File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Spring and the fly likes Spring Security: Authorization with out Authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Spring
Bookmark "Spring Security: Authorization with out Authentication" Watch "Spring Security: Authorization with out Authentication" New topic
Author

Spring Security: Authorization with out Authentication

Sukumar Gaade
Greenhorn

Joined: Apr 23, 2009
Posts: 21
Hi,

We have a web app say 'app1' where the authentication process is external to our system (based on single sign-on with WAS 6.1) and this cannot be modified. Once the user succeeds the authentication, he gets access to 'app1' and the user credentials are loaded in the session/object, including roles.

What we are trying to achieve is to make use of this information for the authorization process of Spring Security. How to acheive this?

Thanks,
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17260
    
    6

Sukumar Gaade wrote:Hi,

We have a web app say 'app1' where the authentication process is external to our system (based on single sign-on with WAS 6.1) and this cannot be modified. Once the user succeeds the authentication, he gets access to 'app1' and the user credentials are loaded in the session/object, including roles.

What we are trying to achieve is to make use of this information for the authorization process of Spring Security. How to acheive this?

Thanks,


There are UserDetailsService implementations to use Single Sign On. If one of the provided ones doesn't work for your environment, you can always implement your own UserDetailsService.

Mark


Perfect World Programming, LLC - Two Laptop Bag - Tube Organizer
How to Ask Questions the Smart Way FAQ
Sukumar Gaade
Greenhorn

Joined: Apr 23, 2009
Posts: 21
Mark,

Here is what i have in my configuration:

applicationContext.xml
-----------------------


Here is my UserDetailsServiceImpl class:
--------------------------------------


index.jsp
---------


When i access a index.jsp page a login form is presented but i do not want this instead i should be able to get the jsp page directly and depending on user roles i have set in UserDetailsServiceImpl it should display the content accordingly.

I am not sure if i going in the right direction. Could you please guide me in the right direction.

Thanks,
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17260
    
    6

So your UserDetailsService creates a UserDetails object. In your scenario your implementation of UserDetailsService should be going to the SingleSignOn information. If the sign on is done in a different app, then there should be some "rememberMe" service or Cookie that has the necessary information to get the SingleSignOn information via your UserDetailsService.

At this point, you haven't hooked into the SingleSignOn stuff, just redoing authentication in your app, which will always cause a login page to display.

Unfortunately, Spring Security does require understanding what each small object/part is responsible for, which is a bit of a learning curve. But with this design it really does make it simple to pull out a small part and customize it.

I recommend reading the Spring Security documentation a few times. Unfortunately, for all of us it takes a few reads.

Good Luck

Mark
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Spring Security: Authorization with out Authentication