  • Spring Security access to a request, without pre-authentication, from remote access

    I am writing here because I cannot find a clear answer to my problem:

    My project uses Spring MVC and Spring Security. I have installed both properly for a web application (in Java, of course). I can access it with POST and GET methods, but only after the user has logged in via the usual Spring Security form.

    From there, the user makes a request to an address like this:

    Code:
    ../../get.request?request=getListCommand
    where get.request is a mapping from Spring MVC. This access is enabled only after the user has been authenticated!

    What I need to do: add the possibility to access this request directly, without having been authenticated previously, using an address like this one for example:

    Code:
    http://123.123.123.123:123/get.request?request=getListCommand&j_password=myPassword&j_username=myName
    or

    Code:
    the same thing with the POST method and the params given (request=getListCommand, j_password=myPassword, j_username=myName)
    Of course the authentication will have to be done before the request is performed and the result sent back.

    I searched on many websites and directly on the Spring Security website. They talk about filter chaining, custom username authentication, RMI; but I haven't really found a full example doing what I presented above.

    Thanks to anyone who can help me with that.

    ps: I use all default or the simplest configuration for Spring Security (no feng shui style :-))

  • #2
    Reconsider; that isn't something you want... unless you want to have a security hole in your application (adding the username/password as request parameters is a security hole).

    But alas, if you don't care, create your own filter (based on the UsernamePasswordAuthenticationFilter) and modify it to authenticate each incoming request (if needed).

    • #3
      Originally posted by Marten Deinum
      Unless you want to have a security hole in your application (adding the username/password as request parameters is a security hole).
      If I'm right (and I'm not an expert in security), at one time or another the username/password has to be sent to the server, doesn't it? Maybe that way is not the best, but due to time constraints and my poor knowledge of it, and because it is for an intranet of a few computers, we don't need better security.

      Thanks for the answer, which set me on a way to resolve the problem. What you said (UsernamePasswordAuthenticationFilter) is something I already read. If you have more samples/information about how to do that, it would be good.

      I am adding my current XML config files

      secu.xml

      Code:
      <http realm="NexCap Up"
            auto-config="true"
            access-denied-page="/www/jsp/authentication/accessDenied.jsp"
            create-session="always"
            disable-url-rewriting="true">
          <port-mappings>
              <port-mapping http="8084" https="8443"/>
          </port-mappings>

          <intercept-url pattern="/www/jsp/authentication/connexion.jsp"
              access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>

          <intercept-url pattern="/www/jsp/authentication/connexionFailed.jsp"
              access="IS_AUTHENTICATED_ANONYMOUSLY"/>

          <intercept-url pattern="/www/jsp/authentication/applicationExit.jsp"
              access="IS_AUTHENTICATED_ANONYMOUSLY"/>

          <intercept-url pattern="/get.Request" method="GET" access="ROLE_REMOTE"/>

          <intercept-url pattern="/post.Request" method="POST" access="ROLE_REMOTE"/>

          <intercept-url pattern="/**" access="ROLE_REMOTE,ROLE_SCRIPT"/>

          <form-login
              authentication-failure-url="/www/jsp/authentication/connexionFailed.jsp"
              login-page="/www/jsp/authentication/connexion.jsp"
              default-target-url="/www/jsp/index.jsp"
              always-use-default-target="true"/>

          <logout
              logout-success-url="/www/jsp/authentication/applicationExit.jsp"
              invalidate-session="true"/>

          <session-management
              invalid-session-url="/www/jsp/authentication/invalidSession.jsp"
              session-authentication-error-url="/www/jsp/authentication/authentificationError.jsp"
              session-fixation-protection="none">

              <!-- Concurrent sessions -->
              <concurrency-control
                  error-if-maximum-exceeded="false"
                  expired-url="/www/jsp/authentication/sessionExpired.jsp"
                  max-sessions="1"/>

          </session-management>
      </http>

      web.xml

      Code:
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>Security</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
      </security-constraint>

      <filter>
          <display-name>springSecurityFilterChain</display-name>
          <filter-name>springSecurityFilterChain</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>

      <!-- All requests go through the filter -->
      <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>

      <!-- Security context configuration file -->
      <context-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>/WEB-INF/spring/secu-config.xml</param-value>
      </context-param>
      THANKS

      • #4
        The username/password has to be sent to the server, but if I hack your internet connection and sit in between (man in the middle) or stand behind you, I can read your username/password... Also, no matter if it is an intranet or not, you should always have security in mind, and this in my book isn't secure and certainly wouldn't pass auditing.

        Originally posted by phoenix2
        Thanks for the answer, which set me on a way to resolve the problem. What you said (UsernamePasswordAuthenticationFilter) is something I already read. If you have more samples/information about how to do that, it would be good.
        I already gave you that information...

        Originally posted by mdeinum
        But alas, if you don't care, create your own filter (based on the UsernamePasswordAuthenticationFilter) and modify it to authenticate each incoming request (if needed).
        Which methods to override I leave to you as an exercise (check the source code and read the javadocs; it shouldn't be that hard).
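        As an added illustration of the filter that replies #2 and #4 point at (this is example code written for this page, not code from the thread, from phoenix2's project or from the Spring Security project): a Spring Security 3.x filter that authenticates a single request from its j_username / j_password parameters and then throws the result away, so the credentials never turn into a session. The package name, the class name and the `authenticationManager` alias are assumptions; everything else is the public Spring Security 3.x API.

```java
// Added example, not from the thread or from Spring Security itself.
// Assumed: Spring Security 3.x with the XML namespace and the Servlet 2.5+ API;
// the package and class names are made up for this illustration.
package example.security;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Authenticates one request from its j_username / j_password parameters, the way
 * UsernamePasswordAuthenticationFilter does for the login form, with two differences:
 * there is no redirect (the request is served in place), and the Authentication is
 * discarded when the request ends, so a captured URL cannot be replayed as a
 * long-lived session.
 */
public class RequestParameterAuthenticationFilter extends GenericFilterBean {

    private final AuthenticationManager authenticationManager;

    public RequestParameterAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");

        // No credentials on this request: behave exactly as before (form login / session).
        if (username == null || password == null) {
            chain.doFilter(req, res);
            return;
        }

        // A password in a request is only tolerable on TLS. The web.xml above already demands
        // CONFIDENTIAL transport; this check keeps the filter safe if that constraint goes away.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Credentials are accepted over HTTPS only");
            return;
        }

        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, password);
        token.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

        Authentication result;
        try {
            result = authenticationManager.authenticate(token);
        } catch (AuthenticationException failed) {
            // Wrong password, locked account, etc.: answer 401 instead of redirecting to the
            // login page, because the caller is a script, not a browser.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
            return;
        }

        // Expose the Authentication to FilterSecurityInterceptor and the controller for this
        // request only. Restoring the previous context afterwards means
        // SecurityContextPersistenceFilter writes nothing new to the HttpSession (the config
        // above has create-session="always", so a session is always there to be written to),
        // and a user who is already logged in through the form is not logged out.
        SecurityContext previous = SecurityContextHolder.getContext();
        SecurityContext perRequest = SecurityContextHolder.createEmptyContext();
        perRequest.setAuthentication(result);
        SecurityContextHolder.setContext(perRequest);
        try {
            chain.doFilter(req, res);
        } finally {
            SecurityContextHolder.setContext(previous);
        }
    }
}
```

        To wire it into secu.xml: give the manager a bean name with `<authentication-manager alias="authenticationManager">`, declare the filter as a bean with that manager as its constructor argument, and register it inside `<http>` with `<custom-filter before="FORM_LOGIN_FILTER" ref="paramAuthFilter"/>` (the bean id is an assumption). The caveat from the replies still stands: with a GET, j_password sits in the query string, which the container's access log, any proxy and the browser history record even over HTTPS, so use the POST form of the call at least; for scripted clients the standard alternative is `<http-basic/>`, which carries the same credentials in the Authorization header instead of a parameter.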
