Tuesday, August 4, 2015

Auto Login in Spring Security

I once worked on a project with a requirement to redirect the user from one web application to another, deployed on a different server in the same LAN. Both applications had implemented Spring Security. Consider two web applications: application A is deployed on server A and application B on server B. Each has its own login module implemented with Spring Security, but every user has the same credentials for both. The requirement was that if a user has logged in to application A and is redirected to a URL in application B, application B should not ask for the user's credentials again; it should send the user directly to the desired page.

So the requirement is to transfer the user's credentials from application A to application B, so that the user is logged in to application B automatically with the same username and password, without any user intervention. This can be done with the following configuration.

<sec:authentication-manager alias="authManager">
    <sec:authentication-provider ref="daoAuthenticationProvider" />
</sec:authentication-manager>

<!-- Authenticates the submitted username/password against the UserDetailsService below -->
<bean id="daoAuthenticationProvider"
      class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userService" />
</bean>

<bean id="userService" class="com.brainatjava.test.service.impl.UserServiceImpl" />
This is the authentication-manager configuration for Spring Security. Now let us look at the controller in application B, which receives the redirect request from application A and uses the username and password to authenticate the user directly. See the code snippet below.

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class AuthenticationController {

    // Injected via the alias declared on <sec:authentication-manager alias="authManager">
    @Autowired
    private AuthenticationManager authManager;

    @RequestMapping(value = "/goToHome", method = RequestMethod.GET)
    public void goToHome(@RequestParam String username, @RequestParam String password,
            HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            authenticateUser(username, password, request);
        } catch (Exception e) {
            // A failed authentication is only logged; the redirect below still happens
            e.printStackTrace();
        }
        response.sendRedirect("home");
    }

    private void authenticateUser(String username, String password, HttpServletRequest request) {
        UsernamePasswordAuthenticationToken authToken =
                new UsernamePasswordAuthenticationToken(username, password);
        // Create the session now so the security context can be stored in it
        request.getSession();
        authToken.setDetails(new WebAuthenticationDetails(request));
        Authentication authentication = authManager.authenticate(authToken);
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }
}
Since /goToHome lives in application B and is hit from application A, which is deployed on a different server, application B must allow unauthenticated access to it. This is done by adding the following to the application context of application B.

<sec:http use-expressions="true" auto-config="true">
    <sec:intercept-url pattern="/goToHome" access="permitAll" />
</sec:http>

Note that /goToHome is a GET request, because sendRedirect() cannot issue a POST. The username and password therefore travel in the query string, where they end up in the browser history, in the Referer header, and in the access logs of both servers and any proxy between them, so we should consider encrypting the query string parameters for security.
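As an added example (not code from the original post), the following plain-Java class shows one way to keep the handoff but take the raw password out of the query string: application A mints a short-lived, single-use token over the username with an HMAC under a key shared with application B, and application B verifies the signature, the expiry and the nonce before it authenticates the user. The shared key, the 30-second window, the in-memory nonce set and the class name HandoffToken are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Constructed example: a signed, short-lived, single-use handoff token.
 * Application A mints it; application B verifies it before it looks up the
 * user and authenticates the session. The shared key and the time window are
 * assumptions; nothing here comes from the original post.
 */
public class HandoffToken {

    private static final String HMAC_ALG = "HmacSHA256";
    private static final long MAX_AGE_MILLIS = 30_000; // assumed 30 s handoff window

    private final byte[] sharedKey;                                  // assumed to be provisioned out of band
    private final Set<String> usedNonces = ConcurrentHashMap.newKeySet(); // replay guard, single JVM only
    private final SecureRandom random = new SecureRandom();

    public HandoffToken(byte[] sharedKey) {
        this.sharedKey = sharedKey.clone();
    }

    /** Application A side: "username|expiry|nonce|hmac", URL-safe base64 per binary field. */
    public String mint(String username, long nowMillis) {
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        String payload = b64(username.getBytes(StandardCharsets.UTF_8))
                + "|" + (nowMillis + MAX_AGE_MILLIS) + "|" + b64(nonceBytes);
        return payload + "|" + b64(hmac(payload));
    }

    /** Application B side: yields the username only if the token is intact, unexpired and unused. */
    public Optional<String> verify(String token, long nowMillis) {
        String[] parts = token.split("\\|", -1);
        if (parts.length != 4) return Optional.empty();
        String payload = parts[0] + "|" + parts[1] + "|" + parts[2];
        String username;
        long expiry;
        byte[] given;
        try {
            username = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            expiry = Long.parseLong(parts[1]);
            given = Base64.getUrlDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {   // malformed base64 or expiry
            return Optional.empty();
        }
        // Constant-time comparison so a byte-by-byte mismatch does not leak timing
        if (!MessageDigest.isEqual(hmac(payload), given)) return Optional.empty();
        if (nowMillis > expiry) return Optional.empty();
        // Single use: a token replayed from a log or the browser history is rejected
        if (!usedNonces.add(parts[2])) return Optional.empty();
        return Optional.of(username);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(sharedKey, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }

    public static void main(String[] args) {
        byte[] key = "constructed-demo-key-replace-me".getBytes(StandardCharsets.UTF_8); // constructed
        HandoffToken appA = new HandoffToken(key);
        HandoffToken appB = new HandoffToken(key);
        long now = System.currentTimeMillis();

        String token = appA.mint("alice", now);
        System.out.println("fresh token    -> " + appB.verify(token, now));                       // Optional[alice]
        System.out.println("replayed token -> " + appB.verify(token, now));                       // Optional.empty
        System.out.println("expired token  -> " + new HandoffToken(key).verify(token, now + 60_000)); // Optional.empty
        String tampered = token.replaceFirst("^[^|]*", b64("mallory".getBytes(StandardCharsets.UTF_8)));
        System.out.println("tampered token -> " + new HandoffToken(key).verify(tampered, now));   // Optional.empty
    }
}
```

Run it with `java HandoffToken.java` on JDK 11 or later. With this design the controller in application B would accept a single `token` parameter instead of `username` and `password`, call `verify`, and on success load the user through its UserDetailsService and place an authenticated token in the SecurityContext, since there is no password to hand to `authenticate`. The nonce set here lives in one JVM; a clustered application B would need a shared store for it, and the two servers' clocks must agree to within the window.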
