User Password Authentication in Spring Security

I am trying to do a simple username and password authentication in a Spring Security web application. I have a web service that authenticates by passing username / password and returns the role. Then I need to save the password for future web service calls.

My application was originally created using the Fuse application, so it had JDBC based authentication. I tore this up, but I'm not sure how to add my own authentication.

The documentation says that it is "simple" to add such a mechanism. But the sample application is a hello-world command-line program, not a web application. I cannot find an example of username and password authentication in a web application.

My XML file has the following:

    <beans:bean id="myProvider" class="com.example.MyProvider"></beans:bean>

    <authentication-manager>
        <authentication-provider ref="myProvider"></authentication-provider>
    </authentication-manager>

I do not know if this place is suitable for entering my authentication, and I am not sure which interface to implement. I think I might need to implement AuthenticationManager. And I could use a UsernamePasswordAuthenticationToken.

How do I connect it all together?

+4
3 answers

Now it works for me. Thank you all for your help. I had to add a new authentication provider and connect it to the Authentication Manager. Here is what I added:

    <beans:bean id="authenticationManager"
                class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="myAuthenticationProvider"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="myAuthenticationProvider" class="com.example.MyAuthenticationProvider">
    </beans:bean>

    <authentication-manager>
        <authentication-provider ref="myAuthenticationProvider"/>
    </authentication-manager>

and MyAuthenticationProvider (taken from the example):

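    import java.util.ArrayList;
    import java.util.List;

    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.GrantedAuthorityImpl;

    public class AConnexAuthenticationProvider implements AuthenticationProvider {

        // Every login is granted this fixed role.
        static final List<GrantedAuthority> AUTHORITIES = new ArrayList<GrantedAuthority>();

        static {
            AUTHORITIES.add(new GrantedAuthorityImpl("ROLE_USER"));
        }

        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            // No credential check yet: any username/password pair is accepted
            // and returned as an authenticated token.
            return new UsernamePasswordAuthenticationToken(auth.getName(), auth.getCredentials(), AUTHORITIES);
        }

        @Override
        public boolean supports(Class<? extends Object> paramClass) {
            // Claims every Authentication type.
            return true;
        }
    }

I will add the actual verification of the username or password later; it just lets anyone in.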

+4
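An added example (not part of the answer above) of what the provider could look like once the verification step is filled in, assuming Spring Security 3.1 or later. `WebServiceAuthenticationProvider` and the `RemoteAuthService` interface are hypothetical names standing in for the asker's web service, which is assumed to return a role name such as `ROLE_USER`, or null when it rejects the login.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class WebServiceAuthenticationProvider implements AuthenticationProvider {
    /** Hypothetical client for the remote login service: returns a role name, or null if rejected. */
    public interface RemoteAuthService {
        String authenticate(String username, String password) throws Exception;
    }

    private final RemoteAuthService remote;

    public WebServiceAuthenticationProvider(RemoteAuthService remote) {
        this.remote = remote;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String username = auth.getName();
        Object credentials = auth.getCredentials();
        if (username == null || username.isEmpty() || !(credentials instanceof String)) {
            throw new BadCredentialsException("Bad credentials");
        }
        String role;
        try {
            role = remote.authenticate(username, (String) credentials);
        } catch (Exception e) {
            // Fail closed: an unreachable or failing service must never result in a login.
            throw new AuthenticationServiceException("Authentication service unavailable", e);
        }
        if (role == null) {
            // Same message for unknown user and wrong password, so usernames cannot be probed.
            throw new BadCredentialsException("Bad credentials");
        }
        List<GrantedAuthority> authorities = Collections.<GrantedAuthority>singletonList(new SimpleGrantedAuthority(role));
        // The three-argument constructor produces a token that is marked as authenticated.
        return new UsernamePasswordAuthenticationToken(username, credentials, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only claim the token type that form login produces, not every Authentication.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

If the password has to stay available for later web service calls, note that Spring Security 3.1 and later clears the credentials from the returned token by default; `erase-credentials="false"` on `<authentication-manager>` disables that, at the cost of keeping the plaintext password in the session.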

This is my security.xml. Look at the user configuration. I just added a controller to handle the paths and it works great.

    <http auto-config="true">
        <intercept-url pattern="/admin/**" access="IS_AUTHENTICATED_REMEMBERED"/>
        <intercept-url pattern="/welcome/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <form-login login-page="/login" />
        <logout logout-success-url="/" logout-url="/logout" />
        <!-- Limits the number of concurrent sessions a user can have
        <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
        -->
    </http>

    <!-- Usernames/Passwords are rod/koala dianne/emu scott/wombat -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5"/>
            <user-service>
                <user name="rod" password="a564de63c2d0da68cf47586ee05984d7"
                      authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e"
                      authorities="ROLE_USER,ROLE_TELLER" />
                <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a"
                      authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

Remember to add this to your web.xml:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

It works for me :)

+2

Your provider should implement UserDetailsService and override

 public UserDetails loadUserByUsername(String username) 

to return a UserDetails object. This is an interface that you can implement on any of your "user" objects. It requires overriding several methods, but the decisive one from your point of view is

 public Collection<GrantedAuthority> getAuthorities() 

which you implement to return a list of your roles.

+1

Source: https://habr.com/ru/post/1390470/

