AOP for authentication in Java - Spring

I kept looking for an authentication solution in Java until I found AOP.
It seems that the advice of the AOP can act as an interceptor of the required method execution, which can be used for authentication and authorization.
And I have heard of some solutions based on URL filtering, but IMO, the AOP is better since it will intercept the logic rather than the request path.
Especially in an application which has multiple views like this:
we can use only one authentication module to hold the whole application through AOP, but if we use the URL filtering, we have to make another authentication module for the "Client GUI View".
This is my opinion, I am not sure if this is right, please point it out if I missed something.
And BTW, is there a live example about AOP with authentication (Spring AOP is better)?

I don't think using AOP for authentication is a good idea.
You can use filters to check if a user is authenticated. Here you have an example of this:
How to redirect to Login page when Session is expired in Java web application?
Another approach: you can make use of Spring Security. It is quite simple and handles login for you. This guy shows simple examples well:
http://www.mkyong.com/spring-security/spring-security-form-login-example/

Related

Pre-controller token validation - Spring Interceptor?

In my Spring Boot application, I have several roles that are differentiated by a token. Each one has a different token in the configuration file (.properties or .yml), which is then read by a JWT management class.
Initially I thought to do this just for one controller, but it makes sense to apply this logic to others as well, so I would like to ask what you guys recommend for this type of case.
After a little searching I found info about Spring Interceptor - https://www.baeldung.com/spring-mvc-handlerinterceptor
Do you think this is ideal or do you have any better suggestions for this type of case?
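The HandlerInterceptor route the question mentions, as an added example that is not code from the question or from the linked Baeldung article: one interceptor validates the per-role token for every controller it is registered on, so the logic is written once. The role-to-token map, the `Bearer` header convention, the `ROLE_ATTR` name and the `javax.servlet` package (Spring Boot 2; `jakarta.servlet` on Boot 3) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Runs before any matched controller and rejects the request unless its bearer
 * token equals one of the per-role tokens bound from configuration. The matched
 * role is stored as a request attribute so controllers can branch on it.
 */
public class RoleTokenInterceptor implements HandlerInterceptor {
    public static final String ROLE_ATTR = "tokenRole";   // assumed attribute name
    private final Map<String, String> tokenByRole;        // role -> secret token, from .properties/.yml

    public RoleTokenInterceptor(Map<String, String> tokenByRole) {
        this.tokenByRole = tokenByRole;
    }

    /** Role whose token equals the presented one, or null. Compares in constant time. */
    public String roleFor(String presentedToken) {
        if (presentedToken == null) return null;
        byte[] presented = presentedToken.getBytes(StandardCharsets.UTF_8);
        String matched = null;
        for (Map.Entry<String, String> e : tokenByRole.entrySet()) {
            // MessageDigest.isEqual is constant-time for equal-length inputs, and the
            // loop always visits every entry, so a mismatch costs the same as a match.
            if (MessageDigest.isEqual(presented, e.getValue().getBytes(StandardCharsets.UTF_8))) {
                matched = e.getKey();
            }
        }
        return matched;
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws Exception {
        String header = req.getHeader("Authorization");
        String token = header != null && header.startsWith("Bearer ") ? header.substring(7) : null;
        String role = roleFor(token);
        if (role == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // deny by default; controller never runs
            return false;
        }
        req.setAttribute(ROLE_ATTR, role);
        return true;
    }
}
```

Register it once from a `WebMvcConfigurer`'s `addInterceptors(...)` with `addPathPatterns("/api/**")` (an assumed prefix) so every controller under that path is covered without per-controller code.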

How to execute custom handler before Spring authentication manager

I wanted to know whether it is possible to have custom handler execution just before the Spring authentication manager. I wanted to validate licenses for the user before he accesses the system. Initially I wrote a custom filter and executed it before calling the authentication manager, but in this case he won't be able to access some resources since he is not authenticated, but later I moved my code to the successHandler of Spring, which worked fine, except it has some security issues like if opened in multiple tabs it fails.
Any help is highly appreciated.
Thanks,
Brijesh
I think what you are looking for is to add a Spring AuthenticationProvider. In short, an AuthenticationManager has a list of AuthenticationProviders, each of which is queried in order. The question and answer to Multiple Authentication Providers in Spring Security has a good explanation of this. The Spring documentation also explains how the various components fit together.
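An AuthenticationProvider that performs the license check inside the AuthenticationManager, written here as an added example rather than code from the question or from Spring Security. The `LicenseService` interface is hypothetical; the wrapped delegate is whatever provider already verifies credentials (for example a DaoAuthenticationProvider).

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Wraps an existing provider (for example DaoAuthenticationProvider) and refuses
 * to authenticate any user without a valid license. Because the check happens
 * inside the AuthenticationManager, an unlicensed user is never authenticated,
 * so no session or SecurityContext exists for a second tab to reuse.
 */
public class LicenseCheckingAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical service answering whether a username holds a valid license. */
    public interface LicenseService {
        boolean isLicenseValid(String username);
    }

    private final AuthenticationProvider delegate;
    private final LicenseService licenses;

    public LicenseCheckingAuthenticationProvider(AuthenticationProvider delegate, LicenseService licenses) {
        this.delegate = delegate;
        this.licenses = licenses;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Verify the credentials first: license status is only revealed to callers
        // who already proved the password, so the check cannot be used as an oracle.
        Authentication result = delegate.authenticate(authentication);
        if (result == null) {
            return null;   // delegate does not handle this token type; let the next provider try
        }
        if (!licenses.isLicenseValid(result.getName())) {
            // An AccountStatusException subclass, so the failure handler can map it
            // to a dedicated "license required" page instead of "bad credentials".
            throw new LockedException("No valid license for user " + result.getName());
        }
        return result;   // fully authenticated; authorities were populated by the delegate
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Register it in place of the wrapped provider (for example via `AuthenticationManagerBuilder.authenticationProvider(...)`); ProviderManager stops at an AccountStatusException such as LockedException, so no later provider can override the refusal.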

Spring Security features

What security features does Spring provide that are not already provided by the Java EE specs?
In the Java EE specs we have:
A range of servlet security options in web.xml. Most people will configure basic or form-based authentication. They link their Java EE application to an LDAP server, which stores users / groups. Requests will be encrypted and come in over HTTPS.
The possibility to annotate any EJB and only allow certain roles to execute certain methods
The ability to check the user principal at runtime programmatically
So what security extras does Spring 3.0 give me?
Even if you just need some fairly simple authentication, Spring Security provides support for lots of simple but useful features (think of redirecting after logout, redirecting to login page on all URLs, remember-me). With Java EE you'll end up writing this yourself and - possibly - screwing up so you'll have an insecure app.
Spring Security works well with many standards/protocols/etc. out of the box (LDAP, JAAS, X.509). There's also more advanced stuff like SSO or ACLs. And if the standard functionality doesn't suit you, you can customize this fairly easily, often requiring just a little code.
What I also like is that it's fairly non-intrusive, your controller/action/… classes typically don't have to be involved.
That said, if you use it for the first time, it takes some time to set Spring Security up and get used to it.
(Finally, here's their own feature list: http://static.springsource.org/spring-security/site/features.html)
One killer feature is ACLs!
See: Spring Security Reference Chapter 17. Domain Object Security (ACLs)
And I have the feeling that Spring Security is much easier to customize. For example, if you need a user management where the user can self-register and get some of these privileges in a limited way, and some others after their email address has been confirmed.

SpringFramework3.0: How to create interceptors that only apply to requests that map to certain controllers?

In its simplest form, I want an interceptor that checks session data to see if a user is logged in, and if not redirects them to the login page. Obviously, I wouldn't want this interceptor to be used on, say, the welcome page or the login page itself.
I've seen a design that uses a listing of every URL to one of two interceptors, one doing nothing and the other being the actual interceptor you want implemented, but this design seems very clunky and limits the ease of extensibility of the application. It makes sense to me that there should be an annotation-based way of using interceptors, but this doesn't seem to exist.
My friend has the idea of actually modifying the handler class so that during each request it checks the Controller it is mapping the request to for a new annotation we would create (ex @Interceptor("loginInterceptor")).
A major point of my thinking is the extensibility, because I'd like to later implement similar interceptors for role-based authentication and/or administration authentication.
Does it sound like my friend's approach would work for this? Or what is a proper way of going about doing this?
Use Spring Security.
Please have a look at these sites, Spring Framework Annotation-based Controller Interceptor Configuration and
Ability to restrict HandlerInterceptors to specific controller paths
Hope it will be useful.
What about a Servlet Filter on all requests that sends the user to the login page if the user object isn't in the session? For the second part you can use security annotations on the controller methods that can check the user's role.
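The session-check Servlet Filter suggested in this answer and in the first answer on this page (filters to check whether a user is authenticated), as an added example not taken from either answer. The session attribute name, the `/login` path, the `/static/` prefix and a web.xml mapping of the filter to `/*` are assumptions; the login controller is assumed to set the attribute after a successful credential check.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Mapped to /* : every request except the login page and static assets must carry
 * a session holding USER_ATTR, which the login controller is assumed to set after
 * a successful credential check. Unauthenticated requests are redirected to login.
 */
public class LoginCheckFilter implements Filter {

    public static final String USER_ATTR = "currentUser";   // assumed session attribute
    static final String LOGIN_PATH = "/login";               // assumed login page

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the context root, so the rule works under any deployment path.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isPublic(path) || isAuthenticated(request)) {
            chain.doFilter(req, res);
            return;
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    /** Deny by default: only an exact match of the login page or the static prefix is open. */
    static boolean isPublic(String path) {
        return path.equals(LOGIN_PATH) || path.startsWith("/static/");
    }

    /** Never create a session here; request.getSession(false) returns null if none exists. */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Because everything not explicitly listed as public is protected, a controller added later is covered without touching the filter, which is the extensibility the question is after.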

Spring MVC Custom Authentication

What I am looking to accomplish is a filter (or similar) that would handle the authentication model for my Spring MVC application. My application is also hosted on Google App Engine.
The authentication on this application can tend to be very dynamic and the permissions are not something that would fit cleanly into a predefined Role structure. These permissions would be tied to the different action methods on my controllers. Ideally I would like to be able to annotate these permissions but I am open for other suggestions.
I am finding that there is not very much information around on how to accomplish this. Ideally I would like to be able to intercept the call to my controller actions and be able to read off the annotations and handle accordingly. What I am hoping is that someone here has a little bit more knowledge on Spring MVC and where I can inject some custom code, and would be able to point me in the right direction.
I would still use Spring Security to do this. It may not have a class that 100% fits your login scheme, but that's what inheritance is for. Write your own. You can easily get rid of the ROLE based DecisionManager and make it fit your paradigm.
Based on your comments have you checked out the MethodInterceptor in Spring? It creates a Proxy that will intercept calls to any method on the proxied class and allow you to run or disallow the method based on any code you want. In Spring Security there is an AbstractSecurityInterceptor, but I find it very hard to use and for most access decisions I think it's overkill.
So I would use Spring Security to authenticate the user (and populate the SecurityContext) and then use interceptors to wall off access to methods in your controllers that you want protected.
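The MethodInterceptor with annotated permissions that this answer describes, which also serves as the Spring AOP authentication example asked for in the first question on this page; it is added here and is not code from the answers or from Spring Security. The `@RequiresPermission` annotation and the `"order:cancel"` authority string are hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.support.DefaultPointcutAdvisor;
import org.springframework.aop.support.annotation.AnnotationMatchingPointcut;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical annotation naming the fine-grained permission a controller action needs. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresPermission {
    String value();
}

/**
 * Spring Security has already authenticated the user and filled the SecurityContext; this
 * AOP Alliance interceptor only decides whether that caller holds the permission named on
 * the method. Permissions are plain authority strings such as "order:cancel".
 */
public class PermissionInterceptor implements MethodInterceptor {
    @Override
    public Object invoke(MethodInvocation invocation) throws Throwable {
        // Controllers usually implement no interface, so Spring proxies them with CGLIB and
        // getMethod() is the annotated class method itself. Fail closed if it is not annotated.
        RequiresPermission required = invocation.getMethod().getAnnotation(RequiresPermission.class);
        if (required == null) throw new IllegalStateException("unannotated method " + invocation.getMethod());
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AuthenticationCredentialsNotFoundException("no authenticated user");  // becomes 401
        }
        if (!hasPermission(auth, required.value())) {
            throw new AccessDeniedException("missing permission " + required.value());     // becomes 403
        }
        return invocation.proceed();   // all checks passed: run the controller action
    }

    static boolean hasPermission(Authentication auth, String permission) {
        return auth.getAuthorities().stream().anyMatch(ga -> permission.equals(ga.getAuthority()));
    }

    /** Advisor bean: applies this interceptor to every bean method carrying @RequiresPermission. */
    public static DefaultPointcutAdvisor advisor() {
        return new DefaultPointcutAdvisor(
                new AnnotationMatchingPointcut(null, RequiresPermission.class), new PermissionInterceptor());
    }
}
```

With `@EnableAspectJAutoProxy` (or a DefaultAdvisorAutoProxyCreator) the Advisor bean is applied automatically, and the two exceptions are unwrapped by Spring Security's ExceptionTranslationFilter, which sends the caller to login or to the access-denied page.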
