I currently have a setup that looks something like this:
<http auto-config="true">
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login"
default-target-url="/main.html"
authentication-failure-url="/failedLogin"/>
<logout logout-url="/logout.html" logout-success-url="/login" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="foo" password="bar" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a url such as /dog
, they will see the login page and if they pass in the credentials of foo/bar
then they will be logged in and see the page corresponding to /dog
.
I want the ability to use a URL such as /dog?token=abcd
which will bypass the login screen and take them directly to the page corresponding to /dog
. If they provide an invalid token then they would just see an access denied page.
In Spring Security the scenario you want to cover is described in reference manual, chapter Pre-Authentication Scenarios .
Basically you have to:
AbstractPreAuthenticatedProcessingFilter
or choosing one of its implementations, <custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />
, AuthenticationUserDetailsService
s, PreAuthenticatedAuthenticationProvider
(with <property name="yourPreAuthenticatedUserDetailsService">
). EDIT : In this answer OP shows his way of implementig custom PRE_AUTH_FILTER
.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.