One problem I encountered while trying to configure spring security is customizing it based on my own preferences. The default setup uses j_spring_security_login as the login page and j_spring_security_logout as the logout page. Although the default setup is enough to create a secured application, its not what I wanted. What I want is to configure spring security based on my own preferences, based on my own rules.
This is the login controller that i customized :
public class LoginController extends AbstractController {
@Override
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
ModelAndView mav = new ModelAndView();
SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication auth = securityContext.getAuthentication();
String login = request.getParameter("login");
if(login != null && login.equals("1")) {
GrantedAuthority grantedAuthority = new GrantedAuthorityImpl("ROLE_ADMIN");
UserAuthentication userAuth = new UserAuthentication("rey", "q", new GrantedAuthority[]{grantedAuthority});
securityContext.setAuthentication(userAuth);
}
return mav;
}
}
And the applicationContext-security.xml :
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
<security:global-method-security secured-annotations="enabled">
</security:global-method-security>
<security:http auto-config="true" session-fixation-protection="none">
<!-- <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> -->
<security:intercept-url pattern="/login.htm" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
<security:remember-me user-service-ref="jdbcDaoImpl" />
<security:form-login login-page="/login.htm"/>
</security:http>
<security:authentication-provider user-service-ref="jdbcDaoImpl" />
</beans>
Labels: acegi, custom, spring, spring security
Subscribe to:
Post Comments (Atom)
what is UserAuthentication
Anonymous said...
July 15, 2008 at 11:40 PM
Please,
can you provide us class
implementation of
GrantedAuthority grantedAuthority = new GrantedAuthorityImpl("ROLE_ADMIN");
UserAuthentication userAuth = new UserAuthentication("rey", "q", new GrantedAuthority[]{grantedAuthority});
Anonymous said...
January 29, 2009 at 6:12 AM
is it possible to add few application specific roles into Authentication or Principal object after login from database ?
java polymorphism said...
September 28, 2011 at 3:20 AM