Spring security openID attribute access - spring

My question is similar to this SO question.
But I am using Spring Security 3.1.4, in which the following call is deprecated:
(OpenIDAuthenticationToken)exception.getAuthentication()
What is the alternative mechanism to get OpenIDAuthenticationToken in SimpleUrlAuthenticationFailureHandler implementation?
Thanks for your time and help.

If your requirement is to register users who are not already in your system, you can do that in the same way that the sample application does.
If you need more interaction with the user at that point, then the only alternative to the deprecated method that springs to mind would be to use your own custom exception.
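
One way to apply the custom-exception suggestion, shown as an added example that is not part of the original answer or of the Spring sample application. The class names, the session keys and the /register URL are assumptions; the user-details service is set on the OpenIDAuthenticationProvider, which calls it only after the OpenID response has been verified.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.openid.OpenIDAuthenticationToken;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/** Hypothetical custom exception that carries the verified token to the failure handler. */
class UnregisteredOpenIdUserException extends UsernameNotFoundException {
    private final OpenIDAuthenticationToken token;
    UnregisteredOpenIdUserException(OpenIDAuthenticationToken token) {
        super("No local account for " + token.getIdentityUrl());
        this.token = token;
    }
    OpenIDAuthenticationToken getToken() { return token; }
}

/** Hypothetical service: looks the identity URL up in the existing local user store. */
class OpenIdUserDetailsService implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
    private final UserDetailsService localUsers;
    OpenIdUserDetailsService(UserDetailsService localUsers) { this.localUsers = localUsers; }

    public UserDetails loadUserDetails(OpenIDAuthenticationToken token) {
        try {
            return localUsers.loadUserByUsername(token.getIdentityUrl());
        } catch (UsernameNotFoundException e) {
            // Replace the generic failure with one that keeps the token.
            throw new UnregisteredOpenIdUserException(token);
        }
    }
}

public class OpenIdRegistrationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        if (exception instanceof UnregisteredOpenIdUserException) {
            OpenIDAuthenticationToken token = ((UnregisteredOpenIdUserException) exception).getToken();
            // The user is still unauthenticated here: store only what registration needs.
            request.getSession(true).setAttribute("PENDING_OPENID_IDENTITY", token.getIdentityUrl());
            request.getSession().setAttribute("PENDING_OPENID_ATTRIBUTES", token.getAttributes());
            getRedirectStrategy().sendRedirect(request, response, "/register");
            return;
        }
        super.onAuthenticationFailure(request, response, exception); // all other failures
    }
}
```

The registration page should treat the stored attributes as unvalidated input from the OpenID provider and bind the new account to the stored identity URL, not to anything the browser submits.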

Related

Pre-controller token validation - Spring Interceptor?

In my Spring Boot application, I have several roles that are differentiated due to a token. Each one has a different token in the configuration file (.properties or .yml), which is then read by a JWT management class.
Initially I thought to do this just for one controller, but it makes sense to apply this logic to others as well, so I would like to ask what you guys recommend for this type of case.
After a little searching I found info about Spring Interceptor - https://www.baeldung.com/spring-mvc-handlerinterceptor
Do you think this is ideal or do you have any better suggestions for this type of case?

AOP for authentication in java

I kept looking for an authentication solution in Java until I found AOP.
It seems that the advice of AOP can act as an interceptor of the required method execution, which can be used for authentication and authorization.
And I have heard of some solutions based on URL filtering, but IMO, AOP is better since it will intercept the logic rather than the request path.
Especially in an application which has multiple views like this:
we can use only one authentication module to hold the whole application through AOP, but if we use the URL filtering, we have to make another authentication module for the "Client GUI View".
This is my opinion, I am not sure if this is right, please figure it out if I miss something.
And BTW, is there a live example of AOP with authentication (Spring AOP is better)?
I don't think using AOP for authentication is a good idea.
You can use filters to check if a user is authenticated. Here you have an example of this:
How to redirect to Login page when Session is expired in Java web application?
Another approach: you can make use of Spring Security. It is quite simple and handles login for you. This guy shows some good, simple examples:
http://www.mkyong.com/spring-security/spring-security-form-login-example/

How to execute custom handler before Spring authentication manager

I wanted to know whether it is possible to have a custom handler execute just before the Spring authentication manager. I wanted to validate licenses for the user before he accesses the system. Initially I wrote a custom filter and executed it before calling the authentication manager, but in this case he won't be able to access some resources since he is not authenticated. Later I moved my code to the successHandler of Spring, which worked fine, except it has some security issues, like if it is opened in multiple tabs it fails.
Any help is highly appreciated.
Thanks,
Brijesh
I think what you are looking for is to add a Spring AuthenticationProvider. In short, an AuthenticationManager has a list of AuthenticationProviders, each of which is queried in order. The question and answer to Multiple Authentication Providers in Spring Security has a good explanation of this. The Spring documentation also explains how the various components fit together.
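
A sketch of the AuthenticationProvider approach for the license check, as an added example that is not from the original answer. LicenseService, LicenseInvalidException and LicenseCheckingAuthenticationProvider are hypothetical names, and the delegate is assumed to be the provider already in use (for example a DaoAuthenticationProvider).

```java
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Hypothetical license lookup backed by your own store. */
interface LicenseService {
    boolean hasValidLicense(String username);
}

/**
 * Extends AccountStatusException because ProviderManager rethrows that type
 * immediately instead of trying the remaining providers in its list.
 */
class LicenseInvalidException extends AccountStatusException {
    LicenseInvalidException(String msg) { super(msg); }
}

public class LicenseCheckingAuthenticationProvider implements AuthenticationProvider {
    private final AuthenticationProvider delegate; // performs the real credential check
    private final LicenseService licenses;

    public LicenseCheckingAuthenticationProvider(AuthenticationProvider delegate,
                                                 LicenseService licenses) {
        this.delegate = delegate;
        this.licenses = licenses;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Check credentials first so license status is not disclosed for a wrong password.
        Authentication result = delegate.authenticate(authentication);
        if (result == null) {
            return null; // delegate abstained; the manager moves on to the next provider
        }
        if (!licenses.hasValidLicense(result.getName())) {
            // Fail closed: authentication as a whole fails, so no authenticated
            // Authentication is stored and no success handler runs.
            throw new LicenseInvalidException("No valid license for this account");
        }
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Register the wrapper in place of the delegate rather than next to it; if the unwrapped provider also stays in the manager's list, it can authenticate the same user without the license check.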

Spring Context Event

I am currently studying Spring.
While reading a Spring book, I met a part regarding Event.
By using context.publishEvent(..), I could trigger the event.
But I don't know what it's exactly for.
I can use another method instead of using the complicated publishEvent.
Please tell me. Thank you.
Spring Events are used to implement a publish-subscribe model (or observer pattern) where two not-related parts of code must be somehow connected.
Think of the analogy of web applications where the servlet container creates HTTP sessions and your code is informed about this using javax.servlet.http.HttpSessionListener.
Spring uses this mechanism internally. It's much more visible in Spring Security, where several parts of the code are informed about e.g. successful authentication.

Session handling in Struts 2.1.6

I have a project with the following setup:
Tomcat 6.x
Struts 2.1.6
DisplayTag 1.2
Spring 2.x (1 or 5, don't remember now)
I want to know how to do session controlling in every action of my app, like if the users weren't logged in, they're redirected to a certain page to log in (in the case of my project, either the user comes to a specially crafted URL like login/SPECIALHASHTOLOGIN or won't enter at all).
Need more details?
Thx in advance.
I'm still new to S2 as well, but I believe what you will need to do is modify the default interceptor stack (or create a custom stack) and add a custom interceptor. This custom interceptor will need to implement SessionAware to access the user session, and must implement your custom logic (which action to redirect to, which URLs do not need protection, etc.).
Here is a good tutorial of a LoginInterceptor that behaves similarly to what you are requesting.
Acegi security is a great way to add security to your web app if you're already using Spring. Here's a decent 1-hour Acegi tutorial.
