  • Programmatic use of Spring Security

    I am using Wicket with the Wicket Auth Project for my presentation layer and I have therefore integrated it with Spring Security. This is the method which is called by Wicket for authentication for me:
    // Spring Security 2.0.x package names (assumed from the June 2009 date and the 2.0-style XML config below)
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.AuthenticationManager;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

    private AuthenticationManager authenticationManager; // injected from the "authenticationManager" alias

    public boolean authenticate(String username, String password) {
    	try {
    		// Wrap the submitted credentials and hand them to the configured provider(s)
    		Authentication request = new UsernamePasswordAuthenticationToken(
    				username, password);
    		Authentication result = authenticationManager.authenticate(request);
    	} catch (AuthenticationException e) {
    		// Bad credentials, locked account, etc.
    		return false;
    	}
    	return true;
    }
    The contents (inside <beans>) of my Spring Security XML configuration are:
    <http path-type="regex">
    	<form-login login-page="/signin"/>
    	<logout logout-url="/logout" />
    </http>
    <global-method-security secured-annotations="enabled" />
    <authentication-manager alias="authenticationManager"/>
    <authentication-provider user-service-ref="userService">
    	<password-encoder ref="bcryptpasswordencoder" />
    </authentication-provider>
    The section 2.3.6. Session Fixation Attack Protection of the reference documentation says:
    Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behaviour using the session-fixation-protection attribute on <http>, which has three options:
    • migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.
    • none - Don't do anything. The original session will be retained.
    • newSession - Create a new "clean" session, without copying the existing session data.
    The authentication works, but as I'm fairly new to Spring Security I have some questions:
    • Normally for login, I would POST the authentication information to j_spring_security_check and let Spring Security perform the actual authentication code. I would like to have protection against session fixation attacks, will I get it when I perform a programmatic login as I do? And if not, what would I have to do to get it?
    • How do I perform programmatic logout?
    • As I will use programmatic login and logout, how do I disable Spring from intercepting those URLs?

    Best regards, Kent
    Last edited by Tnek; Jun 18th, 2009, 09:34 AM.