简单的Spring MVC +安全设置

Question

I am trying to set up a simple spring mvc / spring security webapp, but I can't seem to find the way to accomplish this:

1. I'd like to use the normal @Secured annotations, and if the user isn't logged in I'd like them to be redirected to the login page, and back to where they were (this is normal behaviour which I've managed to accomplish)
2. I'd like the login form to be my own controller/template pair (also common and accomplished).
3. I'd like the login form above to submit to my own controller which will authenticate the user credentials against my backend restful service. It then receives a security token back from the service. At this point I'd like to manually flag the session as authenticated authenticated and attach the token to it.

How do I go about implementing the last stage?

Answer 1

I am not sure if I understand your question fully, but if I understand it correctly, you can perhaps extend AbstractPreAuthenticatedProcessingFilter and override getPreAuthenticatedPrincipal and getPreAuthenticatedCredentials with calls to your restful service/controller etc. The override AuthenticationUserDetailsService and probide a simple service, and add that your security context, like this:

<beans:bean id="preauthAuthProvider"
            class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean class="com.YourCompany.YourPreAuthenticatedGrantedAuthoritiesUserDetailsService"></beans:bean>
    </beans:property>
    <beans:property name="order" value="1"/>
</beans:bean>


<authentication-manager alias="authenticationManager" >
    <authentication-provider ref="preauthAuthProvider" ></authentication-provider>
</authentication-manager>

Answer 2

OK the answer is basically:

SecurityContextHolder.getContext().setAuthentication(...)

However to be able to use it in the scenario I described above where the Spring MVC controller controls the authentication process, a few other things need to be done:

1. You must either use one of the available Impls of Authentication or create one. I found it best to subclass AbstractAuthenticationToken.

2. Spring security won't start up without an authentication manager which isn't used in this scenario, so I created a null authentication manager:

    @Service("nullAuthenticationProvider") public class NullAuthenticationProvider implements AuthenticationProvider { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { return authentication; } @Override public boolean supports(Class<?> authentication) { return true; } } 

3. And finally the spring context.xml:

    <security:global-method-security secured-annotations="enabled" /> <security:http disable-url-rewriting="true"> <security:access-denied-handler error-page="/login" /> <security:form-login login-page="/login" /> </security:http> <security:authentication-manager> <security:authentication-provider ref='nullAuthenticationProvider'/> </security:authentication-manager>