Spring Security Servlet登录

Question

I have an existing web application that is covered by spring security. I need to add a servlet (or a generic endpoint) that works this way:

• It receives a POST with a json
• It processes the data
• Performs the authentication
• Returns a response with other data.

I've read the documentation about spring security ( http://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html ) but I'm a bit confused on how and where implement my code. I was thinking about using a custom filter in phase 4: UsernamePasswordAuthenticationFilter . However, I'm not really sure because if I understand the framework correctly, the filter is applied to every request, and I need to login only once, and then to be accepted as authenticated.

Is the filter the right way or are there better methods?

Answer 1

When writing a web service, it is preferable that the client is re-authorized every request. Meaning that the client has to pass their credentials (username/password) every time.

BTW, if you're writing a web service it might be preferable to to use the BasicAuthenticationEntryPoint over ssl instead of the UsernamePasswordAuthenticaitonFilter.

But, to answer your question fully, we used a security/http pattern matcher to do the trick.

<security:http pattern="/api/**" create-session="stateless" access-decision-manager-ref="unanimousBased" entry-point-ref="authenticationEntryPoint" >
    <security:intercept-url pattern="/api/**" access="IS_AUTHENTICATED_FULLY,group_User_role_default" />
    <security:custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
</security:http>

<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="api" />
</bean>

Finally, it is generally better to authorize first before processing the data. It seem strange that the data would be processed, then check the authorization to see if the response can be sent, but maybe that is just me.