Authenticate based on user id


    I have a web app working nicely with Acegi, but I have a question regarding a problem I am having. At the moment I am using the httpSessionContextIntegrationFilter to authenticate users. This is fine, but there is a use-case in the application where the user is sent an email with a URL containing an encrypted string which includes their user ID. I'd like to be able to receive this ID, decrypt it, and authenticate the HTTP session with that user.

    What is the easiest way of doing this?

  • #2
    I'm not quite sure what you're getting at. HttpSessionContextIntegrationFilter doesn't perform authentication - it just maintains the authentication state between requests. What mechanism are you using to authenticate users at the moment?

    I don't understand the encrypted ID idea either - you want to mail the user their login ID and have them login? You can probably do this by writing a filter which intercepts and decrypts the request before allowing it to continue to be handled by one of the standard authentication providers.

    However the mechanism does seem to suffer from being "password equivalent"; it isn't obvious what the encryption adds to it, unless your aim is to hide the user's own ID from them.

    What's the idea behind the use case?



    • #3
      Hi There,

      Thanks for the reply.

      At the moment we are using the AuthenticationProcessingFilter via a login page to authenticate the users.

      The URL contains information other than the ID of the user; in this case the ID of another database record that we want to do some action on. The IDs are encrypted to prevent users from enumerating a different ID within the database.


      • #4
        I see. But do you still expect the user to log in using a form as well? Otherwise what's to stop someone else from reading the mail, requesting the same encrypted URL and ending up logged in under the original user's ID?

        I guess it depends on the details of what you're doing, but you can probably use a custom filter to do the decryption and something like an AuthenticationProcessingFilter instance to do the subsequent authentication. Or probably better to just combine both in the one filter, possibly extending AuthenticationProcessingFilter and overriding the default filterProcessesUrl and default target.


        • #5
          Provided that you actually have a requirement to allow a single URL to perform a login of a user - noting Luke's observations about the dangers of this - the easiest way would be to have an MVC controller listen against that URL. When the request comes in, "decrypt" the querystring parameter and look up the user from the AuthenticationDao. Then create an Authentication object containing the user's username and their AuthenticationDao-retrieved password. Finally, put it onto the ContextHolder and redirect them to a secure URL. The secure URL will then cause FilterSecurityInterceptor to fire, which in turn will cause the ContextHolder-held Authentication to be populated in full and authenticated. HttpSessionContextIntegrationFilter will ensure the authenticated Authentication is kept around for the user's subsequent requests.

          As I said, if you need to do it, this is a way. But give some thought to the security of it. The encrypted "token" sent via email will remain usable indefinitely unless you put some sort of expiry time in the code. Generally it's easiest to Base64 a String containing colon-separated tokens, such as username + ":" + expiryTime + ":" + SHA1(username + ":" + expiryTime + ":" + privateKey). This is easy to decompose and still not let the user really see what is going on or have much opportunity to mutate it without knowing the privateKey. Again, I am not recommending this approach, just telling you how it could be done. The digest processing filter does something similar if you'd like to see the code - although that's in accordance with an RFC so it's had some peer review etc.
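A worked version of the token scheme sketched in #5, added here as an editor's example; it is not code from the thread, from Acegi, or from the digest filter mentioned. It keeps the Base64 of colon-separated fields with an expiry time, and adds the record ID from the use case in #3 so the link is bound to one action as well as one user. Two choices are the editor's, not the post's: the digest is an HMAC-SHA256 over the fields under a server-side key rather than SHA1(username:expiry:privateKey), and the comparison is constant-time. `SERVER_KEY`, `USER_STORE` and the `login_from_link` controller stand-in are hypothetical placeholders for the real configuration and AuthenticationDao lookup.

```python
"""Email-login token: issue, verify with expiry, and reject tampering.

Editor's example, not code from the thread or from Acegi. SERVER_KEY and
USER_STORE are hypothetical stand-ins for real configuration and the
AuthenticationDao lookup described in #5.
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Hypothetical server-side secret. It must never appear in the mailed URL;
# without it the token cannot be forged or altered.
SERVER_KEY = b"replace-with-a-long-random-secret-from-config"

# Hypothetical user store standing in for AuthenticationDao (username -> enabled?).
USER_STORE = {"alice": True, "bob": False}

SEP = ":"


def _digest(payload: str, key: bytes) -> str:
    # Keyed digest over the visible fields; swapped in for the post's plain SHA1.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_token(username: str, record_id: str, expiry: int, key: bytes = SERVER_KEY) -> str:
    """Issue Base64(username:record_id:expiry:digest) for an emailed link."""
    if SEP in username or SEP in record_id:
        raise ValueError("fields must not contain the separator")
    payload = SEP.join([username, record_id, str(expiry)])
    token = payload + SEP + _digest(payload, key)
    return base64.urlsafe_b64encode(token.encode()).decode()


def verify_token(token: str, now: int, key: bytes = SERVER_KEY) -> Optional[Tuple[str, str]]:
    """Return (username, record_id) if authentic and unexpired, else None.

    Malformed input, a bad digest and an expired token all fail the same way,
    so the caller cannot distinguish them (and need not).
    """
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        username, record_id, expiry_s, digest = raw.split(SEP)
        expiry = int(expiry_s)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = _digest(SEP.join([username, record_id, expiry_s]), key)
    # Constant-time compare so digest mismatches do not leak timing.
    if not hmac.compare_digest(expected, digest):
        return None
    if now >= expiry:
        return None
    return username, record_id


def login_from_link(token: str, now: int) -> Optional[Tuple[str, str]]:
    """Stand-in for the MVC controller in #5: verify, then look the user up.

    Returns the (username, record_id) the controller would turn into an
    Authentication and place on the context holder, or None to refuse.
    """
    result = verify_token(token, now)
    if result is None:
        return None
    username, record_id = result
    if not USER_STORE.get(username, False):  # unknown or disabled account
        return None
    return username, record_id


def demo() -> dict:
    """Exercise the happy path, expiry, and a tampered record id."""
    issued_at = 1_700_000_000
    token = make_token("alice", "42", issued_at + 3600)
    # Constructed tampering: attacker re-encodes the link pointing at record 43.
    raw = base64.urlsafe_b64decode(token).decode().replace(":42:", ":43:", 1)
    tampered = base64.urlsafe_b64encode(raw.encode()).decode()
    return {
        "fresh": login_from_link(token, issued_at + 60),
        "expired": login_from_link(token, issued_at + 3600),
        "tampered": login_from_link(tampered, issued_at + 60),
        "disabled": login_from_link(make_token("bob", "7", issued_at + 3600), issued_at + 60),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Without the expiry field the link stays valid for as long as the key does, which is the point made above; with it, a leaked mailbox still exposes the account for the token lifetime, so the expiry should be as short as the workflow allows and the link should still land on a page that is limited to the one record it names.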