Question

I have a Java JSF 2, Spring 3, Hibernate 4 Java EE Application which uses a third party library to authenticate the users. I imported the required CA certs into my JVM, added the third library to the project and configured in web.xml. The library reads the users details from smart card. This whole setup is working and users are taken to the home page by the third party library.

Here are my requirements to secure the application.

  • Check one more time if the user exists in the application specific database
  • Get the roles of that user from the application database
  • Protect my JSF pages
  • Protect my application services

I looked at this link and it seems "AuthenticationProcessingFilter" is deprecated and not applicable for Spring 3!

http://codersatwork.wordpress.com/2010/02/13/use-spring-security-for-authorization-only-not-for-authentication/

I also looked at this one but I did not understand what other steps/configuration are needed.

spring-security: authorization without authentication

I would really appreciate if someone can outline what are all the items I need to implement Spring Security with Authorization only. This is what I came up with.

1) Update pom with spring 3 security, add a filter (which filter I should pick)

2) Custom User Detail

3) Custom DaoAuthenticationProvider

4) register this custom authentication provider in application-context.xml

5) register access decision managers for authorization


Solution

The base Spring Security classes suited for this use-case are org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter and org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider.

In case your current authentication library results in the user being authenticated in the standard Java EE way (i.e. calls to getUserPrincipal() on HttpServletRequest instance return the authenticated user's Principal) the things you need to do should be similar to:

  1. Implement interface org.springframework.security.core.userdetails.UserDetailsService which checks that the user exists in your application database and throws UsernameNotFoundException if it doesn't
  2. Add the following settings for the Spring Security:

    <!-- Declare the user details for database check -->
    <bean id="userDetails" class="com.yourpackage.DatabaseUserDetails"/>
    
    <!-- Default empty auth manager -->
    <security:authentication-manager alias="authenticationManager"/>
    
    <!-- Use default settings from the jee namespace -->
    <security:http>
        <security:jee mappable-roles="IS_AUTHENTICATED_FULLY" user-service-ref="userDetails"/>
    </security:http>
    
  3. Configure your Spring Security to perform authorization based on your requirements

The security:jee element initializes both a filter and an authentication provider and plugs your user-service into the provider.

In case your current authentication library doesn't use Java EE mechanisms, you will need to implement your own subclass of the AbstractPreAuthenticatedProcessingFilter which knows how to recognize that the user has authenticated.

You would then replace the default pre-auth filter with your own, so the configuration would look like:

<!-- Declare the user details for database check -->
<bean id="userDetails" class="com.yourpackage.DatabaseUserDetails"/>

<!-- Define provider -->
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"
              class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="userDetails"/>
        </bean>
    </property>
</bean>

<!-- Define alias for the authentication manager (same security: prefix as the other elements) -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider"/>
</security:authentication-manager>

<!-- Declare the custom filter -->
<bean id="authenticationFilter" class="com.yourpackage.AuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>

<security:http>
    <security:custom-filter ref="authenticationFilter" position="PRE_AUTH_FILTER"/>
</security:http>

You can find some more details in Spring Security documentation.
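As an added example (not part of the answer above and not the library's own code), here are the two classes the configuration refers to: the custom pre-auth filter and the database-backed UserDetailsService. It assumes the smart-card library stores the user id in a session attribute named `smartcard.userId` and an `app_user`/`user_role` schema; both are hypothetical, and the `userDetails` bean would need a `<property name="dataSource">` to wire the DataSource.

```java
// File: com/yourpackage/AuthenticationFilter.java
package com.yourpackage;

import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/** Pre-auth filter: trusts only a user id the smart-card library placed in the HTTP session. */
public class AuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String PRINCIPAL_ATTR = "smartcard.userId"; // hypothetical; use the library's real attribute
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // Read the existing session only: never create one, and never take the id from a header or
        // parameter, or any client could assert an identity. A null principal leaves the request anonymous.
        if (request.getSession(false) == null) return null;
        Object id = request.getSession(false).getAttribute(PRINCIPAL_ATTR);
        return id == null ? null : id.toString();
    }
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the card library already verified the credentials
    }
}
// File: com/yourpackage/DatabaseUserDetails.java
package com.yourpackage;

import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
/** Second check against the application database: unknown or disabled users are rejected, others get their DB roles. */
public class DatabaseUserDetails implements UserDetailsService {
    private JdbcTemplate jdbc;
    public void setDataSource(DataSource ds) { this.jdbc = new JdbcTemplate(ds); } // wired from the bean definition
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Assumed schema: app_user(user_id, enabled) and user_role(user_id, role); a user with no roles is treated as unknown
        List<String> roles = jdbc.queryForList(
            "SELECT r.role FROM app_user u JOIN user_role r ON r.user_id = u.user_id"
          + " WHERE u.user_id = ? AND u.enabled = 1", String.class, username);
        if (roles.isEmpty()) throw new UsernameNotFoundException("Not an application user: " + username);
        List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
        for (String role : roles) auths.add(new SimpleGrantedAuthority("ROLE_" + role));
        return new User(username, "N/A", auths); // password placeholder: never checked in the pre-auth flow
    }
}
```

`SimpleGrantedAuthority` exists from Spring Security 3.1; on 3.0 use `GrantedAuthorityImpl` instead. The thrown `UsernameNotFoundException` makes the `PreAuthenticatedAuthenticationProvider` reject the token, so a card holder who is not in the application database stays unauthenticated.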

Licensed under: CC-BY-SA with attribution