
Pre-Authentication without Authorization using Spring Security

My requirement is:

In my application, the authentication is performed by a customized third-party API the first time the user logs in via the login screen (not by using Spring Security). Now we have a few enhancements in which REST service calls are used. Per the requirement, before making any REST call from our application, we need to reauthenticate the user against the database. Since the user is already validated when he logged in using the login screen and those details are available in the request, I am planning to use Spring Security for reauthenticating the user (Pre-Authentication scenario). We don't have any roles defined for the users in our application, so no need to worry about the roles. I have read the reference manual, but I didn't get much info on how to proceed further. One thing I understood is that we need to tell the Spring context somehow about the user after he is authenticated by the customized third-party API. I have even googled around a bit, but could not find a good example that suits my requirement. It would be great if anybody could guide me on how to start with an example.

I just need to tell the Spring context something like "hey..! this user is already authenticated, so he can be permitted to call the REST services after the user's credentials are verified by the customized third-party API."

I am not supposed to change the existing initial authentication process. I should only use the authenticated user info and use Spring Security further to reauthenticate the user.

My issue is somewhat similar to the issue mentioned in the Spring reference manual: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/preauth.html

Please don't answer with a single line (except if it has a proper external link). It would be great if you can show me an example or pseudo code.

Thanks in advance.

Ashok.N asked Oct 20 '22 13:10


1 Answer

I'd suggest making a "bridge" from Spring Security to the 3rd party login page. If you work with Spring, I think this is the best way to work.

Meaning, you have a login handler that will redirect the user to the 3rd party login page. After logging in, the user will be redirected back to the web-app.

Is this what you mean? Does it sound good? Does it make sense?

If so, you may use my article to get some help:

<security:http entry-point-ref="legacyEntryPoint">

Generally, it means that whenever a relevant http call tries to access your app, this is the entry-point that handles the request. In your case, legacyEntryPoint is a class that you will implement that will check if the user is authenticated; if not, it redirects the user to the 3rd party login system, otherwise it uses the known "token" to use your app.

Hope that helps!

OhadR answered Oct 23 '22 09:10
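
The two classes this answer describes, as an added example (not code from the answer or its linked article): a pre-authentication filter that picks up the user the third-party login already stored in the HTTP session, and a `legacyEntryPoint` that redirects everyone else to that login. The class names, the session attribute name, the login URL parameter and the `javax.servlet` API (matching the Spring Security 3.x docs linked in the question) are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Hands Spring Security the identity that the existing login stored server-side.
class LegacySessionPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumed attribute name; use whatever the existing login code sets.
    static final String LEGACY_USER_ATTR = "LEGACY_AUTHENTICATED_USER";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        // Trust only server-side state. A header or parameter is client-controlled
        // unless a trusted proxy in front of the app strips and rewrites it.
        // Returning null leaves the request unauthenticated.
        return session == null ? null : session.getAttribute(LEGACY_USER_ATTR);
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // The third party already checked the password; the value is a placeholder,
        // but PreAuthenticatedAuthenticationProvider rejects a null here.
        return "N/A";
    }
}

// Called by ExceptionTranslationFilter when an unauthenticated request
// reaches a protected URL.
class LegacyEntryPoint implements AuthenticationEntryPoint {

    // Fixed at configuration time; never build the target from request data,
    // which would turn this into an open redirect.
    private final String thirdPartyLoginUrl;

    LegacyEntryPoint(String thirdPartyLoginUrl) {
        this.thirdPartyLoginUrl = thirdPartyLoginUrl;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        response.sendRedirect(thirdPartyLoginUrl);
    }
}
```

The filter needs an `AuthenticationManager` backed by `PreAuthenticatedAuthenticationProvider`; the `AuthenticationUserDetailsService` set on that provider is where the database re-check of the user belongs, returning an empty authority list since no roles are defined.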