How can I access the HttpServletRequest object during user authentication in Spring Security?

My application requirements are that I need to parse some information from the http request url in order to authenticate the user. Obviously I just can't use the UserDetailsService implementation.

My question is, how do I implement a UserDetailsService function (or equivalent authentication scheme) that needs access to the HttpServletRequest?

My Spring Security version is 3.0.7.RELEASE.

+4




3 answers


There's a very similar question in the Spring Security FAQ.



You can inject a custom AuthenticationDetailsSource into the authentication filter to extract additional relevant information from the incoming request. This information can then be obtained from the presented Authentication object in the custom AuthenticationProvider.

+4
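
The AuthenticationDetailsSource approach described in the answer above, as an added example that is not part of the original answer or of Spring Security itself. The class names, the "tenant" query parameter and the "TENANT_" authority prefix are hypothetical. The code assumes the generic AuthenticationDetailsSource<C, T> interface of Spring Security 3.1 and later; on 3.0.x the interface is not generic, so the buildDetails signature needs adapting.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Hypothetical details object: keeps a "tenant" value taken from the login URL's query string.
class TenantDetails extends WebAuthenticationDetails {
  private final String tenant;

  TenantDetails(HttpServletRequest request) {
    super(request); // still records remote address and session id
    String raw = request.getParameter("tenant"); // parameter name is an assumption
    // The value is caller-controlled: accept only a strict format, otherwise store null.
    this.tenant = (raw != null && raw.matches("[a-z0-9-]{1,32}")) ? raw : null;
  }

  String getTenant() { return tenant; }
}

// Set on the authentication filter via setAuthenticationDetailsSource(...).
class TenantDetailsSource
    implements AuthenticationDetailsSource<HttpServletRequest, TenantDetails> {
  public TenantDetails buildDetails(HttpServletRequest request) {
    return new TenantDetails(request);
  }
}

// Registered as the <authentication-provider ref="..."/> bean.
class TenantAwareAuthProvider extends DaoAuthenticationProvider {
  @Override
  protected void additionalAuthenticationChecks(UserDetails user,
      UsernamePasswordAuthenticationToken token) throws AuthenticationException {
    super.additionalAuthenticationChecks(user, token); // password check first
    Object d = token.getDetails();
    String tenant = (d instanceof TenantDetails) ? ((TenantDetails) d).getTenant() : null;
    if (tenant != null) {
      for (GrantedAuthority a : user.getAuthorities()) {
        if (("TENANT_" + tenant).equals(a.getAuthority())) return; // user belongs to tenant
      }
    }
    // Same message for every failure so the response does not reveal which check failed.
    throw new BadCredentialsException("Bad credentials");
  }
}
```

Because the request is read once in the filter and copied into the details object, the provider never touches thread-bound request state and can be unit-tested with a plain UsernamePasswordAuthenticationToken.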




One possible solution is to use RequestContextFilter. You can define it in web.xml as in the following snippet:

<filter>
  <filter-name>requestContextFilter</filter-name>
  <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>requestContextFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

      

Or, if you just need this for some security concerns, it is better to place it in a Spring Security config file, as shown in the following example:



<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                      http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <http>
    <custom-filter ref="requestContextFilter" before="FORM_LOGIN_FILTER"/>
    <form-login login-page="/login" authentication-failure-url="/login?error=failed" />
  </http>
  <beans:bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>

  <authentication-manager alias="authManager">
    <authentication-provider ref="authProvider" />
  </authentication-manager>
  <beans:bean id="authProvider" class="my.company.CustomAuthProvider" />
</beans:beans>

      

Then you can use the method RequestContextHolder.currentRequestAttributes() in your Spring Security classes. For example, as follows:

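import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

public class CustomAuthProvider extends DaoAuthenticationProvider {
  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // Request bound to the current thread by RequestContextFilter
    ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
    System.err.println(attr.getRequest().getParameter("myParameterName"));
    return super.authenticate(authentication);
  }
}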

      

+3




You will need to make a Spring bean servlet as described here.

0

