I currently have a setup that looks something like this:

spring-security.xml:

<http auto-config="true">
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login"
                default-target-url="/main.html"
                authentication-failure-url="/failedLogin"/>
    <logout logout-url="/logout.html" logout-success-url="/login" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="foo" password="bar" authorities="ROLE_USER" />                
        </user-service>
    </authentication-provider>
</authentication-manager>

web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a url such as /dog, they will see the login page and if they pass in the credentials of foo/bar then they will be logged in and see the page corresponding to /dog.

I want the ability to use a URL such as /dog?token=abcd which will bypass the login screen and take them directly to the page corresponding to /dog. If they provide an invalid token then they would just see an access denied page.

digiarnie
    Security FAIL -- Why on earth do you want such a back door? – Jim Garrison Aug 19 '12 at 02:58
  • It's something similar to this one here: http://stackoverflow.com/questions/3830571/spring-security-bypass-login-form. The token is unique and generated based on an algorithm and isn't so much a static string like 'abcd' each time. – digiarnie Aug 19 '12 at 07:30

1 Answer

In Spring Security the scenario you want to cover is described in the reference manual, in the chapter Pre-Authentication Scenarios.

Basically you have to:

  • create a custom filter by extending AbstractPreAuthenticatedProcessingFilter or choosing one of its implementations,
  • register the custom filter: <custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />,
  • implement or choose one of the implemented AuthenticationUserDetailsServices,
  • register the service in PreAuthenticatedAuthenticationProvider (with <property name="yourPreAuthenticatedUserDetailsService">).
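The four steps above, carried through as an added example that is not part of the question or the answer. It assumes Spring Security 3.1 or later (where AuthenticationUserDetailsService is generic), puts the classes in a placeholder package example.auth, and uses a constructed token-to-username map in place of the questioner's token generator; the bean ids in the wiring comment are placeholders, while the provider property name preAuthenticatedUserDetailsService and the filter property authenticationManager are the real ones.

```java
package example.auth; // placeholder package, not from the question

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public final class TokenPreAuth {

    /** Step 1: the PRE_AUTH_FILTER. It only extracts the token from the request;
     *  whether the token is valid is decided by the provider and the service below. */
    public static class Filter extends AbstractPreAuthenticatedProcessingFilter {

        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            // Returning null makes the base class skip pre-authentication for this
            // request, so URLs without ?token=... still go through the normal form login.
            String token = request.getParameter("token");
            return (token == null || token.isEmpty()) ? null : token;
        }

        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A"; // the token itself is the principal; there is no separate credential
        }
    }

    /** Step 3: map a presented token to a user, or reject it. The token store is a
     *  constructed placeholder standing in for the questioner's token generator. */
    public static class UserDetailsService
            implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

        private final Map<String, String> tokenToUser;

        public UserDetailsService(Map<String, String> tokenToUser) {
            this.tokenToUser = tokenToUser;
        }

        public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
                throws UsernameNotFoundException {
            byte[] presented = String.valueOf(token.getPrincipal()).getBytes(StandardCharsets.UTF_8);
            String username = null;
            // Compare against every stored token with a constant-time check and no early
            // exit, so response timing does not reveal how much of a guess matched.
            for (Map.Entry<String, String> e : tokenToUser.entrySet()) {
                if (MessageDigest.isEqual(e.getKey().getBytes(StandardCharsets.UTF_8), presented)) {
                    username = e.getValue();
                }
            }
            if (username == null) {
                // An AuthenticationException here makes the filter's unsuccessfulAuthentication()
                // clear the SecurityContext; the request then continues as anonymous and the
                // existing ROLE_USER rule on /** sends it to the login page.
                throw new UsernameNotFoundException("token not recognised");
            }
            // Authorities are fixed to ROLE_USER here to match the question's <user-service>.
            return new User(username, "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
    }

    /* Steps 2 and 4, the XML wiring (bean ids are placeholders; the existing <http> and
       foo/bar user from the question stay as they are):

       <http auto-config="true">
           ... existing intercept-url / form-login / logout elements ...
           <custom-filter position="PRE_AUTH_FILTER" ref="tokenFilter"/>
       </http>

       <beans:bean id="tokenFilter" class="example.auth.TokenPreAuth$Filter">
           <beans:property name="authenticationManager" ref="authenticationManager"/>
       </beans:bean>

       <beans:bean id="tokenUserDetailsService" class="example.auth.TokenPreAuth$UserDetailsService">
           <beans:constructor-arg>
               <beans:map><beans:entry key="GENERATED-TOKEN-PLACEHOLDER" value="foo"/></beans:map>
           </beans:constructor-arg>
       </beans:bean>

       <beans:bean id="preAuthProvider"
           class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
           <beans:property name="preAuthenticatedUserDetailsService" ref="tokenUserDetailsService"/>
       </beans:bean>

       <authentication-manager alias="authenticationManager">
           <authentication-provider ref="preAuthProvider"/>
           <authentication-provider>
               <user-service><user name="foo" password="bar" authorities="ROLE_USER"/></user-service>
           </authentication-provider>
       </authentication-manager>
    */
}
```

Two points worth checking in a real deployment: the lookup in loadUserDetails is where a token's expiry or single-use status would be enforced (the question does not say how its tokens are generated, so that part is left to the token store), and with the filter's default settings an invalid token falls through to the login page rather than an access-denied page; the filter's continueFilterChainOnUnsuccessfulAuthentication property can be set to false to fail the request instead, after which the failure needs its own handling. If the pre-authenticated user should get the authorities already configured in <user-service>, Spring Security's UserDetailsByNameServiceWrapper can delegate to that UserDetailsService once the token has been resolved to a username.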

EDIT: In this answer OP shows his way of implementing a custom PRE_AUTH_FILTER.

Grzegorz Rożniecki
  • Thanks for your response. I tried doing those things you mentioned along with the link to the OP but I still had troubles :( I then used bits and pieces of what you mentioned and the other OP and ended up using a PRE_AUTH_FILTER custom-filter which references a class implementing a plain javax.servlet.Filter and put in the relevant code to authenticate if the token url parameter was found when there was no authentication object found in the SecurityContextHolder. – digiarnie Aug 20 '12 at 01:34