I want to use a custom authentication filter that:
I want to be able to use this security context holder to get the details about the current requesting user and correctly handle their requests.
```java
@RequestMapping(value = "/simple", method = RequestMethod.POST)
@ResponseBody
@Transactional
@PreAuthorize(...)
public String simple() {
    // collect the user's current details from getPrincipal() and complete the transaction...
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    return "Simple";
}
```
I have done this before in XML like so:
```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:global-method-security
        secured-annotations="enabled" />

    <security:http pattern="/**"
        auto-config="true" disable-url-rewriting="true" use-expressions="true">
        <security:custom-filter ref="authenticationTokenProcessingFilter"
            position="FORM_LOGIN_FILTER" />
        <security:intercept-url pattern="/authenticate"
            access="permitAll" />
        <security:intercept-url pattern="/secure/**"
            access="isAuthenticated()" />
    </security:http>

    <bean id="CustomAuthenticationEntryPoint" class="org.foo.CustomAuthenticationEntryPoint" />

    <bean class="org.foo.AuthenticationTokenProcessingFilter" id="authenticationTokenProcessingFilter">
        <constructor-arg ref="authenticationManager" />
    </bean>
</beans>
```
However, I want this to work with a newer Spring Boot application in a non-XML WebSecurityConfigurerAdapter like the example in their Spring Boot files:
```java
@Bean
public ApplicationSecurity applicationSecurity() {
    return new ApplicationSecurity();
}

@Order(Ordered.LOWEST_PRECEDENCE - 8)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // this is obviously for a simple "login page" not a custom filter!
        http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
            .loginPage("/login").failureUrl("/login?error").permitAll();
    }
}
```
Any advice or similar examples out there?
Java-based configuration option enables you to write most of your Spring configuration without XML but with the help of few Java-based annotations explained in this chapter.
Is it possible to avoid using xml in Spring or better to mix xml files and annotations? Yes, it is. Spring now promotes Java configuration, and it's perfectly doable (I'm doing it) and even easy to only use Java to configure your Spring app. Even without using Boot.
If you find that specific auto-configure classes are being applied that you don't want, you can use the exclude attribute of @EnableAutoConfiguration to disable them. If the class is not on the classpath, you can use the excludeName attribute of the annotation and specify the fully qualified name instead.
I am doing something similar now. Someone might find this helpful in the future. Doing an XML to Java config translation would make it look like the following:
```java
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableGlobalMethodSecurity(securedEnabled = true) // <security:global-method-security secured-annotations="enabled" />
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("authenticationTokenProcessingFilter")
    private Filter authenticationTokenProcessingFilter;

    @Autowired
    private AuthenticationEntryPoint entryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling().authenticationEntryPoint(entryPoint);

        http
            // <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
            // http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html
            .addFilterBefore(authenticationTokenProcessingFilter, UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests() // use-expressions="true"
                // Rules are matched in declaration order, so the specific patterns
                // must come before anyRequest(); otherwise they are never reached.
                .antMatchers("/authenticate").permitAll()   // <security:intercept-url pattern="/authenticate" access="permitAll" />
                .antMatchers("/secure/**").authenticated()  // <security:intercept-url pattern="/secure/**" access="isAuthenticated()" />
                .anyRequest().authenticated()
                .and()
            .formLogin() // auto-config="true"
                .and()
            .httpBasic();
    }
}
```
This should interest you:
Security Method Annotations with Java Configuration and Spring Security 3.2
and
http://spring.io/blog/2013/07/04/spring-security-java-config-preview-method-security/
From what you are doing, I don't see this annotation in the code you posted.
**@EnableGlobalMethodSecurity**