Spring Security - Programmatic login without a password

I am trying to perform an automatic login when the user clicks a link in their email with Spring Security.

I have seen a lot of examples to perform a programmatic login like the following:

UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
try {
    Authentication auth = authenticationManager.authenticate(token);
    SecurityContextHolder.getContext().setAuthentication(auth);
    repository.saveContext(SecurityContextHolder.getContext(), request, response);
    rememberMeServices.loginSuccess(request, response, auth);
    ....
} catch (AuthenticationException e) {
    // authentication failed: bad credentials, disabled account, etc.
}

The problem I see is that I do not have the original password, so I can't create a UsernamePasswordAuthenticationToken. Is there any other way to log in the user if I do not have the plain-text password (I only have the encoded one)?

Thanks in advance.

Agustin Lopez asked Jul 03 '12 14:07




1 Answer

Be careful that you know what you are doing in terms of allowing login from a link within an email. SMTP is not a secure protocol and so it is typically bad to rely on someone having an email as a form of authentication.

You do not need to use the AuthenticationManager if you already know they are authenticated. Instead you can just set the Authentication directly as shown below:

Authentication authentication = new UsernamePasswordAuthenticationToken(user, null,
    AuthorityUtils.createAuthorityList("ROLE_USER"));
SecurityContextHolder.getContext().setAuthentication(authentication);

If you want a complete example, you can refer to the SignupController in the secure mail application that was the basis for Getting Started with Spring Security 3.1 (InfoQ video of presentation).

Rob Winch answered Oct 17 '22 03:10

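The following is an added example, not code from the question or from Rob Winch's answer, showing how the "set the Authentication directly" approach from the answer fits into a complete e-mail-link login: the link carries a single-use, expiring token; only a hash of it is stored; the account's current authorities and status are loaded from the UserDetailsService instead of being trusted from the link; the session id is rotated before the context is saved. It assumes Spring Security 6 with Jakarta Servlet and Java 17 or later. LoginTokenStore, LoginToken, findAndConsume and the /login/email path are hypothetical names for illustration; UsernamePasswordAuthenticationToken, SecurityContextHolder, SecurityContextRepository and UserDetailsService are real Spring Security types.

```java
// Added example (not from the question or the answer): log a user in from a
// single-use e-mail link without ever handling the password.
// Assumptions: Spring Security 6, Jakarta Servlet, Java 17+. LoginTokenStore,
// LoginToken and findAndConsume are hypothetical application types, not Spring APIs.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.HexFormat;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class EmailLinkLoginController {

    /** Hypothetical store: returns the token for this hash and deletes it in the same step (single use). */
    public interface LoginTokenStore {
        LoginToken findAndConsume(String tokenHash);
    }

    /** Hypothetical record of one issued link: who it is for and when it stops being valid. */
    public record LoginToken(String username, Instant expiresAt) {}

    private final LoginTokenStore tokenStore;
    private final UserDetailsService userDetailsService;
    private final SecurityContextRepository securityContextRepository;

    public EmailLinkLoginController(LoginTokenStore tokenStore,
                                    UserDetailsService userDetailsService,
                                    SecurityContextRepository securityContextRepository) {
        this.tokenStore = tokenStore;
        this.userDetailsService = userDetailsService;
        this.securityContextRepository = securityContextRepository;
    }

    @GetMapping("/login/email")
    public String loginFromEmailLink(@RequestParam("token") String rawToken,
                                     HttpServletRequest request,
                                     HttpServletResponse response) {
        // Only the SHA-256 of the token is stored, so a database leak does not yield usable links.
        LoginToken token = tokenStore.findAndConsume(sha256Hex(rawToken));
        if (token == null || token.expiresAt().isBefore(Instant.now())) {
            // Unknown, already used, or expired link: fail closed without saying which.
            return "redirect:/login?error";
        }

        // Load the account's current roles and status rather than trusting anything in the link.
        UserDetails user = userDetailsService.loadUserByUsername(token.username());
        if (!user.isEnabled() || !user.isAccountNonLocked()) {
            return "redirect:/login?error";
        }

        // The three-argument constructor yields an already-authenticated token,
        // so no AuthenticationManager (and therefore no password) is involved.
        Authentication authentication =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());

        // Rotate the session id before storing the context to defeat session fixation.
        request.getSession(true);
        request.changeSessionId();

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);
        // Persist explicitly: the holder alone only lasts for this request's thread.
        securityContextRepository.saveContext(context, request, response);

        return "redirect:/";
    }

    /** Hex-encoded SHA-256 of the raw link token; the store is keyed on this value. */
    static String sha256Hex(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```

The two points that matter for the answer's warning about e-mail as an authentication factor are the token lifecycle (random, hashed at rest, consumed on first use, short expiry) and that authorities come from the user store at login time, so a link issued before an account was disabled or demoted cannot restore the old privileges.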