Authentication with RESTEasy + Spring Security

  • Authentication with RESTEasy + Spring Security

    I'm trying to create an authentication method with RESTEasy.

    My REST URLs are mapped with Spring Security.

    I want to know how Spring Security can recognize the authenticated user...

    I've created a login URL and a login method in a service class. This method is used in my web application and calls another method that returns true or false.

    Code:
    @Path("/service/login")
    public class LoginService {
    	private UsuarioBusiness usuarioBusiness;
    	
    	@GET
    	@Path("/go/{user}/{pass}")
    	@Produces("application/json")
    	public Response login(@PathParam("user") String usuario, @PathParam("pass") String pass){
              //call other method
    	}
    }
    Code:
    //Other method
    public boolean login(String username, String password) {
    
    		try {
    			Authentication authenticate = authenticationManager.authenticate(
    					new UsernamePasswordAuthenticationToken(username, password));
    			if (authenticate.isAuthenticated()) {
    				SecurityContextHolder.getContext().setAuthentication(authenticate);	
    				return true;
    			}
    		} catch (AuthenticationException e) {	
    			System.out.println("Error en login");
    		}
    		return false;
    	}
    But this only serves to make the app that calls the login service redirect to the application homepage. When the app wants to access another URL, it is rejected because it is mapped with Spring Security.

    How do I make Spring Security recognize my authenticated user?

    In this post an entry-point was mentioned, but I don't understand how to associate it with a URL.

    Thanks

  • #2
    First, it is bad to include sensitive data in the URL or query string, since this information is much more easily leaked. Instead, you should include the username/password in a header or the body of a POST.

    If you want to authenticate in your own code, then you need to grant access to the URL that you are authenticating to. To do this, update your configuration to look something like this:

    Code:
    <http ... use-expressions="true">
      <intercept-url pattern="/service/login/go/*" access="permitAll"/>
      ...
    </http>

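    The advice in #2 about keeping credentials out of the URL, as an added example that is not part of the original thread: the login resource accepts the username and password as form fields in a POST body instead of path parameters. The class name `FormLoginService`, the `/go` path without path parameters, the form-field names and the constructor-injected `AuthenticationManager` (resource registered as a Spring bean) are assumptions; the `permitAll` pattern must also match this path.

```java
// Added example, not code from the thread. Names and paths are assumptions.
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

@Path("/service/login")
public class FormLoginService {

    private final AuthenticationManager authenticationManager;

    public FormLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @POST
    @Path("/go")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_JSON)
    public Response login(@FormParam("user") String username,
                          @FormParam("pass") String password) {
        if (username == null || password == null) {
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity("{\"authenticated\":false}").build();
        }
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            SecurityContextHolder.getContext().setAuthentication(result);
            return Response.ok("{\"authenticated\":true}").build();
        } catch (AuthenticationException e) {
            // Same response for unknown user and wrong password; nothing sensitive is logged.
            SecurityContextHolder.clearContext();
            return Response.status(Response.Status.UNAUTHORIZED)
                    .entity("{\"authenticated\":false}").build();
        }
    }
}
```

    With the default session-based `<http>` configuration, the context set here is stored in the HTTP session, so a client has to send the session cookie back on later requests to `/service/**`.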


    • #3
      Originally posted by Rob Winch
      First, it is bad to include sensitive data in the URL or query string, since this information is much more easily leaked. Instead, you should include the username/password in a header or the body of a POST.

      If you want to authenticate in your own code, then you need to grant access to the URL that you are authenticating to. To do this, update your configuration to look something like this:

      Code:
      <http ... use-expressions="true">
        <intercept-url pattern="/service/login/go/*" access="permitAll"/>
        ...
      </http>
      Thanks for the advice

      I forgot to mention that the services are consumed by a mobile client. According to the value returned by the login service, the mobile application redirects to the homepage or to the failure page. This has already been implemented.

      I have all my REST URLs mapped

      Code:
      <http ... use-expressions="true">
        <intercept-url pattern="/service/**" access="ROLE_USER"/>
        ...
      </http>
      Therefore, I want to know how my service can recognize my authenticated user so my REST URLs aren't blocked for my user
