
Using Spring Security 3 with cookies

I have an application that is built in Java that requires authorization. However, the authentication piece is handled by a different/separate application (not in Java). The user logs in to the authentication app, and that app sets a cookie. If the user is authorized to access the Java app, they will be redirected by the authorization app to the Java app's URL.

I want to use Spring Security to verify/check the cookie before allowing access to the Java application. What's the best way to do this? The Java app should do the following:

  1. check to see if cookie exists
  2. if cookie exists, validate cookie values with db. If not, send them to other app to login
  3. if cookie is valid, show application. If not, send user to "authentication" app.

Any ideas?

qali asked Oct 11 '22 20:10


1 Answer

You can do this by making your own UsernamePasswordAuthenticationFilter. Inside the filter you can check for the cookies you need. You should only need to override the attemptAuthentication() method. You have the request and response objects there so checking for the cookies should be easy.

You will also need to implement a UserDetailsService to check the user credentials with the database.

  • This will help you on the custom filter.
  • This is how to write a UserDetailsService.

Your namespace config should look something like this:

<http use-expressions="true" auto-config="false" entry-point-ref="yourEntryPointInApp1">
    <custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</http>
<authentication-manager>
    <authentication-provider user-service-ref="myDetailsService" />
</authentication-manager>

Also be careful not to use <formLogin> if you decide to implement the filter.

Simeon answered Jan 01 '23 11:01
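The filter described in the answer above, as an added example that is not part of the original answer: it overrides attemptAuthentication(), reads the cookie, and hands the claimed identity to the AuthenticationManager so the database check happens in the provider. Assumptions: the cookie name AUTH_SESSION and its `username:token` layout are hypothetical, and `myDetailsService` is assumed to return the stored session token in the password field of the UserDetails it loads, so the default provider compares it with the token from the cookie.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/** Added example: the bean the answer's config refers to as "myFilter". */
public class CookieAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    // Assumption: the authentication app sets "AUTH_SESSION=<username>:<token>".
    static final String COOKIE_NAME = "AUTH_SESSION";

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        String value = singleCookieValue(request, COOKIE_NAME);
        if (value == null) {
            // Step 1 of the question: no cookie, so the user has not logged in.
            throw new AuthenticationCredentialsNotFoundException("No " + COOKIE_NAME + " cookie");
        }
        int sep = value.indexOf(':');
        if (sep <= 0 || sep == value.length() - 1) {
            throw new BadCredentialsException("Malformed " + COOKIE_NAME + " cookie");
        }
        // The cookie is only a claim. The provider behind the AuthenticationManager
        // checks the token against what the UserDetailsService loads from the database.
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
                value.substring(0, sep), value.substring(sep + 1));
        setDetails(request, authRequest);
        return getAuthenticationManager().authenticate(authRequest);
    }

    /** Returns the cookie value, or null if absent; rejects duplicates of the same name. */
    static String singleCookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        String found = null;
        for (Cookie c : cookies == null ? new Cookie[0] : cookies) {
            if (!name.equals(c.getName())) continue;
            if (found != null) throw new BadCredentialsException("Duplicate " + name + " cookie");
            found = c.getValue();
        }
        return found;
    }
}
```

By default this filter class only handles requests sent to its filterProcessesUrl, and the `myFilter` bean needs its authenticationManager property set before it will start.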