0

Greetings StackOverflow! Longtime reader, first time contributor.

I'm working on a personal project that will allow a logged-in user to store encrypted notes to themselves or family members. After much research, I decided to implement a surrogate key approach, where each user is assigned a surrogate key upon creation of their account.

This surrogate key is encrypted and stored in the database... and is decrypted using the user's password upon login. The resulting clear surrogate key is then used for all encryption activity in their profile.

My issue is capturing the user's password during login while using an implementation of Spring Security per this tutorial:

Spring Boot MVC Spring Security Tutorial

My SecurityConfig class looks like this:

    /*
 * (non-Javadoc)
 * 
 * @see org.springframework.security.config.annotation.web.configuration.
 * WebSecurityConfigurerAdapter#configure(org.springframework.security.
 * config.annotation.web.builders.HttpSecurity)
 */
@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/login").permitAll()
            .antMatchers("/registration").permitAll().antMatchers("/accountverification/**").permitAll()
            .antMatchers("/secure/**").hasAuthority("MEMBER").anyRequest().authenticated().and().formLogin()
            .loginPage("/login").failureUrl("/login?error=true").defaultSuccessUrl("/secure/notes")
            .usernameParameter("email").passwordParameter("password").and().logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/").and()
            .exceptionHandling().accessDeniedPage("/access-denied");
}

And my login.html page like this (the important part):

<form th:action="@{/login}" method="POST" class="form-signin">

If I'm understanding things correctly, the login.html page is posting to /login, which is defined in my SecurityConfig class (above). Login itself works wonderfully.

However, this automatically bypasses the part of my flow where I'd decrypt that surrogate key. So, I first tried posting to a separate controller then forwarding that request on to /login. No dice.

I then tried extending HandleInterceptorAdapter, but found that the password at this point was still always null. That led me to this post:

UserDetails getPassword returns null in spring security 3.1...

... but that struck me as hackey.

So, in the end, I'm still wondering how I might go about grabbing the password during the post of a login screen for temporary use of decrypting a user's surrogate key... then when the decryption is done and login completes... destroying it.

Any help is appreciated!

Powdered Toast Man
  • 1
  • 3

1 Answers1

-1

I knew this would happen... as soon as I post some fancy question on StackOverflow I'd figure it out.

I'm not sure it's the most elegant solution, but it works. I'm certainly open to alternatives.

I added this method to my login controller:

/**
 * @return
 */
@RequestMapping(value = { "/loginProcessor" }, method = RequestMethod.POST)
public String loginProcessor(@ModelAttribute Login login) {
    System.out.println("PASSWORD: " + login.getPassword());
    return "forward:/login";
}

I then adjusted login.html to post to it, instead of to /login:

<form th:action="@{/loginProcessor}" method="POST" class="form-signin">

And I updated my SecurityConfig to accommodate both paths:

/*
 * (non-Javadoc)
 * 
 * @see org.springframework.security.config.annotation.web.configuration.
 * WebSecurityConfigurerAdapter#configure(org.springframework.security.
 * config.annotation.web.builders.HttpSecurity)
 */
@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/loginProcessor").permitAll()
            .antMatchers("/login").permitAll().antMatchers("/registration").permitAll()
            .antMatchers("/accountverification/**").permitAll().antMatchers("/secure/**").hasAuthority("MEMBER")
            .anyRequest().authenticated().and().formLogin().loginPage("/login").failureUrl("/login?error=true")
            .defaultSuccessUrl("/secure/notes").usernameParameter("email").passwordParameter("password").and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/").and()
            .exceptionHandling().accessDeniedPage("/access-denied");
}

Et, voila! The password printed, I was logged in and redirected to my profile page. Is there a better way?

Powdered Toast Man
  • 1
  • 3