Spring security pre-authentication for development mode

While developing an application it's quite useful to be able to quickly login as different users, with different roles, to see how the application presents itself.

Typing usernames and entering passwords is no fun, and a waste of time. What I'd like to do is:

  • add a page/panel with a list of available usernames;
  • clicking on a username will generate an event for Spring security which allows it to recognize the user as authenticated, without entering passwords;
  • after clicking the link I am authenticated as the specified user.

N.B.: Passwords are hashed and submitted in plain-text using forms, so encoding the passwords in the links is not an option.

Obviously this feature will only be present at development time.

How can I achieve this?

Robert Munteanu asked Jul 01 '09 08:07





2 Answers

Use InMemoryDaoImpl for development mode. It is very easy to create users and passwords stored in memory:

<!-- Development-only user store; one entry per line: username=password,ROLE_1,ROLE_2,... -->
<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
      admin=admin,ROLE_ADMIN,ROLE_USER
      user1=user1,ROLE_USER
      user2=user2,ROLE_USER
    </value>
  </property>
</bean>

In development mode inject this to your authentication provider. In production replace it with the proper DB or LDAP implementation.

kgiannakakis answered Oct 24 '22 10:10

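The same development user set expressed with the Spring Security 5.x Java config API, added here as an example (it is not the answer's own code). It assumes Spring profiles are in use: the bean only exists while the "dev" profile is active, so the fixed accounts never reach a production deployment, and the passwords are still stored hashed through the delegating encoder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Only loaded when the "dev" profile is active (e.g. -Dspring.profiles.active=dev).
// With any other profile no UserDetailsService is defined here, so the real
// DB or LDAP implementation must be wired instead.
@Configuration
@Profile("dev")
public class DevUsersConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Produces "{bcrypt}..." encoded passwords; nothing is kept in plain text.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager();

        // Same accounts as the XML userMap above (constructed dev credentials).
        users.createUser(User.withUsername("admin")
                .password(encoder.encode("admin"))
                .roles("ADMIN", "USER")   // roles() prefixes ROLE_ automatically
                .build());
        users.createUser(User.withUsername("user1")
                .password(encoder.encode("user1"))
                .roles("USER")
                .build());
        users.createUser(User.withUsername("user2")
                .password(encoder.encode("user2"))
                .roles("USER")
                .build());
        return users;
    }
}
```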


I have done it this way for a web application:

I have a configuration parameter in the context.xml of the server (of course only on the development server). This parameter contains a comma-separated list of usernames and passwords.

The login page (jsp(x)) simply adds an extra form and submit button for each username/password item from the context parameter. So if a user clicks on that button, the normal login process with the predefined login data is triggered.

Server context.xml

...
<Context>
    ...
    <Parameter name="quickLogin"
               value="admin:passwd,user:otherPasswd"
               override="false" />
</Context>

login.jspx

...
<!-- Login for debugging purposes -->     
<c:forTokens items="${initParam.quickLogin}" delims="," var="loginPassword">
    <c:set var="login" value="${fn:split(loginPassword, ':')[0]}" />
    <c:set var="password" value="${fn:split(loginPassword, ':')[1]}" />

    <form name="debugLogin" action="${form_url}" method="POST" >
        <crsf:hiddenCrsfNonce/>
        <input type="hidden" name='j_username' value="${fn:escapeXml(login)}" />
        <input type="hidden" name='j_password' value="${fn:escapeXml(password)}" />
        <input type="submit" value="${fn:escapeXml(login)} login" />
    </form>
</c:forTokens>
...
Ralph answered Oct 24 '22 10:10
