Spring Security: Authorization with out Authentication

Hi,

We have a web app say 'app1' where the authentication process is external to our system (based on single sign-on with WAS 6.1) and this cannot be modified. Once the user succeeds the authentication, he gets access to 'app1' and the user credentials are loaded in the session/object, including roles.

What we are trying to achieve is to make use of this information for the authorization process of Spring Security. How to acheive this?

Thanks,

Sukumar Gaade wrote:Hi,

We have a web app say 'app1' where the authentication process is external to our system (based on single sign-on with WAS 6.1) and this cannot be modified. Once the user succeeds the authentication, he gets access to 'app1' and the user credentials are loaded in the session/object, including roles.

What we are trying to achieve is to make use of this information for the authorization process of Spring Security. How to acheive this?

Thanks,

There are UserDetailsService implementations to use Single Sign On. If one of the provided ones doesn't work for your environment, you can always implement your own UserDetailsService.

Mark

Mark,

Here is what i have in my configuration:

applicationContext.xml
-----------------------
<sec:http auto-config='false'> <sec:intercept-url pattern="/login.jsp" filters="none" /> <sec:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" /> <sec:form-login login-page="/login.jsp" authentication-failure-url="/login?error=true" default-target-url="/login.jsp" login-processing-url="/j_spring_security_check" /> </sec:http> <bean id="entryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" /> <bean id="preauthAuthProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider"> <property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceWrapper" /> <sec:custom-authentication-provider /> </bean> <sec:authentication-manager alias="authenticationManager" /> <bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper"> <property name="userDetailsService" ref="userDetailsServiceImpl"></property> </bean> <sec:authentication-provider user-service-ref="userDetailsServiceImpl" /> <bean id="userDetailsServiceImpl" class="com.uss.security.UserDetailsServiceImpl" />

Here is my UserDetailsServiceImpl class:
--------------------------------------
public UserDetails loadUserByUsername(String arg0) throws UsernameNotFoundException, DataAccessException { GrantedAuthority authority = new MyGrantedAuthority("ROLE_USER"); MyUser myUser = new MyUser("csr", "1234", true, true, true, true, new GrantedAuthority[]{authority}, "displayName", 1); return myUser; }

index.jsp
---------
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <html> <body> <h1>Hello Spring Security</h1> <p> Your principal object is....: <%= request.getUserPrincipal() %> </p> <p> <sec:authorize ifAllGranted="ROLE_ADMIN"> If your Role is ROLE_ADMIN you can see this </sec:authorize> </p> <p> <sec:authorize ifAllGranted="ROLE_USER"> If your Role is ROLE_USER you can see this </sec:authorize> </p> <p> <sec:authorize ifAnyGranted="ROLE_USER, ROLE_ADMIN"> If your Role is ROLE_ADMIN or ROLE_USER you can see this </sec:authorize> </p> </body> </html>

When i access a index.jsp page a login form is presented but i do not want this instead i should be able to get the jsp page directly and depending on user roles i have set in UserDetailsServiceImpl it should display the content accordingly.

I am not sure if i going in the right direction. Could you please guide me in the right direction.

Thanks,

So your UserDetailsService creates a UserDetails object. In your scenario your implementation of UserDetailsService should be going to the SingleSignOn information. If the sign on is done in a different app, then there should be some "rememberMe" service or Cookie that has the necessary information to get the SingleSignOn information via your UserDetailsService.

At this point, you haven't hooked into the SingleSignOn stuff, just redoing authentication in your app, which will always cause a login page to display.

Unfortunately, Spring Security does require understanding what each small object/part is responsible for, which is a bit of a learning curve. But with this design it really does make it simple to pull out a small part and customize it.

I recommend reading the Spring Security documentation a few times. Unfortunately, for all of us it takes a few reads.

Good Luck

Mark