 

Adding user to session, spring security default login

I have set up spring security to intercept correctly and prompt user with custom login page, that then authenticates correctly and adds userdetails to SecurityContextHolder.

Supplementary to that I now want to add my own custom User object added to session whenever login is performed; so the code will look like this:

public returnwhat? doMySupplementaryLogin() {

   UserDetails principal = (UserDetails) SecurityContextHolder.getContext()
                                .getAuthentication().getPrincipal();
   MyUser user = myUserService.getMyUser(principal.getUsername());

   add user to what ?
}

Where will this code go? I want the normal spring authentication to be performed and then the above code will put a MyUser object into session and then send user to the original intercepted url/viewname. I have the strong feeling I am making things more complicated than they need to be ...

NimChimpsky asked Oct 18 '11 10:10



2 Answers

You do make it complicated... :)

What you want is to add a custom authentication provider to spring's normal authentication manager. So you would configure the authentication manager like this:

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider user-service-ref="authServiceImpl">
        <security:password-encoder ref="passwordEncoder"/>
      </security:authentication-provider>
    </security:authentication-manager>
    <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

Now you only need to define the authServiceImpl bean inside your spring context. You can either do this through xml or annotations (my preferred way).

@Service
public class AuthServiceImpl implements AuthService {

You need to implement the AuthService interface. Just implement the methods from the interface; it should be pretty straightforward. You don't need to put things into the SecurityContextHolder yourself, spring will do that.

What you want is this:

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
    // MyUser must implement UserDetails; Spring stores the returned object
    // as the principal in SecurityContextHolder after a successful login.
    return myUserService.getMyUser(username);
}

Feel free to ask if you have any further questions.

EDIT: Or you could just have your UserService class implement the interface - I just did it like this because you didn't provide your UserService class.

chzbrgla answered Oct 20 '22 09:10
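The approach in the answer above, carried through as an added example on a current stack (this is not code from the answer or from the Spring project). It assumes Spring Security 6.x on Spring Boot 3, a hypothetical MyUserRepository with a findByUsername method, and a /login view; BCrypt is used in place of the MD5 encoder shown in the XML configuration above. The listing is shown as one file for readability.

```java
// Added example, not from the original answers. Assumes Spring Security 6.x / Spring Boot 3,
// a hypothetical MyUserRepository (Spring Data style) and a /login view.
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

/** Hypothetical application user that is also the Spring Security principal. */
public class MyUser implements UserDetails {
    private final long id;
    private final String username;
    private final String passwordHash;   // BCrypt hash; the cleartext password is never stored
    private final List<String> roles;

    public MyUser(long id, String username, String passwordHash, List<String> roles) {
        this.id = id; this.username = username; this.passwordHash = passwordHash; this.roles = roles;
    }

    public long getId() { return id; }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return roles.stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)).collect(Collectors.toList());
    }
    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

/** Hypothetical repository; a Spring Data interface declaring findByUsername would do. */
interface MyUserRepository {
    Optional<MyUser> findByUsername(String username);
}

/** Spring Boot wires this bean and the PasswordEncoder bean into DaoAuthenticationProvider. */
@Service
class MyUserDetailsService implements UserDetailsService {
    private final MyUserRepository repo;

    MyUserDetailsService(MyUserRepository repo) { this.repo = repo; }

    @Override
    public MyUser loadUserByUsername(String username) throws UsernameNotFoundException {
        // Covariant return: MyUser is a UserDetails, so it becomes the principal as-is.
        // DaoAuthenticationProvider reports this as BadCredentialsException by default
        // (hideUserNotFoundExceptions = true), so the login form does not reveal which usernames exist.
        return repo.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("no such user"));
    }
}

@Configuration
class SecurityConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // adaptive, salted hash instead of MD5
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }
}

@Controller
class HomeController {
    // Spring resolves the principal from SecurityContextHolder; no extra session attribute is needed.
    @GetMapping("/")
    String home(@AuthenticationPrincipal MyUser user, Model model) {
        model.addAttribute("userId", user.getId());
        return "home";
    }

    /** Same lookup without parameter injection, for code that runs outside a controller. */
    static Optional<MyUser> currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return (auth != null && auth.getPrincipal() instanceof MyUser)
                ? Optional.of((MyUser) auth.getPrincipal()) : Optional.empty();
    }
}
```

Because the object returned by loadUserByUsername is the principal, nothing has to be copied into the HttpSession by hand: Spring Security persists the SecurityContext (and with it the MyUser) across requests itself, and the form-login flow still redirects to the originally intercepted URL.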


Or add your own AuthenticationSuccessHandler, for instance this class, which I added so that I could store the username and password in session so I could log in to other microservices when needed:

    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
    import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
    import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

    public class AuthenticationSuccessWithSessionHandler extends SavedRequestAwareAuthenticationSuccessHandler implements AuthenticationSuccessHandler, LogoutSuccessHandler {

        // Names of the login-form parameters and of the session attributes they are copied to.
        public static final String USERNAME = "username";
        public static final String PASSWORD = "password";

        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            // Drop the stored credentials when the user logs out.
            request.getSession().removeAttribute(USERNAME);
            request.getSession().removeAttribute(PASSWORD);
        }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            // Let the parent redirect to the saved (originally intercepted) request,
            // then copy the submitted username and cleartext password into the session.
            super.onAuthenticationSuccess(request, response, authentication);
            request.getSession().setAttribute(PASSWORD, request.getParameter(PASSWORD));
            request.getSession().setAttribute(USERNAME, request.getParameter(USERNAME));
        }
    }

and registered it:

        AuthenticationSuccessWithSessionHandler successHandler = new AuthenticationSuccessWithSessionHandler();
        http.authorizeRequests().antMatchers("/login", "/logout", "/images", "/js").permitAll().antMatchers("/feeds/**")
                .authenticated().and().formLogin()
                .successHandler(successHandler)
                .and().logout().logoutUrl("/logout").logoutSuccessHandler(successHandler).logoutSuccessUrl("/login");

Note that extending SavedRequestAwareAuthenticationSuccessHandler stores the original URL and restores it after successful login.

Ronald answered Oct 20 '22 09:10
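The success-handler route from the answer above, as an added example (not Ronald's code and not from the Spring project) adjusted to what the question asks for: after Spring's normal authentication it loads MyUser, puts that object into the session, and then lets SavedRequestAwareAuthenticationSuccessHandler redirect to the originally intercepted URL. It stores the user object rather than the submitted username and password. Spring Security 6.x on Spring Boot 3 (jakarta.servlet), and the MyUser and MyUserService.getMyUser(String) shapes, are assumptions; the listing is shown as one file.

```java
// Added example, not from the original answers. Assumes Spring Security 6.x / Spring Boot 3
// (jakarta.servlet) and hypothetical MyUser / MyUserService classes as named in the question.
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.SessionAttribute;

/** Hypothetical application user and the service that loads it, as in the question. */
class MyUser {
    private final String username;
    MyUser(String username) { this.username = username; }
    String getUsername() { return username; }
}

interface MyUserService {
    MyUser getMyUser(String username);
}

/** Called once per successful form login, after the AuthenticationManager has accepted the credentials. */
public class MyUserSessionSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    public static final String MY_USER_ATTR = "MY_USER";
    private final MyUserService myUserService;

    public MyUserSessionSuccessHandler(MyUserService myUserService) {
        this.myUserService = myUserService;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        // Take the name from the Authentication Spring built, not from request parameters,
        // and never copy the submitted password anywhere.
        MyUser user = myUserService.getMyUser(authentication.getName());

        // The session-fixation strategy has already run before a success handler is invoked,
        // so this attribute lands in the fresh post-login session, not the pre-login one.
        request.getSession().setAttribute(MY_USER_ATTR, user);

        // Redirect to the URL intercepted before login (or the default target URL).
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, MyUserService myUserService) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/images/**", "/js/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .successHandler(new MyUserSessionSuccessHandler(myUserService)))
            // Logout invalidates the HttpSession by default, which discards MY_USER with it,
            // so no LogoutSuccessHandler is needed just to remove the attribute.
            .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/login"));
        return http.build();
    }
}

@Controller
class ProfileController {
    // Read the stored object back; a missing attribute yields a 400 unless required = false is set.
    @GetMapping("/profile")
    String profile(@SessionAttribute(MyUserSessionSuccessHandler.MY_USER_ATTR) MyUser user, Model model) {
        model.addAttribute("username", user.getUsername());
        return "profile";
    }
}
```

Putting the lookup in the success handler keeps it to one call per login rather than one per request, and because the handler receives the Authentication object it does not need to read the login form fields at all.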