Spring Security custom authentication filter using Java Config -
I'm trying to configure Spring Security using Java config in a basic web application to authenticate against an external web service using an encrypted token provided in a URL request parameter.
I (I think) have a security filter that intercepts requests from the login portal (they go to /authenticate), and the filter uses an AuthenticationProvider to process the business logic of the authentication process.
login portal --> redirect to '/authenticate' (+ token) --> authenticate the token against the login portal (WS) --> if successful, get the roles and set up the user.
I have created a filter..

    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.stereotype.Component;
    import org.springframework.web.filter.GenericFilterBean;

    @Component
    public final class OeWebTokenFilter extends GenericFilterBean {

        @Override
        public void doFilter(final ServletRequest request, final ServletResponse response,
                             final FilterChain chain) throws IOException, ServletException {
            if (request instanceof HttpServletRequest) {
                // extractToken is the poster's own helper (not shown); the provider expects an OeWebToken
                OeWebToken token = extractToken(request);
                // dump the token into the security context (for the authentication-provider to pick up)
                SecurityContextHolder.getContext().setAuthentication(token);
            }
            // an extra closing brace in the posted snippet cut the method off before this call
            chain.doFilter(request, response);
        }
    }
An AuthenticationProvider...

    import java.util.List;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.AuthenticationServiceException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.stereotype.Component;
    // OeWebToken, AuthenticatedAccount, User, UserDao and WebTokenService are the application's own classes

    @Component
    public final class OeWebTokenAuthenticationProvider implements AuthenticationProvider {

        @Autowired
        private WebTokenService webTokenService;

        // userDao was used but never declared in the posted snippet
        @Autowired
        private UserDao userDao;

        @Override
        public boolean supports(final Class<?> authentication) {
            return OeWebToken.class.isAssignableFrom(authentication);
        }

        @Override
        public Authentication authenticate(final Authentication authentication) {
            if (!(authentication instanceof OeWebToken)) {
                throw new AuthenticationServiceException("Expecting an OeWebToken, got " + authentication);
            }
            try {
                // validate the token locally
                OeWebToken token = (OeWebToken) authentication;
                checkAccessToken(token);
                // validate the token remotely
                webTokenService.validateToken(token);
                // obtain the user info from the token
                User userFromToken = webTokenService.obtainUserInfo(token);
                // obtain the user from the DB
                User userFromDb = userDao.findByUsername(userFromToken.getUsername());
                // validate the user status
                checkUserStatus(userFromDb);
                // update the NCSS DB values from OE
                updateUserInDb(userFromToken, userFromDb);
                // determine access rights
                List<GrantedAuthority> roles = determineRoles(userFromDb);
                // put the account into the security context (for controllers to use)
                return new AuthenticatedAccount(userFromDb, roles);
            } catch (AuthenticationException e) {
                throw e;
            } catch (Exception e) {
                // stop non-AuthenticationExceptions; otherwise full stack traces are returned to the requester
                throw new AuthenticationServiceException("An internal error occurred");
            }
        }

        // checkAccessToken, checkUserStatus, updateUserInDb and determineRoles are the poster's private helpers, not shown
    }
And the Spring Security config

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.context.embedded.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.AuthenticationServiceException;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    // OeSettings, AuthenticationService(Impl), OeAuthenticationServiceImpl and OeWebTokenEntryPoint are the application's own classes

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        OeSettings oeSettings;

        @Bean(name = "oeAuthenticationService")
        public AuthenticationService oeAuthenticationService() throws AuthenticationServiceException {
            return new AuthenticationServiceImpl(new OeAuthenticationServiceImpl(),
                    oeSettings.getAuthenticateUrl(), oeSettings.getApplicationKey());
        }

        @Autowired
        private OeWebTokenFilter tokenFilter;
        @Autowired
        private OeWebTokenAuthenticationProvider tokenAuthenticationProvider;
        @Autowired
        private OeWebTokenEntryPoint tokenEntryPoint;

        @Bean(name = "authenticationManager")
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(tokenAuthenticationProvider);
        }

        // registered disabled so that Spring Boot does not also add the @Component filter to the servlet container's chain
        @Bean
        public FilterRegistrationBean filterRegistrationBean() {
            FilterRegistrationBean registrationBean = new FilterRegistrationBean();
            registrationBean.setFilter(tokenFilter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/authenticate**").permitAll()
                    .antMatchers("/resources/**").hasAuthority("ROLE_USER")
                    .antMatchers("/home**").hasAuthority("ROLE_USER")
                    .antMatchers("/personsearch**").hasAuthority("ROLE_ADMIN")
                    // Spring Boot actuator endpoints
                    .antMatchers("/autoconfig**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/beans**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/configprops**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/dump**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/env**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/health**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/info**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/mappings**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/metrics**").hasAuthority("ROLE_ADMIN")
                    .antMatchers("/trace**").hasAuthority("ROLE_ADMIN")
                .and()
                .addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(tokenAuthenticationProvider)
                .antMatcher("/authenticate/**")
                .exceptionHandling().authenticationEntryPoint(tokenEntryPoint)
                .and()
                .logout().logoutSuccessUrl(oeSettings.getUrl());
        }
    }
My problem is the configuration of the filter in the SpringConfig class. I want the filter to come into effect only when the /authenticate URL is requested, so I've added .antMatcher("/authenticate/**") to the filter configuration.

        .and()
        .addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class)
        .authenticationProvider(tokenAuthenticationProvider)
        .antMatcher("/authenticate/**")
        .exceptionHandling().authenticationEntryPoint(tokenEntryPoint)

When I have this line in, the other URLs are no longer secured: I can manually navigate to /home without authenticating. If I remove the line, /home is authenticated.
Should I be declaring the filter as applicable to a specific URL?
How can I implement this whilst maintaining the security of the other URLs?
I've resolved the issue by performing a check on the authentication status in the filter before invoking the authentication provider....
Config

        .and()
        .addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class)
        .authenticationProvider(tokenAuthenticationProvider)
        .exceptionHandling().authenticationEntryPoint(tokenEntryPoint)

Filter

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.security.core.Authentication;

    // logger was used but not declared in the posted snippet
    private static final Logger logger = LoggerFactory.getLogger(OeWebTokenFilter.class);

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException {
        logger.debug(this + " received authentication request " + request.getRemoteHost() + " " + request.getLocalName());
        if (request instanceof HttpServletRequest) {
            if (isAuthenticationRequired()) {
                // extract the token from the header
                OeWebToken token = extractToken(request);
                // dump the token into the security context (for the authentication-provider to pick up)
                SecurityContextHolder.getContext().setAuthentication(token);
            } else {
                logger.debug("Session contained valid authentication - not checking again");
            }
        }
        chain.doFilter(request, response);
    }

    private boolean isAuthenticationRequired() {
        // apparently filters have to check this themselves. Make sure we have a proper AuthenticatedAccount in the session.
        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
        if ((existingAuth == null) || !existingAuth.isAuthenticated()) {
            return true;
        }
        if (!(existingAuth instanceof AuthenticatedAccount)) {
            return true;
        }
        // the current session is authenticated
        return false;
    }
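Why /home opened up: `http.antMatcher("/authenticate/**")` restricts the whole `HttpSecurity` (every `authorizeRequests()` rule in it) to that pattern, not just the one filter. The following is an added example, not code from the question or the answer above, that scopes the filter itself instead: it extends `AbstractAuthenticationProcessingFilter`, which only runs `attemptAuthentication` for requests matching its `RequestMatcher`, and hands the token to the `AuthenticationManager` so that `OeWebTokenAuthenticationProvider` is invoked explicitly rather than left for the authorization interceptor to trigger. `OeWebToken` is the question's class; its `String` constructor and the `token` parameter name are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example (not the question's code): the filter runs only for GET /authenticate.
// Every other URL is untouched by it and stays protected by the authorizeRequests() rules.
public final class OeWebTokenProcessingFilter extends AbstractAuthenticationProcessingFilter {

    public OeWebTokenProcessingFilter(AuthenticationManager authenticationManager) {
        // the base class skips doFilter's authentication path for any request not matching this
        super(new AntPathRequestMatcher("/authenticate", "GET"));
        setAuthenticationManager(authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        // "token" is an assumed parameter name; the question only says the encrypted token
        // arrives as a URL request parameter (so it will also show up in access logs)
        String rawToken = request.getParameter("token");
        if (rawToken == null || rawToken.isEmpty()) {
            // an AuthenticationException here is routed to the configured entry point
            throw new AuthenticationServiceException("Missing token parameter");
        }
        // OeWebToken is the question's Authentication implementation; a String constructor is assumed
        OeWebToken token = new OeWebToken(rawToken);
        // delegates to OeWebTokenAuthenticationProvider through the AuthenticationManager; on success
        // the base class stores the returned AuthenticatedAccount in the SecurityContext itself
        return getAuthenticationManager().authenticate(token);
    }
}
```

Register it in `configure(HttpSecurity)` with `.addFilterBefore(new OeWebTokenProcessingFilter(authenticationManagerBean()), UsernamePasswordAuthenticationFilter.class)` and leave out `.antMatcher("/authenticate/**")`, so the `authorizeRequests()` rules keep applying to every URL.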