  • When I am doing finger authentication, how do I put it in Spring Security?

    I want to do finger authentication, and I have some questions and hopes if possible.

    Finger login behaves like below.

    1. There are three parameters on login.jsp (id, finger print, and challenge).
    They are sent from the IE browser to Java (Tomcat).
    2. Java sends XML (including id, finger print, and challenge) to the finger authentication server, which is a web service (SOAP).
    3. Java gets the result of authentication from the finger authentication server,
    and displays the top page if it succeeds.

    My environment is
    Spring 2.5.6
    Spring Security 2.0.4

    Question is below:
    1. Spring Security can only get two parameters (id and password) from login.jsp.
    How do I get three or more parameters?
    I think that I have to customize the AuthenticationProcessingFilter class. Is that the right way? Or is there any other idea?

    2. If that is the right way, I have another question.
    On customizing the AuthenticationProcessingFilter class, I had to copy many steps of the source.
    I think it is not efficient.
    Is there any other way?

    public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
    	String username = obtainUsername(request);
    	String password = obtainPassword(request);
    	String challenge = obtainChallenge(request);
    	if (username == null) {
    	    username = "";
    	}
    	if (password == null) {
    	    password = "";
    	}
    	username = username.trim();
    	//customize only this step, but copy all source of this method.-----------------------------------
    	FingerAuthenticationToken authRequest = new FingerAuthenticationToken(username, password, challenge);
    	// Place the last username attempted into HttpSession for views
    	HttpSession session = request.getSession(false);
    	if (session != null || getAllowSessionCreation()) {
    	    request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextUtils.escapeEntities(username));
    	}
    	// Allow subclasses to set the "details" property
    	setDetails(request, authRequest);
    	return super.getAuthenticationManager().authenticate(authRequest);
    }

    3. If there is no way to get many parameters, would Spring Security add such a function in the future?
    (Or is there no need from other people?)

    Thank you.
    Last edited by soracane; Sep 28th, 2011, 12:31 AM.

  • #2
    Did you see the FAQ entry on this?

    PS: You may want to ensure you update to Spring 2.5.6.SEC03 and Spring Security 2.0.7.RELEASE to avoid a number of vulnerabilities that have been fixed.


    • #3
      Thank you for your reply and the vulnerability information.
      I'm sorry, I didn't read the FAQ.
      But is it for Spring Security 3.0 or later?
      Is the UsernamePasswordAuthenticationFilter class available since version 3.0?
      I'm using 2.0, and the username can contain any letters, so the way of the FAQ does not work.
      Updating to 3.0 is difficult, because it needs much investigation and experimentation.

      But I see that if Spring Security is updated it probably resolves this problem.
      I will investigate Spring Security 3.0.

      Thank you.
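
Added example, not part of the thread and not the project's own code: for Spring Security 2.0.x, one way to carry the third login parameter without copying attemptAuthentication() is to override only the setDetails() hook that the posted method already calls, and read the value back in a custom AuthenticationProvider. FingerDetails, FingerprintVerifier, the "challenge" parameter name and ROLE_USER are assumptions for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.ui.WebAuthenticationDetails;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;

/** Keeps the default details (remote address, session id) and adds the challenge. */
class FingerDetails extends WebAuthenticationDetails {
    final String challenge;
    FingerDetails(HttpServletRequest request) {
        super(request);
        this.challenge = request.getParameter("challenge"); // assumed parameter name
    }
}

/** Only the details hook is overridden; attemptAuthentication() is inherited unchanged. */
class FingerAuthenticationProcessingFilter extends AuthenticationProcessingFilter {
    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        authRequest.setDetails(new FingerDetails(request));
    }
}

/** Hypothetical wrapper around the SOAP call to the finger authentication server. */
interface FingerprintVerifier {
    boolean verify(String id, String fingerprint, String challenge);
}

class FingerAuthenticationProvider implements AuthenticationProvider {
    private final FingerprintVerifier verifier;
    FingerAuthenticationProvider(FingerprintVerifier verifier) { this.verifier = verifier; }

    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        Object details = auth.getDetails();
        if (!(details instanceof FingerDetails) || ((FingerDetails) details).challenge == null) {
            throw new BadCredentialsException("Missing challenge"); // fail closed
        }
        String fingerprint = (String) auth.getCredentials(); // sent in the password field
        if (!verifier.verify(auth.getName(), fingerprint, ((FingerDetails) details).challenge)) {
            throw new BadCredentialsException("Fingerprint verification failed");
        }
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_USER") }; // placeholder role
        return new UsernamePasswordAuthenticationToken(auth.getName(), null, roles); // credentials dropped
    }

    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The provider rejects the request when the challenge is absent and returns a token without the fingerprint data, so the biometric sample is not kept in the session after login.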