I wrote here because I cannot find a clear answer to my problem:
My project is using Spring MVC and Spring Security. I well installed both for a web application (of course using Java). I can access with post and get method, but only after the user has been connected via the usual form of Spring Security.
From now, the user do a request on an address like this:
../../get.request?request=getListCommand
where get.request is a mapping from Spring MVC. This access is enable only after the user has been authenticated!
What I need to do: Add the possibility to access directly to this request, without has been authenticated previously, using an address like this one for example:
http://123.123.123.123:123/get.request?request=getListCommand&j_password=myPassword&j_username=myName
or
same thing with the post protocol and the params given (request=getListCommand, j_password=myPassword, j_username=myName)
Of course the authentication will have to be done previously the request is performed and the result sent back.
I searched on many website or directly on the Spring security website. They talk about filterchaining, own user name authentication, RMI; but I don't really found a full example doing what I presented above.
Thanks for anyone than can help me that way.
ps: I use all default or the most simple configuration for Spring security (no fengshui' style :-))
Here is my securit context xml file
<http realm="NexCap Up"
auto-config="true"
access-denied-page="/www/jsp/authentication/accessDenied.jsp"
create-session="always"
disable-url-rewriting="true">
<port-mappings>
<port-mapping http="8084" https="8443"/>
</port-mappings>
<intercept-url pattern="/www/jsp/authentication/connexion.jsp"
access='IS_AUTHENTICATED_ANONYMOUSLY' requires-channel="https"/>
<intercept-url pattern="/www/jsp/authentication/connexionFailed.jsp"
access='IS_AUTHENTICATED_ANONYMOUSLY' />
<intercept-url pattern="/www/jsp/authentication/applicationExit.jsp"
access='IS_AUTHENTICATED_ANONYMOUSLY' />
<intercept-url
pattern="/get.Request"
method="GET"
access="ROLE_REMOTE" />
<intercept-url
pattern="/post.Request"
method="POST"
access="ROLE_REMOTE" />
<intercept-url pattern="/**"
access="ROLE_REMOTE,ROLE_SCRIPT" />
<form-login
authentication-failure-url="/www/jsp/authentication/connexionFailed.jsp"
login-page="/www/jsp/authentication/connexion.jsp"
default-target-url="/www/jsp/index.jsp"
always-use-default-target="true"/>
<logout
logout-success-url="/www/jsp/authentication/applicationExit.jsp"
invalidate-session="true"/>
<session-management
invalid-session-url="/www/jsp/authentication/invalidSession.jsp"
session-authentication-error-url = "/www/jsp/authentication/authentificationError.jsp"
session-fixation-protection="none">
<!-- Sessions concurrentes -->
<concurrency-control
error-if-maximum-exceeded="false"
expired-url="/www/jsp/authentication/sessionExpired.jsp"
max-sessions="1" />
</session-management>
</http>
And the part of the web.xml file about the spring security
<security-constraint>
<web-resource-collection>
<web-resource-name>Security</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<filter>
<display-name>springSecurityFilterChain</display-name>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/secu-config.xml
</param-value>