  • JSF form login + servlet login in same application

    I have successfully implemented a JSF application with form based login via spring security as outlined in this example:

    In addition to this, the project I am working on needs to provide users the ability to log in via a request parameter posted on a URL in my app. I.e., my app user should be able to log in via this URL if the auth string is valid:
    I guess this resembles a typical Pre-Authentication example where the user has been authorized via a different app. The difference here being that I need some application logic to dissect and approve the "auth" parameter which is an encrypted string (formed from a shared encryption key, which both apps have access to.) When decrypting the "auth" string I will have the userId of the user who is logging in + some other data to ensure that this request is valid. After this I want to be able to use spring security to authenticate the user.

    I am a spring security newbie so here are some questions:
    I have tried to implement this via a servlet which, after successful validation of the auth parameter, should redirect the user to a secure page. However, I have not been able to get this to work in addition to the form based login outlined in the example.

    Basically I am trying to authenticate the user by:
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(userId, password));
    - My servlet uses filters="none" so that no authorization is needed to access it
    - My other configuration options are the same as in the example mentioned above
    - When accessing the servlet URL with a valid auth the servlet redirects to a secure page. However my authentication is not approved as the app redirects me to the form based login page instead.

    I am guessing I need to change my security-config somehow to accommodate this? Perhaps via a custom-authentication-provider. Could someone outline the steps needed to do this? I need the form login to stay intact.

    I have not been able to find any examples showing how to do both form based and servlet based login in the same spring security config.

    I am using spring security version 2.0.5

  • #2

    I removed all of my filters="none" in <security:intercept-url ..> and replaced them with access="IS_AUTHENTICATED_ANONYMOUSLY"

    Without this definition the default java servlet filter was invoked before the spring security filter and because of this the security context was not yet available. It seems like a new security context was created for every request to the servlet. This "new" security context could not be used to validate the authentication properly.

    Security config for the servlet:
    <security:intercept-url pattern="/servlets/ExternalLoginServlet"
    Could someone explain why this change fixed the problem in more detail?
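
An added illustration (not part of the thread, and not Spring Security's own code) of how the security context is carried between requests: a simplified, dependency-free Java model in which `throughFilterChain` stands in for the filter that loads the context from the HTTP session and stores it back, and `bypassingFilterChain` for a URL mapped with filters="none". All class, method and user names here are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model (hypothetical names, no Spring dependency) of security
// context persistence between requests in a filter-based setup.
public class ContextPersistenceDemo {
    static final String KEY = "SPRING_SECURITY_CONTEXT";   // session attribute holding the context
    static final ThreadLocal<Map<String, String>> HOLDER = // stands in for SecurityContextHolder
            ThreadLocal.withInitial(HashMap::new);

    interface Handler { String handle(); }

    // URL covered by the filter chain: load the context from the session
    // before the request, store it back and clear the thread afterwards.
    @SuppressWarnings("unchecked")
    static String throughFilterChain(Map<String, Object> session, Handler h) {
        Object stored = session.get(KEY);
        HOLDER.set(stored != null ? (Map<String, String>) stored : new HashMap<>());
        try {
            return h.handle();
        } finally {
            session.put(KEY, HOLDER.get());
            HOLDER.remove();
        }
    }

    // URL mapped with filters="none": no filter runs, so nothing loads the
    // context, nothing saves it to the session, and nothing clears the
    // thread-local (it stays on the pooled worker thread).
    static String bypassingFilterChain(Handler h) {
        return h.handle();
    }

    public static void main(String[] args) {
        // The login servlet sets the authentication, then redirects.
        Handler login = () -> { HOLDER.get().put("user", "constructed-user"); return "302 -> /secure"; };
        // The secure page only checks whether the current context has a user.
        Handler secure = () -> HOLDER.get().containsKey("user")
                ? "200 secure page for " + HOLDER.get().get("user")
                : "302 -> form login";

        Map<String, Object> s1 = new HashMap<>();  // session A: servlet mapped with filters="none"
        bypassingFilterChain(login);
        System.out.println("filters=none       : " + throughFilterChain(s1, secure));

        Map<String, Object> s2 = new HashMap<>();  // session B: servlet behind the chain, anonymous access allowed
        throughFilterChain(s2, login);
        System.out.println("behind filter chain: " + throughFilterChain(s2, secure));
    }
}
```

The model leaves out the authentication manager and access decision steps; it only shows where the context lives between the redirect and the next request.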