Transferring Principal from EJBContext to Spring SecurityContext

I'm using Spring Security to protect some EJB methods deployed on JBoss 5.1.0.
I'm looking for a nice way to transfer the java.security.Principal retrieved from the EJBContext, by calling getPrincipal(), to the Spring SecurityContext.
I wouldn't like to give up the Spring Security schema; I just need to set the Principal before the execution of the MethodSecurityInterceptor.
Any idea?
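One way to do what the question asks, as an added example that is not part of the original thread: an EJB 3 interceptor that copies the container-authenticated caller (EJBContext actually exposes it as getCallerPrincipal()) into a fresh Spring SecurityContext for the duration of one business-method call and restores the previous context afterwards. The interceptor class name, the role names it checks, and the assumption that it is bound before Spring's MethodSecurityInterceptor and that spring-security-web is on the classpath are all mine, not the thread's.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Hypothetical interceptor: bind it with
 * @Interceptors(ContainerPrincipalInterceptor.class) on the bean (or in
 * ejb-jar.xml) so it runs before Spring's MethodSecurityInterceptor.
 */
public class ContainerPrincipalInterceptor {

    // Role names are an assumption; replace with the roles your deployment declares.
    private static final String[] KNOWN_ROLES = { "admin", "user" };

    @Resource
    private EJBContext ejbContext;

    @AroundInvoke
    public Object propagatePrincipal(InvocationContext ic) throws Exception {
        Principal caller = ejbContext.getCallerPrincipal();
        SecurityContext previous = SecurityContextHolder.getContext();
        try {
            if (caller != null) {
                // The container already verified the credentials, so this is a
                // pre-authenticated identity: carry the Principal and the roles
                // the container vouches for, nothing else.
                Authentication auth = new PreAuthenticatedAuthenticationToken(
                        caller, "N/A", authoritiesFor(caller));
                SecurityContext fresh = SecurityContextHolder.createEmptyContext();
                fresh.setAuthentication(auth);
                SecurityContextHolder.setContext(fresh);
            }
            return ic.proceed();
        } finally {
            // Always restore, even when the method throws: EJB threads are pooled,
            // and a leaked context would hand one caller's identity to the next call.
            SecurityContextHolder.setContext(previous);
        }
    }

    /** Map container roles to Spring authorities using the container's own answer. */
    private Collection<GrantedAuthority> authoritiesFor(Principal caller) {
        List<String> roles = new ArrayList<String>();
        for (String role : KNOWN_ROLES) {
            if (ejbContext.isCallerInRole(role)) {
                roles.add("ROLE_" + role.toUpperCase());
            }
        }
        return AuthorityUtils.createAuthorityList(roles.toArray(new String[roles.size()]));
    }
}
```

The three-argument PreAuthenticatedAuthenticationToken constructor marks the token as authenticated, which is what MethodSecurityInterceptor expects when it only authorizes; if your Spring configuration is set to re-authenticate on every call (alwaysReauthenticate), you would also need a PreAuthenticatedAuthenticationProvider registered, which this example does not show.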

Related

Spring JDBC Authentication vs LoadUserByName Differences

I'm new to Spring Security and I have done some research on authentication. I saw two options that some people posted: first, JDBC authentication or in-memory authentication, and there is also loadUserByName (UserDetailsService).
What is the difference between them, and also what is the use case of loadUserByName (UserDetailsService)?
This is the official reference https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-authentication
For in-memory authentication, you have a set of username-password pairs hard-coded in your XML/Java config class.
In JDBC authentication, you can have direct database access to fetch users and authorities, provided you have configured a DataSource.
You can define custom authentication by exposing a custom UserDetailsService as a bean. You can implement whatever logic you need to return an instance of UserDetails from loadUserByUsername(). This method is called implicitly to authenticate a user, when creating an authentication.
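To make the third option concrete, here is an added example (mine, not from the answer above) of a custom UserDetailsService. It is backed by a constructed in-memory map standing in for a real repository; the Account type, the sample users and the bean wiring in the comments are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class AccountUserDetailsService implements UserDetailsService {

    /** Constructed stand-in for a persisted account record. */
    static final class Account {
        final String username;
        final String passwordHash;   // always a hash, never the clear-text password
        final boolean enabled;
        final boolean locked;
        final String[] roles;

        Account(String username, String passwordHash, boolean enabled,
                boolean locked, String... roles) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.locked = locked;
            this.roles = roles;
        }
    }

    private final Map<String, Account> repository = new HashMap<String, Account>();

    /** Sample data, constructed for the example; a real service would query a store. */
    public AccountUserDetailsService(PasswordEncoder encoder) {
        repository.put("alice", new Account("alice", encoder.encode("correct horse"),
                true, false, "ROLE_USER", "ROLE_ADMIN"));
        repository.put("bob", new Account("bob", encoder.encode("battery staple"),
                true, true, "ROLE_USER"));            // locked account
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = repository.get(username);
        if (account == null) {
            // DaoAuthenticationProvider maps this to BadCredentialsException by
            // default, so callers cannot tell "unknown user" from "wrong password".
            throw new UsernameNotFoundException("no account for " + username);
        }
        // Do not compare passwords here: DaoAuthenticationProvider does that with
        // the configured PasswordEncoder against the hash returned in UserDetails.
        return new User(account.username, account.passwordHash,
                account.enabled,
                true,                 // accountNonExpired
                true,                 // credentialsNonExpired
                !account.locked,      // accountNonLocked
                AuthorityUtils.createAuthorityList(account.roles));
    }

    // Wiring (assumed, Java config):
    //   PasswordEncoder encoder = new BCryptPasswordEncoder();
    //   auth.userDetailsService(new AccountUserDetailsService(encoder))
    //       .passwordEncoder(encoder);
    // The same encoder instance must hash stored passwords and verify logins.
}
```

The flags passed to User matter: a disabled or locked account is rejected by the provider before the password is checked, so keeping them accurate in loadUserByUsername() is what makes lockout actually enforce anything.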

Difference of Spring session management and spring security session?

I am new to Spring. I have a doubt about Spring session management and Spring Security session: are both concepts the same or different? If different, what are the differences? Any suggestion?
Could you be a little bit more specific in your question?
In Spring:
session can refer to one of the scopes that a bean belongs to. For example, if you define an instance (bean) of a class org.something.Counter with scope session, whenever you access that bean during a web session you will have the same instance of the object. A web session does not require Spring Security in order to exist. You can start from here to understand a little bit more about the session scope in Spring.
session may refer to HttpSession as specified by the Servlet API. This is not really related to Spring; even if you can use the standard HttpSession from within Spring, it is more generally related to the Servlet API.
In Spring Security:
If you are talking of Spring Security, instead of session I would talk of SecurityContext. The SecurityContext is actually stored as an HttpSession and restored to the SecurityContextHolder at every request. This is where all security-related information is stored for the current session. See here for more details. In general a SecurityContext (at least at a very basic level) exists from the moment you log in to the moment you log out. Because it is stored as an HttpSession it expires when the HttpSession expires (again, see the Servlet API specifications for more details).
Luca

Authentication object not found thrown by DispatcherServlet before @PreAuthorize Spring Security annotation is applied

When I am trying to use @PreAuthorize("@accessControl.hasActivity('abc')") on a Spring controller method I am getting "Authentication object was not found in security context".
After debugging I found that DispatcherServlet is throwing this exception.
I have set SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL);
when I first create the Authentication object and set it in the security context.
I also tried SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL); but no luck, it still does not work.
I am not able to understand why the Spring servlet is throwing this exception.
First, doing authentication in a Spring MVC interceptor is odd. Consider using a filter before DispatcherServlet. There are a lot of documented examples.
Secondly, SecurityContextHolder.setStrategyName re-initializes the strategy and possibly makes all previous authentications inaccessible, so you must only call it once (if at all), before any authentication is made.
Thirdly, if you want to set the current authentication to be used by @PreAuthorize and are sure of what you are doing, use SecurityContextHolder.getContext().setAuthentication(anAuthentication);. In most cases, there is a suitable filter in the API that already does this for you.

Get Spring Principal User From HTTPSession From a Servlet

I have a web application that is using Spring 3.* and I have a Flash component inside my web application that needs to POST to a Servlet. Inside the Servlet's doPost method I want to check the Spring application context to ensure there is an authenticated session, is this possible?
Well, it is very simple, just use
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
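An added example, not from the answer above, showing that one-liner inside a servlet's doPost together with the check a practitioner wants around it: a null Authentication means the request never passed through the Spring Security filter chain (the chain must be mapped to this servlet's URL for the context to be populated), and a non-null one may still be the anonymous token that Spring inserts for unauthenticated users. The servlet name is an assumption.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical servlet receiving the POST from the Flash component. */
public class FlashUploadServlet extends HttpServlet {

    // Knows how to recognise Spring's AnonymousAuthenticationToken (and remember-me).
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!isRealUser(auth)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated: handle the upload on behalf of auth.getName().
        resp.setStatus(HttpServletResponse.SC_OK);
    }

    /**
     * True only for a context populated by the filter chain with a
     * non-anonymous, authenticated principal.
     */
    boolean isRealUser(Authentication auth) {
        return auth != null
                && auth.isAuthenticated()
                && !trustResolver.isAnonymous(auth);
    }
}
```

Without the isAnonymous check, a deployment that enables the anonymous filter (the default in the namespace configuration) would treat every visitor as logged in, because getAuthentication() returns a non-null, authenticated token for them.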

How to make a non web thread run with the Spring Security Anonymous Use?

I am using Spring Security 3.1 and I have some code which I execute on web application startup from the init method of a Servlet. The problem is that there is no valid Authentication object at the time my servlet init method executes. My servlet is configured to run after Spring has been initialized and Spring Security is fully configured.
How do I make the code in my init method run as the anonymous user in Spring Security?
How about:
SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(key, login, authorities))
where any non-empty string should do as a key, login like "anonymous", and authorities whichever you want him to have, at least one.
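The suggestion above, carried through as an added example that is not part of the original answer: a servlet whose init method runs its startup work under an anonymous token and clears the context afterwards, so the container thread that called init() does not keep the token once init returns. The servlet name, the key string, the principal name and the warmUpCaches() work are assumptions.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical startup servlet (load-on-startup, after Spring Security is up). */
public class StartupServlet extends HttpServlet {

    @Override
    public void init() throws ServletException {
        runAsAnonymous(new Runnable() {
            public void run() {
                warmUpCaches();   // the actual startup work; assumed
            }
        });
    }

    /**
     * Runs work with SecurityContextHolder populated by an anonymous token.
     * The key only matters if an AnonymousAuthenticationProvider configured with
     * the same key is later asked to re-validate this token; "startup-key" is an
     * assumed value, as is the principal name.
     */
    static void runAsAnonymous(Runnable work) {
        Authentication anonymous = new AnonymousAuthenticationToken(
                "startup-key",
                "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(anonymous);
        SecurityContextHolder.setContext(ctx);
        try {
            work.run();
        } finally {
            // With the default MODE_THREADLOCAL strategy the context lives on this
            // thread; clearing it keeps the token from outliving init().
            SecurityContextHolder.clearContext();
        }
    }

    private void warmUpCaches() {
        // Calls into secured beans go here; method security sees ROLE_ANONYMOUS.
    }
}
```

Because the token only carries ROLE_ANONYMOUS, any secured method the startup code calls is authorized exactly as it would be for an unauthenticated web visitor, which is the point of running as the anonymous user rather than as a synthetic administrator.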
