
Hi all I have a huge issue in my project.

I have configured my project to use Java EE security for authentication and Spring Security for authorization, using Spring Security's pre-authentication support.

After the Java EE login, the application reaches the pre-authentication filter classes, where I set the granted authorities. But after that, instead of navigating to my home page, the application prompts me to log in again through the Java EE container security. If I log in a second time, it navigates to the home page of the application. I want to get rid of this second login.

I'm using Vaadin for the UI. My configuration files follow.

web.xml
-------------------------------------------------------------------
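<!-- Container-managed (Java EE) access rule: every request under /application/*
     requires a caller in the "authenticated" role. No <http-method> is listed,
     so the rule applies to all HTTP methods. -->
<!-- NOTE(review): this fragment shows no <user-data-constraint>. With FORM login
     the credentials are posted to the container, so unless TLS is enforced
     elsewhere, add a <user-data-constraint> with
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> to this constraint. -->
<security-constraint>
        <display-name>SecureApplicationConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>Vaadin application</web-resource-name>
            <!-- Kept on one line: whitespace inside element text is part of the value. -->
            <description>The entire Vaadin application is protected</description>
            <url-pattern>/application/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>Only valid users are allowed</description>
            <role-name>authenticated</role-name>
        </auth-constraint>
    </security-constraint>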

    <!-- FORM authentication performed by the servlet container: an unauthenticated
         request to a constrained URL is answered with /login.jsp. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <!-- The error page is the same JSP as the login page, so a failed login
                 shows the form again. NOTE(review): login.jsp is not shown; if it
                 prints a failure message, keep it generic so it does not reveal
                 whether the user name exists. -->
            <form-error-page>/login.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Declares the role name referenced by the auth-constraint in this file.
         Which users hold the role is decided by the container's realm
         configuration, which is not part of this fragment. -->
    <security-role>
        <description />
        <role-name>authenticated</role-name>
    </security-role>

=====================================================================
security.xml
======================================================================
 <!-- Spring Security filter chain for the application. Authentication is meant to
      arrive from the container through the custom filter at PRE_AUTH_FILTER;
      this chain then enforces the ROLE_XXXUSER authority on /application/**. -->
 <!-- NOTE(review): auto-config='true' also switches on Spring's own form-login,
      http-basic and logout defaults. With container-managed FORM login these look
      unnecessary and add a second way in; confirm and drop auto-config if so. -->
 <sec:http realm="My Realm" auto-config='true' create-session="ifRequired" disable-url-rewriting="true">
    <!-- web.xml uses the container role "authenticated" while this rule needs
         ROLE_XXXUSER, so the custom filter/details source has to map one to the
         other (assumption: those classes are not shown). -->
    <sec:intercept-url pattern="/application/**" access="ROLE_XXXUSER"/>   
    <sec:custom-filter ref="myPreAuthFilter" position="PRE_AUTH_FILTER"/>  
    <!-- NOTE(review): "newSession" makes Spring replace the HTTP session once it
         has authenticated the user. Containers commonly keep the FORM-login
         principal with the session, so discarding that session can make the
         container ask for credentials again, which matches the second login
         described above. Verify against the container in use. If the container
         already changes the session id at login, session fixation is handled
         there and this chain can use "none"; do not disable it otherwise. -->
    <sec:session-management session-fixation-protection="newSession"/>
  </sec:http>

  <!-- Registers preAuthenticatedAuthenticationProvider with the authentication
       manager created by the security namespace and exposes that manager under
       the alias "authenticationManager". -->
  <!-- NOTE(review): a <bean id="authenticationManager"> is also declared further
       down in this file. Two definitions under one name are ambiguous; keep one
       and check which instance the pre-auth filter actually receives. -->
  <sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref='preAuthenticatedAuthenticationProvider'/>
  </sec:authentication-manager>

  <!-- Custom pre-authentication filter, wired with the authentication manager and
       the custom details source. -->
  <!-- NOTE(review): the filter class is not shown. It should take the principal
       only from what the container reports for the request (its authenticated
       user principal), never from a header or parameter the client controls.
       Confirm in the class. -->
  <bean id="myPreAuthFilter" 
       class="com.xxx.yyy.web.security.xxxPreAuthenticatedProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
    <!-- false: a failed pre-authentication is raised as an error instead of letting
         the request continue down the chain unauthenticated. -->
    <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
  </bean>

  <!-- Custom authentication details source handed to the pre-auth filter.
       NOTE(review): the class is not shown; presumably it supplies the granted
       authorities for the request. Verify that they are derived only from roles
       the container has already established for the user. -->
  <bean id="authenticationDetailsSource" 
           class="com.xxx.yyy.web.security.xxxAuthenticationDetailsSource" />

  <!-- Explicit ProviderManager whose only provider is
       preAuthenticatedAuthenticationProvider. -->
  <!-- NOTE(review): the name "authenticationManager" is also used as the alias of
       <sec:authentication-manager> earlier in this file, with the same single
       provider. One of the two definitions is redundant; remove one so it is
       clear which manager the filter uses. -->
  <bean id="authenticationManager" 
          class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
      <list>
        <ref bean="preAuthenticatedAuthenticationProvider"/>
      </list>
    </constructor-arg>
  </bean>

  <!-- Provider for pre-authenticated requests. It checks no credentials itself:
       it accepts the principal presented by the pre-auth filter and asks the
       user details service below to build the user. The trust decision therefore
       rests entirely on the container login and on the custom filter. -->
  <bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
  </bean>

  <!-- Builds the user from the granted authorities carried in the authentication
       details rather than from a user store, so whatever authorities the details
       source supplies become the user's authorities. -->
  <bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>

</beans>
  • Which realm do you use in Tomcat (conf\server.xml)? BTW, form-error-page is generally configured to a different page than form-login-page. Do you use J2eePreAuthenticatedProcessingFilter? – Michael Mar 18 '13 at 09:29
