  • Automatic login after account creation

    Hello,

    I'm trying to determine what is the "correct" way to perform an automatic login after creating a new user account: programmatically inside the action or by Spring security filter outside of the action.

    Currently we are using Spring Security and Struts 2. We are doing something very similar to what was suggested in this thread when creating a new user account: http://forum.springsource.org/showthread.php?t=28165. That is, inside the Struts action we programmatically authenticate the user and update the Security Context (and it works).

    However, the question was raised on my project that we are not using Spring Security correctly by doing it that way, that it would be preferable to not programmatically authenticate the user inside the action, but rather allow Spring Security to perform the authentication from a filter.

    Is that true? Would that mean the password would have to get passed with a GET? Is the programmatic authentication actually preferred?

    Any insight/advice is appreciated. Thanks!

  • #2
    There's no point in using a filter to authenticate someone unless you want to have them explicitly re-enter the data after they have registered.

    You may want to use the AuthenticationManager to do the programmatic authentication, in order to tie into the event infrastructure, but it's up to you, depending on your requirements.

    • #3
      Originally posted by Luke Taylor:
      You may want to use the AuthenticationManager to do the programmatic authentication, in order to tie into the event infrastructure, but it's up to you, depending on your requirements.
      Thanks for the response. Yes we are currently using the AuthenticationManager which is injected into the action that creates the account.

      So doing something like the following is the best practice with spring security after account creation?

      Code:
      UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, pw);
      token.setDetails(new WebAuthenticationDetails(request));
      Authentication authentication = authenticationManager.authenticate(token);
      authInitializer.initializeAuthenticatedUser(request, authentication);
      SecurityContextHolder.getContext().setAuthentication(authentication);

      • #4
        I've had this same issue before.

        And resolving just being logged in is easy (like what you have above ... not exact but it was like that)

        However I also wanted the LoginListeners to fire ... not sure how to make them fire

        • #5
          I'm facing this problem and this looks like a good solution, will try this code as soon as I'm home, in the meantime I'd like a clarification about that "authInitializer" reference. Is it something related to your very own project or is it a class of Spring Security?

          Thank you

          • #6
            Originally posted by namero999:
            I'd like a clarification about that "authInitializer" reference. Is it something related to your very own project or is it a class of Spring Security?
            Yes sorry for the confusion, but you're right. The authInitializer class is not part of Spring.

            Cheers

            Comment
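Added example, not code from the thread or from Spring Security itself: one way to do the programmatic login discussed in #2 to #4 so that it also covers what the login filter would otherwise do (session-id rotation, saving the context in the session, and the interactive-success event that login listeners may be waiting for). `PostRegistrationLogin` and its wiring are hypothetical; the code assumes Spring Security 3.x or later package names and the `javax.servlet` API.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/** Hypothetical helper (added example): call it from the action once the account is saved. */
public class PostRegistrationLogin {
    private final AuthenticationManager authenticationManager;
    private final SessionAuthenticationStrategy sessionStrategy; // e.g. SessionFixationProtectionStrategy
    private final ApplicationEventPublisher events;
    public PostRegistrationLogin(AuthenticationManager am, SessionAuthenticationStrategy ss,
                                 ApplicationEventPublisher ep) {
        authenticationManager = am; sessionStrategy = ss; events = ep;
    }
    /** Returns true if the new user is now logged in; on false, send them to the login page. */
    public boolean login(String username, String rawPassword,
                         HttpServletRequest request, HttpServletResponse response) {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, rawPassword);
        token.setDetails(new WebAuthenticationDetails(request));
        try {
            // Same providers and account-status checks as a form login.
            Authentication auth = authenticationManager.authenticate(token);
            // Rotate the pre-registration session id, as the login filter would.
            sessionStrategy.onAuthentication(auth, request, response);
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(auth);
            SecurityContextHolder.setContext(context);
            // Store explicitly so the login survives the redirect that follows registration.
            request.getSession(true).setAttribute(
                    HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
            // The login filter normally publishes this event; here it has to be sent by hand.
            events.publishEvent(new InteractiveAuthenticationSuccessEvent(auth, getClass()));
            return true;
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            return false;
        }
    }
}
```

The password travels only in the registration POST that the action is already handling, so nothing is passed in a GET.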
