I currently have a setup that looks something like this: spring-security.xml: <pre class="prettyprint"><code><http auto-config="true"> <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <intercept-url pattern="/**" access="ROLE_USER" /> <form-login login-page="/login" default-target-url="/main.html" authentication-failure-url="/failedLogin"/> <logout logout-url="/logout.html" logout-success-url="/login" /> </http> <authentication-manager> <authentication-provider> <user-service> <user name="foo" password="bar" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager> </code></pre> web.xml: <pre class="prettyprint"><code><filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </code></pre> This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a url such as <code>/dog</code>, they will see the login page and if they pass in the credentials of <code>foo/bar</code> then they will be logged in and see the page corresponding to <code>/dog</code>. I want the ability to use a URL such as <code>/dog?token=abcd</code> which will bypass the login screen and take them directly to the page corresponding to <code>/dog</code>. If they provide an invalid token then they would just see an access denied page.

In Spring Security the scenario you want to cover is described in reference manual, chapter Pre-Authentication Scenarios. Basically you have to: <ul> <li>create custom filter by extending <code>AbstractPreAuthenticatedProcessingFilter</code> or choosing one of its implementations,</li> <li>register custom filter <code><custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" /></code>, </li> <li>implement or choose one of implemented <code>AuthenticationUserDetailsService</code>s,</li> <li>register the service in <code>PreAuthenticatedAuthenticationProvider</code> (with <code><property name="yourPreAuthenticatedUserDetailsService"></code>).</li> </ul> EDIT: In this answer OP shows his way of implementig custom <code>PRE_AUTH_FILTER</code>.

Spring Security: Ignore login page by using a special URL parameter

I currently have a setup that looks something like this:

spring-security.xml:

<http auto-config="true">
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login"
                default-target-url="/main.html"
                authentication-failure-url="/failedLogin"/>
    <logout logout-url="/logout.html" logout-success-url="/login" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="foo" password="bar" authorities="ROLE_USER" />                
        </user-service>
    </authentication-provider>
</authentication-manager>

web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a url such as /dog, they will see the login page and if they pass in the credentials of foo/bar then they will be logged in and see the page corresponding to /dog.

I want the ability to use a URL such as /dog?token=abcd which will bypass the login screen and take them directly to the page corresponding to /dog. If they provide an invalid token then they would just see an access denied page.

How do I limit the number of login attempts in Spring Security?

Solution. Review the existing Spring Security's authentication class, the “locked” feature is already implemented. To enable the limit login attempts, you need to set the UserDetails. isAccountNonLocked to false.

What is the use of Websecurityconfigureradapter in Spring Boot?

configure. Deprecated. Used by the default implementation of authenticationManager() to attempt to obtain an AuthenticationManager . If overridden, the AuthenticationManagerBuilder should be used to specify the AuthenticationManager .

What is the use of J_spring_security_check?

j_spring_security_check is a Servlet where the actual authentication is made and you must map the action of your login form to this Servlet.

In Spring Security the scenario you want to cover is described in reference manual, chapter Pre-Authentication Scenarios.

Basically you have to:

create custom filter by extending AbstractPreAuthenticatedProcessingFilter or choosing one of its implementations,
register custom filter <custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />,
implement or choose one of implemented AuthenticationUserDetailsServices,
register the service in PreAuthenticatedAuthenticationProvider (with <property name="yourPreAuthenticatedUserDetailsService">).

EDIT: In this answer OP shows his way of implementig custom PRE_AUTH_FILTER.

Spring Security: Ignore login page by using a special URL parameter

Tags:

java

spring

spring-security

digiarnie

People also ask

1 Answers

Xaerxess

Recent Activity

Donate For Us

Spring Security: Ignore login page by using a special URL parameter

Tags:

java

spring

spring-security

digiarnie

People also ask

1 Answers

Xaerxess

Related questions

Recent Activity

Donate For Us