
Spring 3.0 Security - Authorization with Authentication

I am new to Spring, and my requirement is that I do not want to authenticate the user with a username and password. The user is authenticated in some other application, and my app gets the request with the following details:

  1. User name
  2. Roles

I just want to use Spring Security to secure the pages according to the roles in the request. I've given a thought to writing a UserDetailsService, but that only adds request data; Spring still asks for authentication information. Then I thought about writing something like the following:

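import java.util.ArrayList;
import java.util.Collection;

import javax.annotation.Resource;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;

public class UserLogin {

    /*
    @Resource(name = "userDetailsService")
    private UserDetailsService userDetailsService;
    */

    @Resource(name = "authenticationManager")
    private AuthenticationManager authenticationManager;

    public boolean login(UserEntity user) {

        //UserDetails ud = userDetailsService.loadUserByUsername(username);

        // Turn the role names received with the request into granted authorities
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : user.getAuthorities()) {
            authorities.add(new GrantedAuthorityImpl(role));
        }

        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), authorities);

        try {
            Authentication auth = authenticationManager.authenticate(token);

            SecurityContext securityContext = new SecurityContextImpl();

            // Places in ThreadLocal for future retrieval
            SecurityContextHolder.setContext(securityContext);
            SecurityContextHolder.getContext().setAuthentication(auth);

        } catch (AuthenticationException e) {
            return false;
        }

        return true;
    }
}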

Am I going in the right direction? If so, how do I configure the whole thing in Spring XML?

adi asked Aug 11 '11 11:08



1 Answer

You're in what's called a Pre-Authentication scenario, where you configure Spring Security to only Authorize access, not Authenticate access. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html. Here is a full configuration, where you need to implement AbstractPreAuthenticatedProcessingFilter to grep your authentication scheme's UserPrincipal, and the custom UserDetailsService you mention above.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<security:global-method-security secured-annotations="enabled" />

<beans:bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<security:http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <security:custom-filter position="PRE_AUTH_FILTER" ref="myCustomPreAuthFilter" />
</security:http>

<beans:bean id="myCustomPreAuthFilter" class="com.mypackage.MyCustomPreAuthFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>

<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="myCustomUserDetailsService"/>
        </beans:bean>
    </beans:property>
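</beans:bean>

<!-- myCustomUserDetailsService (referenced above) must also be declared as a bean -->

</beans:beans>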

atrain answered Sep 28 '22 08:09
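A sketch of the filter the answer says to implement, written against the Spring Security 3.0 API. It is an added example, not code from the question, the answer or Spring Security itself. It assumes the upstream application forwards the user name and roles in two HTTP headers; the header names and the class `RequestRolesUserDetailsService` are hypothetical, and that service goes beyond the answer's by-name lookup by building the roles straight from the request.

```java
package com.mypackage;

import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Assumption: the upstream application forwards the user in two headers.
// The header names are hypothetical; the page does not say how the details arrive.
public class MyCustomPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String USER_HEADER = "X-Auth-User";
    static final String ROLES_HEADER = "X-Auth-Roles"; // e.g. "ROLE_USER,ROLE_ADMIN"

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // Returning null leaves the request unauthenticated; secured resources
        // are then refused via the configured Http403ForbiddenEntryPoint.
        String user = request.getHeader(USER_HEADER);
        return (user == null || user.trim().length() == 0) ? null : user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // Must be non-null: PreAuthenticatedAuthenticationProvider rejects null credentials.
        String roles = request.getHeader(ROLES_HEADER);
        return roles == null ? "" : roles;
    }
}

// Hypothetical helper: builds the UserDetails from the token alone, with no user store.
class RequestRolesUserDetailsService implements AuthenticationUserDetailsService {
    public UserDetails loadUserDetails(Authentication token) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : ((String) token.getCredentials()).split(",")) {
            if (role.trim().length() > 0) {
                authorities.add(new GrantedAuthorityImpl(role.trim()));
            }
        }
        // "N/A" stands in for the password, which this application never sees.
        return new User((String) token.getPrincipal(), "N/A", true, true, true, true, authorities);
    }
}
```

To use it with the configuration above, set `preAuthenticatedUserDetailsService` on `preauthAuthProvider` to a bean of this class instead of the `UserDetailsByNameServiceWrapper`. The headers are only as trustworthy as the path they arrive on: the application has to be reachable solely through the upstream system, which must overwrite any client-supplied copies of them.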