Spring Security: Ignore login page by using a special URL parameter


In Spring Security the scenario you want to cover is described in the reference manual, chapter Pre-Authentication Scenarios.

Basically you have to:

  • create a custom filter by extending AbstractPreAuthenticatedProcessingFilter or choosing one of its implementations,
  • register the custom filter with <custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />,
  • implement an AuthenticationUserDetailsService or choose one of the existing implementations,
  • register the service with a PreAuthenticatedAuthenticationProvider (with <property name="yourPreAuthenticatedUserDetailsService">).

EDIT: In this answer the OP shows his way of implementing a custom PRE_AUTH_FILTER.
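The four steps above carried through in code, as an added example that is not part of the original answer and not Spring Security's own code. The class names TokenPreAuthFilter and TokenUserDetailsService, the sample token "abcd" mapped to the user foo, and a Spring Security 3.1-era setup (generic AuthenticationUserDetailsService, javax.servlet, the XML namespace) are assumptions made here to match the question's configuration.

```java
// Added example (not code from the answer or from Spring Security): two classes,
// one per file in package "example". Assumes Spring Security 3.1+ on javax.servlet.
package example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Step 1: the filter. Its only job is to pull the claimed identity (the token)
 * out of the request; deciding whether the token is valid happens in step 3.
 */
public class TokenPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getParameter("token");   // e.g. /dog?token=abcd
        // Returning null tells the base class there is no pre-authenticated identity,
        // so the request continues to the ordinary form login untouched.
        return (token == null || token.isEmpty()) ? null : token;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // PreAuthenticatedAuthenticationProvider rejects a null credentials field,
        // so return a placeholder; the token itself travels as the principal.
        return "N/A";
    }
}

/**
 * Step 3: resolves a presented token to a user, or throws so that the provider
 * reports an authentication failure.
 */
public class TokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    // Constructed sample data: token -> username. A real deployment would keep
    // these in a store with an expiry and a way to revoke them.
    private final Map<String, String> tokens = Collections.singletonMap("abcd", "foo");

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        String username = lookup(String.valueOf(token.getPrincipal()));
        if (username == null) {
            throw new UsernameNotFoundException("unknown token");
        }
        // The password is never checked on the pre-auth path, so a placeholder is fine.
        return new User(username, "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    private String lookup(String presented) {
        byte[] p = presented.getBytes(StandardCharsets.UTF_8);
        for (Map.Entry<String, String> e : tokens.entrySet()) {
            // MessageDigest.isEqual compares in constant time, so response timing
            // does not reveal how many leading characters of a guess were right.
            if (MessageDigest.isEqual(e.getKey().getBytes(StandardCharsets.UTF_8), p)) {
                return e.getValue();
            }
        }
        return null;
    }
}

/* Steps 2 and 4, in spring-security.xml (also part of this added example):

   <http auto-config="true">
       <custom-filter position="PRE_AUTH_FILTER" ref="tokenPreAuthFilter"/>
       ... the existing intercept-url / form-login / logout elements ...
   </http>

   <beans:bean id="tokenPreAuthFilter" class="example.TokenPreAuthFilter">
       <beans:property name="authenticationManager" ref="authenticationManager"/>
   </beans:bean>

   <beans:bean id="tokenAuthProvider"
       class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
       <beans:property name="preAuthenticatedUserDetailsService">
           <beans:bean class="example.TokenUserDetailsService"/>
       </beans:property>
   </beans:bean>

   <authentication-manager alias="authenticationManager">
       <authentication-provider ref="tokenAuthProvider"/>
       <authentication-provider>
           <user-service>
               <user name="foo" password="bar" authorities="ROLE_USER"/>
           </user-service>
       </authentication-provider>
   </authentication-manager>
*/
```

Two things to keep in mind when using this. First, with the filter's default settings a failed token authentication clears the security context and lets the chain continue, so an invalid token leaves the user anonymous and the request is then handled like any other unauthenticated one (here, redirected to the form login rather than straight to an access-denied page). Second, a token carried in the query string is written to server access logs and browser history and is sent to third parties in the Referer header, so treat such tokens as short-lived, single-purpose secrets rather than as a substitute for the regular credentials.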


digiarnie

Updated on June 14, 2022

Comments

  • digiarnie, almost 2 years ago:

    I currently have a setup that looks something like this:

    spring-security.xml:

    <http auto-config="true">
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login"
                    default-target-url="/main.html"
                    authentication-failure-url="/failedLogin"/>
        <logout logout-url="/logout.html" logout-success-url="/login" />
    </http>
    
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="foo" password="bar" authorities="ROLE_USER" />                
            </user-service>
        </authentication-provider>
    </authentication-manager>
    

    web.xml:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    

    This all seems to work as expected. However, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a URL such as /dog, they will see the login page, and if they pass in the credentials foo/bar they will be logged in and see the page corresponding to /dog.

    I want the ability to use a URL such as /dog?token=abcd which will bypass the login screen and take them directly to the page corresponding to /dog. If they provide an invalid token then they would just see an access denied page.