Spring Security anonymous user has access to every URL

I'm developing a GWT application which I want to secure using Spring Security. I have user data in a database, and UserService is responsible for getting a particular User. I have followed this tutorial

AuthenticationProvider:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// User and UserService are the application's own classes (not shown in the question).
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired UserService userService;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // The form-login filter hands us a UsernamePasswordAuthenticationToken:
        // principal = submitted username, credentials = submitted password.
        String username = (String) authentication.getPrincipal();
        String password = (String) authentication.getCredentials();

        User user = userService.findByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        // Plain-text comparison: the stored value is compared as-is, so this is only
        // correct if the database holds the raw password rather than a hash of it.
        String storedPass = user.getPassword();
        if (!storedPass.equals(password)) {
            throw new BadCredentialsException("Invalid password");
        }
        // Wrap the domain User in our own Authentication and mark it authenticated.
        Authentication customAuthentication = new CustomUserAuthentication(user, authentication);
        customAuthentication.setAuthenticated(true);

        return customAuthentication;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only handle the token type produced by form login.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

CustomAuthentication:

    import java.util.ArrayList;
    import java.util.Collection;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;

    // Authentication object placed in the SecurityContext after a successful login.
    // It wraps the application's own User plus the original login token.
    public class CustomUserAuthentication implements Authentication {

        private static final long serialVersionUID = -3091441742758356129L;

        private boolean authenticated;

        private final GrantedAuthority grantedAuthority;
        private final Authentication authentication;
        private final User user;

        public CustomUserAuthentication(User user, Authentication authentication) {
            // The single authority is derived from the user's role enum (e.g. ROLE_USER).
            this.grantedAuthority = new SimpleGrantedAuthority(user.getRole().name());
            this.authentication = authentication;
            this.user = user;
        }

        @Override
        public Collection<GrantedAuthority> getAuthorities() {
            Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add(grantedAuthority);
            return authorities;
        }

        @Override
        public Object getCredentials() {
            return authentication.getCredentials();
        }

        @Override
        public Object getDetails() {
            return authentication.getDetails();
        }

        @Override
        public Object getPrincipal() {
            return user;
        }

        @Override
        public boolean isAuthenticated() {
            return authenticated;
        }

        @Override
        public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
            this.authenticated = authenticated;
        }

        @Override
        public String getName() {
            return user.getUsername();
        }

    }

Security context:

<s:http auto-config="true" create-session="always" >
    <s:intercept-url pattern="/index.html" access="ROLE_USER" />
    <s:logout logout-success-url="/login.html"/>
    <s:form-login login-page="/login.html" default-target-url="/index.html" authentication-failure-url="/login.html" />
</s:http>

<s:authentication-manager alias="authenticationManager">
    <s:authentication-provider ref="customAuthenticationProvider" />
</s:authentication-manager>

<bean id="customAuthenticationProvider" class="com.example.server.security.CustomAuthenticationProvider" />

Everything works fine: Spring intercepts the call to index.html, I need to log in, and it redirects me back to index.html. The problem is that when I log out and then go to index.html once again, I simply get access to it. I figured out that:

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    System.out.println("Logged as: " + auth.getName()); 

prints anonymousUser after logout. This code prints my user name when I log in again, so I suppose there is something wrong with intercepting the anonymous user. Does anyone know how to intercept the anonymous user?

Michał Sokołowski Avatar asked Feb 02 '26 18:02



1 Answer

Instead of:

<s:intercept-url pattern="/**" access="ROLE_USER" />

You can use:

<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY,ROLE_USER" />

That should make Spring Security deny access to the anonymous user. Of course, that implies you also need to add one of these:

<s:intercept-url pattern="/url_that_should_be_accessible_to_anonymous_user" access="IS_AUTHENTICATED_ANONYMOUSLY" />

for every pattern that anonymous users should be able to access: typically login pages, error pages and static resources (images, PDFs, etc.).

gpeche Avatar answered Feb 05 '26 08:02