How to force re-authenticate credentials in Spring Security?

I would like to forcibly re-authenticate credentials before allowing particularly sensitive actions in my web application, such as adding a signature to a dataset.

The scenario is that the user has already logged in, clicks to add their signature to the data, and is presented with fields for their credentials, which are then submitted to the server for authentication. Failure will not affect the input state, it just rejects the action.

I am using the Grails spring-security plugin and authenticating against LDAP (spring-security-ldap), but I assume that the solution will not depend on these exact details.

I have server-side username and password values (controller / servlet); how can I authenticate these new credentials?

1 answer

You can reuse user credentials and the Spring Security infrastructure in your controller without using the current authentication. Basically, your application requests a username and password through a simple form and verifies them with the authenticationManager. Depending on the result, you can continue your application logic or do something else.

The example below uses the authenticationManager in plain Java Spring MVC rather than Grails; the JSPs are omitted.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;

import java.util.Map;

@Controller
@RequestMapping("approval")
public class ApprovalController {

    // The same AuthenticationManager the login filter uses (LDAP-backed in the asker's setup).
    @Autowired
    private AuthenticationManager authenticationManager;

    @RequestMapping(value="confirm.do", method = RequestMethod.GET)
    public String get() {
        return "approval/confirm"; // view with username/password fields (JSP not shown)
    }

    @RequestMapping(value="confirm.do", method = RequestMethod.POST)
    public String post(@ModelAttribute ApprovalRequestForm form, Map<String, Object> model, Authentication authentication) {
        // Two-arg constructor builds an *unauthenticated* token; the provider has to verify it.
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(form.getUsername(), form.getPassword());
        // Throws an AuthenticationException (handled below) on bad credentials. The result is
        // deliberately not stored in the SecurityContext: this is a one-off check, not a new login.
        Authentication authenticate = authenticationManager.authenticate(token);

        if(authenticate.isAuthenticated() && isCurrentUser(authentication, authenticate)) {
            //do your business
            return "approval/success";
        }

        model.put("reason", "credentials don't belong to current user");
        return "approval/denied";
    }

    // Compare by name rather than by principal object: the session principal and the freshly
    // returned one are different UserDetails instances, and LDAP user details don't define equals().
    private boolean isCurrentUser(Authentication left, Authentication right) {
        return left.getName().equals(right.getName());
    }

    // Catches the AuthenticationException thrown by authenticate() (and anything else) as "denied".
    @ExceptionHandler(Exception.class)
    public ModelAndView handleException(Exception exception) {
        ModelAndView model = new ModelAndView("approval/denied");
        // Showing the raw exception text can reveal account state or LDAP errors; a fixed message is safer.
        model.addObject("reason", exception.getMessage());
        return model;
    }

    // Simple form-backing object bound from the POSTed fields.
    public static class ApprovalRequestForm {
        private String username;
        private String password;

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
    }
}
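The answer above verifies whatever username the form sends and then checks that it matches the logged-in user. A tighter variant of the same pattern, as an added example that is not part of the original answer, takes the username from the existing Authentication instead of the request, so the only thing the form has to supply is the password, and the fresh result is never written back into the SecurityContext. It assumes only spring-security-core on the classpath; the `StepUpReauthenticator` class and the `stubManager()` stand-in for the LDAP-backed manager (accepting a single constructed user, alice / "correct horse") are hypothetical names used for illustration.

```java
import java.util.Arrays;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Added example (not from the original answer): re-verify the *current* user's password
 * before a sensitive action, without touching the session's SecurityContext.
 */
public class StepUpReauthenticator {

    private final AuthenticationManager authenticationManager;

    public StepUpReauthenticator(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * Returns true only if {@code password} is valid for the user who owns the current session.
     * The username comes from the existing Authentication, never from the request, so a caller
     * cannot "re-authenticate" as somebody else.
     */
    public boolean reauthenticate(Authentication current, char[] password) {
        if (current == null || !current.isAuthenticated()) {
            return false;
        }
        try {
            // Two-arg constructor: an unauthenticated token the provider (e.g. LDAP) must verify.
            UsernamePasswordAuthenticationToken attempt =
                    new UsernamePasswordAuthenticationToken(current.getName(), new String(password));
            Authentication result = authenticationManager.authenticate(attempt);
            // Deliberately no SecurityContextHolder.getContext().setAuthentication(result):
            // this is a one-off check, not a new login.
            return result.isAuthenticated() && current.getName().equals(result.getName());
        } catch (AuthenticationException e) {
            // Bad password, locked account, directory unreachable, ... all fail closed.
            return false;
        } finally {
            Arrays.fill(password, '\0'); // don't keep the secret around longer than needed
        }
    }

    // --- demonstration with a constructed stub, so it runs without an LDAP server ---

    /** Hypothetical stand-in for the LDAP-backed manager: only alice / "correct horse" is valid. */
    static AuthenticationManager stubManager() {
        return auth -> {
            if ("alice".equals(auth.getName()) && "correct horse".equals(auth.getCredentials())) {
                // Three-arg constructor marks the returned token as authenticated.
                return new UsernamePasswordAuthenticationToken(
                        auth.getName(), null, AuthorityUtils.createAuthorityList("ROLE_USER"));
            }
            throw new BadCredentialsException("Bad credentials");
        };
    }

    public static void main(String[] args) {
        StepUpReauthenticator reauth = new StepUpReauthenticator(stubManager());
        // Constructed session tokens for two already-logged-in users.
        Authentication aliceSession = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication bobSession = new UsernamePasswordAuthenticationToken(
                "bob", null, AuthorityUtils.createAuthorityList("ROLE_USER"));

        System.out.println("alice, right password : "
                + reauth.reauthenticate(aliceSession, "correct horse".toCharArray()));
        System.out.println("alice, wrong password : "
                + reauth.reauthenticate(aliceSession, "wrong".toCharArray()));
        // bob submitting alice's password does not help: the username comes from bob's session.
        System.out.println("bob, alice's password : "
                + reauth.reauthenticate(bobSession, "correct horse".toCharArray()));
        System.out.println("no session            : "
                + reauth.reauthenticate(null, "correct horse".toCharArray()));
    }
}
```

Only the first call succeeds. Compile and run it against spring-security-core on the classpath; in the real application replace `stubManager()` with the injected `authenticationManager` bean, which is the same bean the LDAP login goes through. In a Grails controller I would expect that bean to be reachable by declaring `def authenticationManager` (injection by name), but treat that as an assumption about the plugin version in use. Keep the confirmation form CSRF-protected like the login form, since a forged POST with a known password would otherwise be enough to trigger the sensitive action.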

Source: https://habr.com/ru/post/1544824/