I'd like to track when users are logging in to my application. I have some code that I would like to execute right after the user is authenticated. The problem is, I can't figure out where this should be called. Does spring-security have a way to call a method after authentication?
There are multiple filters in Spring Security, one of which is the Authentication Filter, which initiates the process of authentication. Once the request passes through the authentication filter, the credentials of the user are stored in the Authentication object.
@Secured and @RolesAllowed are the same; the only difference is that @RolesAllowed is a standard annotation (i.e. not only Spring Security) whereas @Secured is Spring Security only. @PreAuthorize is different in that it is more powerful than the other two. It allows SpEL expressions for more fine-grained control.
Using the @Secured annotation. The @Secured annotation is used to specify a list of roles on a method. So, a user can only access that method if she has at least one of the specified roles.
Spring Security provides method-level security using the @PreAuthorize and @PostAuthorize annotations. This is expression-based access control. @PreAuthorize can check for authorization before entering the method. @PreAuthorize authorizes on the basis of a role or the argument which is passed to the method.
Probably will be useful for someone... In case of Spring 3, configure security:

    <security:http use-expressions="true" auto-config="true">
        <security:intercept-url pattern="..."/>
        <security:form-login
            authentication-failure-handler-ref="authFailureHandler"
            authentication-success-handler-ref="authSuccessHandler"/>
        <security:logout success-handler-ref="logoutSuccessHandler"
            invalidate-session="true"/>
        <security:session-management session-fixation-protection="newSession"/>
    </security:http>

    <bean id="authFailureHandler" class="mine.AuthenticationFailureHandlerImpl"/>
    <bean id="authSuccessHandler" class="mine.AuthenticationSuccessHandlerImpl"/>
    <bean id="logoutSuccessHandler" class="mine.LogoutSuccessHandlerImpl"/>

and implement an appropriate class:
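
    package mine;

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

    public class AuthenticationSuccessHandlerImpl implements AuthenticationSuccessHandler {

        // Called by the form-login filter once the user has been authenticated.
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request,
                                            HttpServletResponse response,
                                            Authentication authentication)
                throws IOException, ServletException {
            // do what you want with the response
            response.getOutputStream().write("success".getBytes());
        }
    }
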
You can link resources via that xml config.
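
A login-tracking variant of the success handler above, as an added example that is not part of the original answer. The class name LoginAuditSuccessHandler and the logger name audit.login are hypothetical; it assumes the javax.servlet API (as used with Spring Security 3) and would be registered as the authSuccessHandler bean.

```java
package mine;

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

// Hypothetical class: records each successful login, then keeps the default
// behaviour (redirect to the page the user originally asked for).
public class LoginAuditSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    // Assumed logger name; route it to a dedicated audit log in the logging config.
    private static final Logger AUDIT = Logger.getLogger("audit.login");
    private static final int MAX_FIELD = 256;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // Log who logged in and from where. Never log credentials or the session id.
        // Behind a reverse proxy getRemoteAddr() returns the proxy's address.
        AUDIT.info(String.format("login_success user=\"%s\" ip=\"%s\" agent=\"%s\"",
                clean(authentication.getName()),
                clean(request.getRemoteAddr()),
                clean(request.getHeader("User-Agent"))));

        // Delegate so the saved-request redirect still happens.
        super.onAuthenticationSuccess(request, response, authentication);
    }

    // The user name and headers are client-controlled: replace control characters
    // (CR/LF in particular) and quotes so a login cannot forge extra log entries,
    // and cap the length so a single field cannot flood the log.
    static String clean(String value) {
        if (value == null) {
            return "-";
        }
        String s = value.replaceAll("[\\p{Cntrl}\"]", "_");
        return s.length() > MAX_FIELD ? s.substring(0, MAX_FIELD) : s;
    }
}
```

Unlike writing "success" to the response body, delegating to the parent class leaves the normal post-login redirect intact.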