Announcement Announcement Module
No announcement yet.
Bypass login page Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Bypass login page

    I've been given an application which uses Spring Security and would like to know how I can bypass the login page. I have a Filter which adds a Kerberos key object after successfull AD authentication. Now since there was no handover I have no idea how to bypass the login page.

    The application is setup as follows:
    1. Proxy login (not part of application)
    2. My AD authentication filter
    3. Login page (need to bypass)
    4. Main page with user views.

    Please assist. This is the spring security config file...

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns=""
        <security:http auto-config="false" entry-point-ref="authenticationEntryPoint">
            <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
            <security:intercept-url pattern='/cxf/**' access='ROLE_USER'/>
            <security:logout invalidate-session="true" logout-url="/cxf/portal/login/end" success-handler-ref="logoutHandler"/>
        <bean id="logoutHandler" class="">
            <constructor-arg ref="sessionCache"/>
            <property name="defaultTargetUrl" value="/index.html"/>
        <bean id="authenticationEntryPoint" class="">
            <property name="loginFormUrl" value="/index.html"/>
        <bean id="authenticationFilter" class="">
        	<property name="authenticationManager" ref="authenticationManager"/>
        	<property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
        	<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
    	<property name="filterProcessesUrl" value="/cxf/portal/login"/>
        	<property name="usernameParameter" value="username"/>
        	<property name="passwordParameter" value="password"/>
        	<property name="postOnly" value="false"/>
        	<property name="allowSessionCreation" value="true"/>
        	<property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy"/>
        <bean name="sessionAuthenticationStrategy" class="">
        	<property name="alwaysCreateSession" value="true"/>
        <bean id="authenticationSuccessHandler" class=""/>
        <bean id="authenticationFailureHandler" class=""/>
        <security:authentication-manager alias="authenticationManager">
        	<security:authentication-provider ref="authenticationProvider"/>
        <bean id="authenticationProvider" class="">
        	<constructor-arg index="0" ref="sessionCache"/>
        <bean id="authenticationDetailsSource" class="">
        	<property name="clazz" value=""/>

  • #2
    There is are a few sample configurations for Kerberos in the Kerberos extension that may help you get started. For more info on the Kerberos extension you can see Mike's blog post. Keep in mind that the latest release does not support Spring Security 3.1. This is documented in SES-98


    • #3
      Thanks rwinch but I'm already using an internal library for AD. The user is already authenticated by the time he reaches my login page. All I need to do is bypass Spring Security authentication, i.e. the login page.


      • #4
        It sounds like you might be interested in the Pre-Authentication Scenarios chapter then. Alternatively, the simplest way to indicate that the user is authenticated is to set an Authentication on the SecurityContextHolder.getContext(). In short, if the user had authenticated via Kerberos you would ensure to set an Authentication on the SecurityContext. You can find more information on this in the reference.


        • #5
          Thanks. Setting the authentication object in the SecurityContext helped me resolve the problem.