I currently have a setup that looks something like this:
spring-security.xml:
    <http auto-config="true">
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login"
                    default-target-url="/main.html"
                    authentication-failure-url="/failedLogin"/>
        <logout logout-url="/logout.html" logout-success-url="/login" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="foo" password="bar" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
web.xml:
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a URL such as /dog, they will see the login page and if they pass in the credentials of foo/bar then they will be logged in and see the page corresponding to /dog.
I want the ability to use a URL such as /dog?token=abcd which will bypass the login screen and take them directly to the page corresponding to /dog. If they provide an invalid token then they would just see an access denied page.
In Spring Security the scenario you want to cover is described in the reference manual, chapter Pre-Authentication Scenarios.
Basically you have to:
- extend AbstractPreAuthenticatedProcessingFilter or choose one of its implementations, registered with <custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />,
- provide an AuthenticationUserDetailsService,
- configure a PreAuthenticatedAuthenticationProvider (with <property name="yourPreAuthenticatedUserDetailsService">).
EDIT: In this answer OP shows his way of implementing a custom PRE_AUTH_FILTER.
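As an added example (not code from the question or the answer) of the filter and AuthenticationUserDetailsService the answer lists, applied to the question's /dog?token=abcd case; the class names, the in-memory token store and the bean ids in the wiring comment are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
// Wiring (assumed bean ids): <custom-filter position="PRE_AUTH_FILTER" ref="tokenPreAuthFilter"/>,
// the filter's authenticationManager property pointing at <authentication-manager alias="...">, and a
// PreAuthenticatedAuthenticationProvider whose preAuthenticatedUserDetailsService is TokenUserDetailsService.

/** Step 1: the PRE_AUTH_FILTER. Presents the "token" query parameter as the principal. */
public class TokenPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // null means "no token": the filter does nothing and the normal form login applies
        return request.getParameter("token");
    }
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the token itself is the principal; there is no separate credential
    }
}

/** Step 2: maps a presented token to a user; unknown tokens are rejected. */
class TokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    // Assumed token store (token -> username), mirroring the question's foo / abcd example.
    // Real tokens should be long random values, expiring, and stored hashed rather than raw.
    private final Map<String, String> tokens = new HashMap<>();
    { tokens.put("abcd", "foo"); }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken auth) {
        byte[] presented = String.valueOf(auth.getPrincipal()).getBytes(StandardCharsets.UTF_8);
        for (Map.Entry<String, String> e : tokens.entrySet()) {
            // constant-time compare so response timing does not reveal a matching prefix
            if (MessageDigest.isEqual(e.getKey().getBytes(StandardCharsets.UTF_8), presented)) {
                return new User(e.getValue(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
            }
        }
        // Rejecting makes the provider fail the request; keep the token out of the message, it gets logged
        throw new UsernameNotFoundException("unknown pre-authentication token");
    }
}
```

With this in place a request without a token still goes through the form login, while a rejected token clears the security context and the request falls through to the configured entry point or access-denied handling.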