Spring Security: Ignore login page by using a special URL parameter
In Spring Security the scenario you want to cover is described in the reference manual, chapter Pre-Authentication Scenarios.
Basically you have to:
- create a custom filter by extending AbstractPreAuthenticatedProcessingFilter or choosing one of its implementations,
- register the custom filter: <custom-filter position="PRE_AUTH_FILTER" ref="yourPreAuthFilter" />,
- implement or choose one of the implemented AuthenticationUserDetailsServices,
- register the service in PreAuthenticatedAuthenticationProvider (with <property name="preAuthenticatedUserDetailsService" ref="yourPreAuthenticatedUserDetailsService" />).
EDIT: In this answer OP shows his way of implementing a custom PRE_AUTH_FILTER.
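The four steps above, carried through as a worked example. This is added code, not part of the original answer and not Spring Security's own sources: the `token` request parameter (matching the question's `/dog?token=abcd`), the class names `TokenPreAuthFilter` and `TokenUserDetailsService`, and the in-memory token map are assumptions for illustration. It targets the XML-configuration era API the question uses (Spring Security 3.1 or later, where `AuthenticationUserDetailsService` is generic).

```java
// File TokenPreAuthFilter.java (hypothetical package name)
package com.example.security;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/**
 * Step 1: the pre-authentication filter. Its only job is to pull the token
 * out of the request; deciding whether the token is valid happens in the
 * AuthenticationUserDetailsService below, via PreAuthenticatedAuthenticationProvider.
 */
public class TokenPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumed parameter name, chosen to match the question's /dog?token=abcd
    static final String TOKEN_PARAM = "token";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getParameter(TOKEN_PARAM);
        // Returning null tells the base class that no pre-authenticated
        // principal is present, so a plain /dog still reaches the form login.
        if (token == null || token.trim().isEmpty()) {
            return null;
        }
        return token;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // PreAuthenticatedAuthenticationProvider rejects null credentials,
        // so supply a placeholder; the token itself is the principal above.
        return "N/A";
    }
}

// File TokenUserDetailsService.java (hypothetical package name)
package com.example.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Step 3: maps a presented token to a UserDetails. This is the one place that
 * decides validity, which is exactly what PreAuthenticatedAuthenticationProvider
 * relies on when it trusts the returned user.
 */
public class TokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    // Constructed sample data for the example: token -> username. A real
    // deployment would keep these in a store, with an expiry per token.
    private final Map<String, String> tokens;

    public TokenUserDetailsService(Map<String, String> tokens) {
        this.tokens = tokens;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken authentication)
            throws UsernameNotFoundException {
        String presented = String.valueOf(authentication.getPrincipal());
        String username = lookup(presented);
        if (username == null) {
            // An AuthenticationException here makes the provider fail the
            // request instead of handing ROLE_USER to an unknown token.
            throw new UsernameNotFoundException("unknown token");
        }
        // The password is never checked for pre-authenticated users.
        return new User(username, "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    /**
     * Compares the presented token against every known token with
     * MessageDigest.isEqual and never exits early, so response timing does
     * not reveal how many leading characters of a guess were correct.
     */
    String lookup(String presented) {
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        String match = null;
        for (Map.Entry<String, String> e : tokens.entrySet()) {
            byte[] expected = e.getKey().getBytes(StandardCharsets.UTF_8);
            if (MessageDigest.isEqual(expected, given)) {
                match = e.getValue();
            }
        }
        return match;
    }
}
```

Steps 2 and 4 are wiring in spring-security.xml: declare a bean for `TokenPreAuthFilter` with its `authenticationManager` property pointing at `<authentication-manager alias="authenticationManager">`, reference it from `<custom-filter position="PRE_AUTH_FILTER" ref="..."/>` inside `<http>`, declare a `PreAuthenticatedAuthenticationProvider` bean whose `preAuthenticatedUserDetailsService` property references a `TokenUserDetailsService` bean (its token map as a constructor argument), and add that provider to the authentication manager alongside the existing `<user-service>` provider so `foo/bar` keeps working. Two caveats a practitioner should weigh: a token in the query string ends up in server access logs, browser history and Referer headers, so treat it as a short-lived, revocable credential; and with the filter's default `continueFilterChainOnUnsuccessfulAuthentication` (true), an invalid token is simply dropped and the request falls through to the form login rather than to an access denied page, so switch that off with `setContinueFilterChainOnUnsuccessfulAuthentication(false)` if the question's "access denied" behaviour is what you want.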
digiarnie
Updated on June 14, 2022

Comments

digiarnie almost 2 years
I currently have a setup that looks something like this:
spring-security.xml:
<http auto-config="true">
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login" default-target-url="/main.html" authentication-failure-url="/failedLogin"/>
    <logout logout-url="/logout.html" logout-success-url="/login" />
</http>
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="foo" password="bar" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
web.xml:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
This all seems to work as expected, however, in special situations I want the login page to be bypassed if the user passes in a special token. So currently, if the user goes to a URL such as /dog, they will see the login page and if they pass in the credentials of foo/bar then they will be logged in and see the page corresponding to /dog.

I want the ability to use a URL such as /dog?token=abcd which will bypass the login screen and take them directly to the page corresponding to /dog. If they provide an invalid token then they would just see an access denied page.