
I have a requirement that on the login page I have a userId, password field and also another text entry field called customer. If a user logs in with userId and password, the spring-security configuration which I have works well. The second login scenario is: if the customer puts in only their customer Id, they are supposed to log in to a different page as well. How do I make the two different logins work with the same spring-security XML configuration from the same login page?

    <security:http auto-config="true" use-expressions="true">
        <!-- URL restrictions (order is important!) Most specific matches should be at top -->

        <!-- Don't set any role restrictions on login.jsp. Any requests for the login page should be
             available for anonymous users, so the login page needs permitAll(); protecting it with
             isAuthenticated() would send anonymous users back to the login page in a redirect loop -->
        <security:intercept-url pattern="/login.jsp*" access="permitAll()" />

        <security:access-denied-handler error-page="/noaccess.jsp" />
        <security:intercept-url pattern="/board.htm" access="hasRole('ROLE_ALL_USER')" />
        <security:intercept-url pattern="/AddItems.htm*" access="hasRole('ROLE_USER')" />

        <!-- Set the login page and what to do if login fails -->
        <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />

        <!-- Set the logout page and where to go after logout is successful -->
        <security:logout logout-url="/logout" logout-success-url="/logoutSuccess.jsp" />

        <security:custom-filter position="PRE_AUTH_FILTER" ref="customPreAuthFilter" />
        <security:custom-filter position="SWITCH_USER_FILTER" ref="switchUserFilter" />
    </security:http>

    <beans:bean id="customPreAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>

    <!-- Load the UserDetails object for the user. -->
    <beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="currentUserDetailsService" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <!-- Aliasing (Switch User) -->
    <beans:bean id="switchUserFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
        <beans:property name="userDetailsService" ref="currentUserDetailsService" />
    </beans:bean>

Thanks Dhiren

@Ritesh Thanks for the link. I tried your solution but my filter does not get invoked. Does web.xml need to be modified? Anyway, I tried to implement the entire springSecurityFilterChain but I have still not been able to invoke my filter from my login form. The filter that I need invoked is customBadgeAuthFilter.

    <beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <beans:constructor-arg>
            <beans:list>
                <!-- Static resources bypass the chain; everything else gets the full chain below.
                     Filter order matters: the badge filter must run after the logout filter and
                     before the standard form-login filter so it sees the login POST first. -->
                <security:filter-chain pattern="/resources/**" filters="none" />
                <security:filter-chain pattern="/**"
                    filters="securityContextPersistenceFilterWithASCTrue,
                             logoutFilter,
                             customBadgeAuthFilter,
                             formLoginFilter,
                             formLoginExceptionTranslationFilter,
                             filterSecurityInterceptor" />
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="securityContextPersistenceFilterWithASCTrue"
        class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
        </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="formLoginExceptionTranslationFilter"
        class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                <beans:constructor-arg value="/login" />
            </beans:bean>
        </beans:constructor-arg>
        <beans:property name="accessDeniedHandler">
            <beans:bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
                <beans:property name="errorPage" value="/exception" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <beans:bean id="formLoginFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="allowSessionCreation" value="true" />
        <beans:property name="authenticationSuccessHandler">
            <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                <beans:constructor-arg value="/" />
                <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
            </beans:bean>
        </beans:property>
        <beans:property name="authenticationFailureHandler">
            <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <beans:constructor-arg value="/login?error=true" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <beans:bean id="filterSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
        <beans:property name="runAsManager" ref="runAsManager" />
        <beans:property name="securityMetadataSource">
            <security:filter-security-metadata-source use-expressions="true">
                <security:intercept-url pattern="/**" access="isAuthenticated()" />
            </security:filter-security-metadata-source>
        </beans:property>
    </beans:bean>

    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="allowIfAllAbstainDecisions" value="false" />
    </beans:bean>

    <beans:bean id="runAsManager"
        class="org.springframework.security.access.intercept.RunAsManagerImpl">
        <beans:property name="key" value="TELCO_RUN_AS" />
    </beans:bean>

    <beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/login" />
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
                    <beans:constructor-arg>
                        <beans:list>
                            <beans:value>JSESSIONID</beans:value>
                        </beans:list>
                    </beans:constructor-arg>
                </beans:bean>
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <!-- The constructor argument is the filterProcessesUrl: it must equal the URL the login form
         POSTs to (/j_security_check here). AbstractAuthenticationProcessingFilter only runs
         attemptAuthentication() when the request URI matches it; with /login.jsp the filter
         is silently bypassed for the login POST. -->
    <beans:bean id="customBadgeAuthFilter" class="com.company.security.filter.BadgeProcessingSecurityFilter">
        <beans:constructor-arg value="/j_security_check" />
        <beans:property name="authenticationManager" ref="authManager" />
    </beans:bean>

    <!-- Bean names must not carry trailing whitespace in ref attributes -->
    <security:authentication-manager alias="authManager">
        <security:authentication-provider ref="normalAuthenticationProvider" />
        <security:authentication-provider ref="badgeAuthenticationProvider" />
        <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>

    <beans:bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp" />
    </beans:bean>

    <beans:bean id="badgeAuthenticationProvider" class="com.company.security.filter.BadgeAuthenticationProvider" />

I think I finally figured out how to get my security filter invoked. I was debugging to see the Spring Security flow and saw that there is a method called requestAuthorization in the subclass of AbstractAuthenticationProcessingFilter. It compares the URI which is configured as the default value for the filter to get invoked, and if they don't match the filter is bypassed. For some reason, even though the POST request is /j_security_check, it transforms into FSS/home.htm when it is being compared, and so the filter was getting bypassed.
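The following is an added example (not the asker's code or any Spring project code) of what the `BadgeProcessingSecurityFilter` referenced in the configuration could look like so that one login form serves both modes: it replaces `UsernamePasswordAuthenticationFilter`, reads the badge parameter first, and issues a distinct token class so the `ProviderManager` dispatches it to `BadgeAuthenticationProvider` (whose `supports()` must accept that token) while user/password logins still go to the DAO provider. The parameter names `j_badgeid`, `j_username` and `j_password` and the Spring Security 3.x API are assumptions; the constructor shows the filter-processes-URL check the question's last paragraph describes.

```java
package com.company.security.filter;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

// Added example, not the asker's code: one filter handles both login modes from the same form.
public class BadgeProcessingSecurityFilter extends AbstractAuthenticationProcessingFilter {
    public BadgeProcessingSecurityFilter() {
        // Must equal the URL the login form POSTs to: requiresAuthentication() compares the
        // request URI with this value and silently skips the filter when they differ.
        super("/j_security_check");
    }
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        String badge = request.getParameter("j_badgeid");   // parameter name assumed (from the comments)
        AbstractAuthenticationToken token;
        if (badge != null && !badge.trim().isEmpty()) {
            // Customer-id-only login: distinct token class so the manager routes it to the badge provider.
            token = new BadgeAuthenticationToken(badge.trim());
        } else {
            String user = request.getParameter("j_username");
            String pass = request.getParameter("j_password");
            token = new UsernamePasswordAuthenticationToken(user == null ? "" : user.trim(), pass == null ? "" : pass);
        }
        token.setDetails(authenticationDetailsSource.buildDetails(request));  // remote address, session id
        return getAuthenticationManager().authenticate(token);
    }
    /** Unauthenticated request token; BadgeAuthenticationProvider must return true from supports() for it. */
    public static class BadgeAuthenticationToken extends AbstractAuthenticationToken {
        private final String badgeId;
        public BadgeAuthenticationToken(String badgeId) {
            super(null);            // no authorities until the provider authenticates it
            this.badgeId = badgeId;
            setAuthenticated(false);
        }
        @Override public Object getCredentials() { return badgeId; }
        @Override public Object getPrincipal() { return badgeId; }
    }
}
```

To send badge logins to a different landing page, a custom `AuthenticationSuccessHandler` can branch on `authentication instanceof BadgeAuthenticationToken` (the provider should return the same token type, now authenticated, with the user's authorities).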

  • This might help: http://stackoverflow.com/questions/4783063/ – Ritesh Feb 23 '16 at 23:23
  • Thanks for the link. I used it, but with all the changes in place my security filter does not get invoked. I went ahead and even created a full springSecurityFilterChain implementation, removed all filters and pushed my filter to the top, yet it still does not get invoked. – user2358826 Feb 24 '16 at 22:29
  • I think your original config would work. You just have to replace the standard form login filter with your own filter: ``. Also make sure that BadgeAuthenticationToken extends AbstractAuthenticationToken so that its class type is distinct from UsernamePasswordAuthenticationToken. – Ritesh Feb 25 '16 at 18:00
  • If I add FORM_LOGIN_FILTER, what would happen to the existing form-login filter? I would need to use auto-config=false and then springSecurityFilterChain would also need to be manually configured. – user2358826 Feb 25 '16 at 21:53
  • I also checked that request.getParameter("username") or req.getParameter("j_badgeid") returns null when I do the login POST. I watch the values in the FilterChainProxy class. Why is that so, and where can I capture those input params from the form login? Thanks – user2358826 Feb 25 '16 at 22:54
  • My security chain is invoking now but is not able to persist a remoteUser. If remoteUser is null, login is not happening. Only with lanId and password do I get a persistent remoteUser. – user2358826 Mar 08 '16 at 21:04
