Menu
My application requirements are that I need to parse some information from the http request url in order to authenticate the user. Obviously I just cannot use an implementation of UserDetailsService.
My question is, how can implement a UserDetailsService (or equivalent authentication scheme) that needs access to the HttpServletRequest?
My Spring Security version is 3.0.7.RELEASE
452
Simply put, Spring Security hold the principal information of each authenticated user in a ThreadLocal – represented as an Authentication object. In order to construct and set this Authentication object – we need to use the same approach Spring Security typically uses to build the object on a standard authentication.
There's a very similar question in the Spring Security FAQ.
You can inject a custom AuthenticationDetailsSource into the authentication filter to extract additional relevant information from the incoming request. This information can then be obtained from the submitted Authentication object in a custom AuthenticationProvider.
190
One of possible solutions is to use RequestContextFilter. You can define it in web.xml as on the following snippet:
<filter>
<filter-name>requestContextFilter</filter-name>
<filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>requestContextFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
or if you just need it for some security issues then the better place is to put it to Spring Security config file, as on the following example:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http>
<custom-filter ref="requestContextFilter" before="FORM_LOGIN_FILTER"/>
<form-login login-page="/login" authentication-failure-url="/login?error=failed" />
</http>
<beans:bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>
<authentication-manager alias="authManager">
<authentication-provider ref="authProvider" />
</authentication-manager>
<beans:bean id="authProvider" class="my.company.CustomAuthProvider" />
</beans:beans>
Then you can use RequestContextHolder.currentRequestAttributes() method in Spring Security classes. For example as follows:
public class CustomAuthProvider extends DaoAuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
System.err.println(attr.getRequest().getParameter("myParameterName"));
return super.authenticate(authentication);
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
