  • Custom Authentication Provider + Cookies

    Hi!

    I am developing a Spring web application using Spring 3.1.
    The authentication itself is done outside Spring, by some old cookie-based CGI code.
    This CGI is called via a URL like (http://...login.cgi?returnUrl=http:/.../somePage.html).

    If the authentication is ok, an encrypted cookie is created and the user is redirected to the returnUrl.
    This 'somePage.html' part is variable and depends on where the user comes from.
    If not, the user stays on the same CGI login page.

    The CGI is responsible for
    • showing the username/password login form
    • creating an encrypted cookie
    • redirecting the user to its initial page on success

    I wanted to:
    • modify the entry point by extending LoginUrlAuthenticationEntryPoint to update the LoginFormUrl. This works fine.
    • add a pre_auth_filter extending AbstractPreAuthenticatedProcessingFilter to decode the cookie and return the authenticated principal if authenticated or empty string if not.

    How can I do this?

    Thanks in advance!
    Last edited by spring3User; Oct 10th, 2011, 09:30 AM.

  • #2
    LoginUrlAuthenticationEntryPoint works fine now, but not the AbstractPreAuthenticatedProcessingFilter. Any ideas?
    Last edited by spring3User; Oct 10th, 2011, 09:30 AM.



    • #3
      Here are my files:

      web.xml:
      Code:
          <filter>
              <filter-name>springSecurityFilterChain</filter-name>
              <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
          </filter>
          <filter-mapping>
              <filter-name>springSecurityFilterChain</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>
      app-security.xml
      Code:
          <http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
              <intercept-url pattern="/**" access="isAuthenticated()"/>
              <custom-filter position="PRE_AUTH_FILTER" ref="loginFilter"/>
          </http>
          <beans:bean id="loginUrlAuthenticationEntryPoint"
                      class="com.xxx.CGILoginUrlAuthenticationEntryPoint">
              <beans:property name="loginFormUrl" value='http://...cookie.cgi'/>
          </beans:bean>
          <beans:bean id="loginFilter" class="com.xxx.CookieAuthenticationProcessingFilter">
              <beans:property name="authenticationManager" ref="authenticationManager"/>
          </beans:bean>
          <!-- The filter's authenticationManager must be defined: a PreAuthenticatedAuthenticationProvider backed by
               an AuthenticationUserDetailsService (the com.xxx.CookieUserDetailsService class name is a placeholder). -->
          <authentication-manager alias="authenticationManager">
              <authentication-provider ref="preAuthProvider"/>
          </authentication-manager>
          <beans:bean id="preAuthProvider"
                      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
              <beans:property name="preAuthenticatedUserDetailsService">
                  <beans:bean class="com.xxx.CookieUserDetailsService"/>
              </beans:property>
          </beans:bean>
      CookieAuthenticationProcessingFilter
      Code:
      import javax.servlet.http.HttpServletRequest;
      import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

      public class CookieAuthenticationProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
          @Override
          protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
              CookieDecode cookieDecode = getDecodedFromCookie(request);
              // Return the user only when the cookie is valid. Return null (not "") otherwise:
              // null tells the filter there is no pre-authenticated identity, so it does nothing
              // and the entry point redirects to the CGI login page; "" would be treated as a principal.
              if (cookieDecode != null && cookieDecode.isAuthorized()) {
                  return cookieDecode.getUser();
              }
              return null;
          }

          @Override
          protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
              CookieDecode cookieDecode = getDecodedFromCookie(request);
              if (cookieDecode != null && cookieDecode.isAuthorized()) {
                  return cookieDecode.getSessionAge();
              }
              return null;
          }

          // getDecodedFromCookie(...) and the CookieDecode type are not included in the post.
          ...
      }
      CustomLoginUrlAuthenticationEntryPoint
      Code:
      import java.io.UnsupportedEncodingException;
      import java.net.URLEncoder;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.springframework.security.core.AuthenticationException;
      import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

      public class CustomLoginUrlAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
          /**
           * @deprecated Use constructor injection
           */
          @Deprecated
          public CustomLoginUrlAuthenticationEntryPoint() {
              super();
          }

          public CustomLoginUrlAuthenticationEntryPoint(String loginFormUrl) {
              super(loginFormUrl);
          }

          @Override
          protected String determineUrlToUseForThisRequest(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) {
              // The CGI expects an absolute returnUrl; getRequestURI() gives only the path,
              // so rebuild the full URL, query string included.
              StringBuffer gotoUrl = request.getRequestURL();
              if (request.getQueryString() != null) {
                  gotoUrl.append('?').append(request.getQueryString());
              }
              String loginUrl = getLoginFormUrl();
              String separator = loginUrl.contains("?") ? "&" : "?";
              try {
                  // Encode so that "?", "&" and "=" inside gotoUrl are not read as separate CGI parameters.
                  return loginUrl + separator + "returnUrl=" + URLEncoder.encode(gotoUrl.toString(), "UTF-8");
              } catch (UnsupportedEncodingException e) {
                  throw new IllegalStateException(e); // UTF-8 is always available
              }
          }
      }
      What's missing?



      • #4
        Originally posted by spring3User
        The CGI is responsible for
        • showing the username/password login form
        • creating an encrypted cookie
        • redirecting the user to its initial page on success
        I would be careful about inventing your own protocols. I would try to stick to a standard protocol. You likely want to ensure that the cookie is signed, which differs from encryption.

        Originally posted by spring3User
        I wanted to:
        • modify the entry point by extending LoginUrlAuthenticationEntryPoint to update the LoginFormUrl. This works fine.
        • add a pre_auth_filter extending AbstractPreAuthenticatedProcessingFilter to decode the cookie and return the authenticated principal if authenticated or empty string if not.
        Is the cookie even being passed to the application? Try using something like Tamper Data (a Firefox plugin) to determine this. In general, browser security prevents application A from writing a cookie where application B can see it. That means this strategy is unlikely to work.

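rwinch's point above is that the login cookie should be signed, not merely encrypted. As an added example that is not part of this thread (the real CGI's cookie format is unknown here; the field layout, the shared key, and the SignedCookieVerifier class name are assumptions), this is what verifying such a cookie looks like on the Spring side, returning null on any failure so it can feed getPreAuthenticatedPrincipal() directly:

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Verifies a login cookie that is signed rather than merely encrypted. Assumed, hypothetical
 * layout: "username|expiryEpochSeconds|base64urlTag", where the HMAC-SHA256 tag covers
 * "username|expiryEpochSeconds" under a key shared with the CGI. principalFrom() returns the
 * username only when tag and expiry check out, else null (what getPreAuthenticatedPrincipal needs).
 */
public final class SignedCookieVerifier {
    private static final String ALG = "HmacSHA256";
    private final byte[] key;
    public SignedCookieVerifier(byte[] key) { this.key = key.clone(); }

    // Issuing side (the CGI's job in this thread); included so the format is explicit.
    public String sign(String username, long expiryEpochSeconds) {
        String payload = username + "|" + expiryEpochSeconds;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
    }

    public String principalFrom(String cookieValue, long nowEpochSeconds) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\|", -1);
        if (parts.length != 3 || parts[0].isEmpty()) return null;
        long expiry;
        byte[] presented;
        try {
            expiry = Long.parseLong(parts[1]);
            presented = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass
            return null;
        }
        byte[] expected = hmac(parts[0] + "|" + parts[1]);
        // Constant-time comparison: a forged tag must not be distinguishable by timing.
        if (!MessageDigest.isEqual(expected, presented)) return null;
        return expiry > nowEpochSeconds ? parts[0] : null;
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A tampered username, a stretched expiry, a truncated tag and a malformed value all come back as null, so the filter simply sends the user to the CGI login page.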


        • #5
          Originally posted by rwinch
          I would be careful about inventing your own protocols. I would try to stick to a standard protocol. You likely want to ensure that the cookie is signed, which differs from encryption.

          Is the cookie even being passed to the application? Try using something like Tamper Data (a Firefox plugin) to determine this. In general, browser security prevents application A from writing a cookie where application B can see it. That means this strategy is unlikely to work.
          I'm forced to use this cookie mechanism.

          I have access to the cookie from my application. And actually my Spring architecture seems to work now.
          The class extending AbstractPreAuthenticatedProcessingFilter decodes the cookie and getPreAuthenticatedPrincipal() returns a principal if a valid cookie is found, null otherwise.
          Then the class extending AuthenticationUserDetailsService creates a new UserDetails from the principal.

          The question I still have is how to manage sessions, especially in which class I can manage the logout and the destruction of the cookie.



          • #6
            Spring Security 3.1 provides the logout@delete-cookies attribute to remove cookies by a particular name. If you need to do other processing you will want to implement a LogoutHandler and wire that into the LogoutFilter.

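The LogoutHandler route from the reply above, as an added example that is neither from this thread nor from Spring Security itself; the cookie name, path, domain and the CgiCookieLogoutHandler class name are assumptions, and the real values must match the CGI's Set-Cookie header:

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Overwrites the CGI login cookie with an already-expired one on logout. The browser only
 * drops a cookie when name, path and domain match the ones the CGI used in its Set-Cookie
 * header, so all three are constructor arguments (the values below are assumptions).
 *
 * Wiring for Spring Security 3.1 when delete-cookies alone is not enough:
 *
 *   <custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
 *   <beans:bean id="logoutFilter"
 *       class="org.springframework.security.web.authentication.logout.LogoutFilter">
 *     <beans:constructor-arg value="http://...cookie.cgi"/>  <!-- where to send the user afterwards -->
 *     <beans:constructor-arg>
 *       <beans:list>
 *         <beans:bean class="com.xxx.CgiCookieLogoutHandler">
 *           <beans:constructor-arg value="cgiauth"/>      <!-- cookie name (assumed) -->
 *           <beans:constructor-arg value="/"/>            <!-- path the CGI set -->
 *           <beans:constructor-arg value=".example.com"/> <!-- domain the CGI set -->
 *         </beans:bean>
 *         <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
 *       </beans:list>
 *     </beans:constructor-arg>
 *   </beans:bean>
 */
public class CgiCookieLogoutHandler implements LogoutHandler {
    private final String name, path, domain;   // domain may be null if the CGI set no Domain attribute

    public CgiCookieLogoutHandler(String name, String path, String domain) {
        this.name = name;
        this.path = path;
        this.domain = domain;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        Cookie expired = new Cookie(name, "");
        expired.setPath(path);
        if (domain != null) expired.setDomain(domain);
        expired.setMaxAge(0);                 // Max-Age=0: the browser discards it immediately
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
        // SecurityContextLogoutHandler, wired after this one, invalidates the HTTP session and
        // clears the SecurityContext; this class only deals with the CGI cookie.
    }
}
```

Check the browser's cookie store after hitting the logout URL: if the cookie survives, the path or domain on the expiring cookie does not match what the CGI set.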
