication/Main screen.html' />
    <beans:property name="authenticationFailureUrl" value="/Login.html?error=true"/>
</beans:bean>
Hope this helps someone in need...
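One way the filter class named in the bean definition above could look, with a provider that accepts only its token type, which is how several providers are matched to different schemes. This is an added example, not code from the original post; it assumes the Spring Security 2.0.x API that the page's schema declares, and `SsoTokenAuthentication`, `SsoTokenAuthenticationProvider` and `SsoTokenStore` are hypothetical names.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.*;
import org.springframework.security.providers.AbstractAuthenticationToken;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.ui.AbstractProcessingFilter;
import org.springframework.security.ui.FilterChainOrder;
import org.springframework.security.userdetails.UserDetails;

public class MySsoProcessingFilter extends AbstractProcessingFilter {
    private static final String PREFIX = "/myApp/customLogin/";
    // Act only on /myApp/customLogin/<key>; other requests continue down the chain.
    protected boolean requiresAuthentication(HttpServletRequest req, HttpServletResponse res) {
        return req.getRequestURI().startsWith(req.getContextPath() + PREFIX);
    }
    public Authentication attemptAuthentication(HttpServletRequest req) throws AuthenticationException {
        String uri = req.getRequestURI().split(";")[0]; // drop ;jsessionid=...
        String key = uri.substring(req.getContextPath().length() + PREFIX.length());
        if (key.length() == 0 || key.indexOf('/') >= 0) throw new BadCredentialsException("Malformed SSO token");
        // Hand an unauthenticated request object to the ProviderManager.
        return getAuthenticationManager().authenticate(new SsoTokenAuthentication(key));
    }
    public String getDefaultFilterProcessesUrl() { return "/myApp/customLogin"; }
    // The <custom-filter after="CAS_PROCESSING_FILTER"/> element positions the bean; this mirrors it.
    public int getOrder() { return FilterChainOrder.CAS_PROCESSING_FILTER + 1; }
}

// Hypothetical token type: its class is what routes the request to one provider.
class SsoTokenAuthentication extends AbstractAuthenticationToken {
    private final Object principal; // token key before authentication, UserDetails after
    SsoTokenAuthentication(String key) { super(null); principal = key; }
    SsoTokenAuthentication(UserDetails user) { super(user.getAuthorities()); principal = user; setAuthenticated(true); }
    public Object getCredentials() { return ""; }
    public Object getPrincipal() { return principal; }
}

// Hypothetical store: consume() returns null for unknown keys and invalidates a key on first use.
interface SsoTokenStore { UserDetails consume(String key); }

class SsoTokenAuthenticationProvider implements AuthenticationProvider {
    private SsoTokenStore tokenStore;
    public void setTokenStore(SsoTokenStore tokenStore) { this.tokenStore = tokenStore; }
    // ProviderManager asks every provider; only this one accepts SSO token requests.
    public boolean supports(Class authentication) { return SsoTokenAuthentication.class.isAssignableFrom(authentication); }
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        UserDetails user = tokenStore.consume((String) auth.getPrincipal());
        if (user == null) throw new BadCredentialsException("Unknown or expired SSO token");
        return new SsoTokenAuthentication(user);
    }
}
```

The provider bean would be registered with `<custom-authentication-provider />` like the two providers in the question. Because the key travels in the URL path it ends up in access logs and browser history, which is why the assumed store treats it as single-use.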