0

I've been asked to modify a web app built in Java EE+Spring+Hibernate to provide security with Spring Security.

I haven't worked with Spring Security before, I've read the documentation but I don't see the proper way to make it work.

We have a login page that has another page embedded which has the actual login form, that form calls another web app's login action and calls one of our app's method with the result of the login. (The login page that is embedded is part of the "foreign" web app that handles the login).

I don't get how I'm supposed to configure Spring Security. I guess this is a pre-authentication scenario, but I don't have any clue how should I get this to work.

This is my security-context.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- preauthentication -->    
    <security:global-method-security pre-post-annotations="enabled">
    </security:global-method-security>

   <security:http auto-config="false" use-expressions="true" entry-point-ref="http403EntryPoint" access-denied-page="/403.jsp">
        <security:intercept-url pattern="/" access="permitAll"/>
        <security:intercept-url pattern="/403.jsp" access="permitAll"/>
        <security:intercept-url pattern="/gestion/**" access="permitAll"/>
        <security:intercept-url pattern="/consulta/**" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/importacion/**" access="hasRole('ROLE_ADMIN')"/>
        <!-- Allow non-secure access to static resources  -->
        <security:intercept-url pattern="/resources/**" access="permitAll"/>

        <security:logout logout-success-url="/"/>
    </security:http>

    <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
    </bean>

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/**" filters="j2eePreAuthFilter"/>
        </security:filter-chain-map>
    </bean>


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref='preAuthenticatedAuthenticationProvider'/>
    </security:authentication-manager>

    <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
    </bean>

    <bean id="preAuthenticatedUserDetailsService"
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>


    <bean id="j2eePreAuthFilter" class="es.myapp.security.MyUserJ2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
        <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
    </bean>

  <bean id="authenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
    <property name="mappableRolesRetriever" ref="j2eeMappableRolesRetriever"/>
    <property name="userRoles2GrantedAuthoritiesMapper" ref="j2eeUserRoles2GrantedAuthoritiesMapper"/>
  </bean>

  <bean id="j2eeMappableRolesRetriever" class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever">
  </bean>

   <bean id="j2eeUserRoles2GrantedAuthoritiesMapper" class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
    <property name="attributePrefix" value="test"/>
  </bean>


</beans>

And my web.xml

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>Aplicación Web</display-name>

    <!-- Define la localización de los ficheros de configuración de Spring -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/classes/applicationContext.xml
        </param-value>
    </context-param>

    <!-- Reads request input using UTF-8 encoding -->
    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>myUserJ2eePreAuthenticatedProcessingFilter</filter-name>
        <filter-class>es.myapp.security.MyUserJ2eePreAuthenticatedProcessingFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>myUserJ2eePreAuthenticatedProcessingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Handles all requests into the application -->
    <servlet>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <servlet-class>es.myapp.controller.MyDispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- del. welcome files -->
    <!-- useful for Servlet 3 container (Tomcat 7 and Jetty 6) -->
    <welcome-file-list>
        <welcome-file></welcome-file>
    </welcome-file-list>

    <!-- Referencia a recursos jndi WAS -->
    <resource-ref id="ResourceRef_XISCO">
        <res-ref-name>jdbc/myapp</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>

</web-app>
diminuta
  • 1,545
  • 8
  • 32
  • 55
  • 1
    When you say J2EE (note it's now JEE), what exactly do you mean? Are you using SpringMVC? Spring Security just disallows access to certain urls or services based on the users authentication level. Have a read of http://static.springsource.org/spring-security/site/tutorial.html – David Aug 20 '12 at 10:52
  • What is your question? What did you tried? Please be more specific. – Grzegorz Rożniecki Aug 20 '12 at 11:57
  • 1
    Do you mean Spring security 2 or 3? A big difference. – Adriaan Koster Aug 20 '12 at 12:38
  • I've just edited my original question so you can see my security-context.xml and web.xml contents. – diminuta Aug 22 '12 at 08:44

1 Answers1

2

on sucessful login from another application when method is invoked in login caller application . you should build authentication object and set for security context holder. 

    UserDetails user = userDetailsManager.loadUserByUsername(username);
    Authentication auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(auth);

not sure this is best way to do but this might solve your problem.

Jigar Parekh
  • 6,163
  • 7
  • 44
  • 64
  • I'm using Spring MVC. I tried several "configurations" in my security-context.xml but none of them worked. I mean Spring Security was up and running but the filters and services I developed were ignored... I mean, I secured some urls and when I tried to enter those urls I was redirected to the 403 page without entering the filter that was supposed to check my credentials... – diminuta Aug 22 '12 at 08:25
  • I'd post one of those configurations so you can tell me what I'm doing wrong. I haven't already posted it because I was wondering if you could point some example I could follow... – diminuta Aug 22 '12 at 08:29
  • Oh, and it's Spring Security 3 – diminuta Aug 22 '12 at 08:30
  • I've tried this, but it won't work... I think the problem is that I've missed something about the configuration... I've put breakpoints in the filter, and service and while debugging it doesn't go through the filter... and I can enter secured pages despite I don't have the authorised role... – diminuta Aug 24 '12 at 12:40
  • Now if I secure the methods with @preauthorize it works, what doesn't work is the jsp filtering... thanx! – diminuta Aug 24 '12 at 13:01