
I have this piece of code:

// Load the account and build a token that is already marked as authenticated
UserDetails userDetails = userDetailsServiceImpl.loadUserByUsername(email);
Authentication authentication = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(), userDetails.getAuthorities());
// Put it into the thread-local security context
SecurityContext securityContext = SecurityContextHolder.getContext();
securityContext.setAuthentication(authentication);
// Persist the context in the HTTP session under Spring Security's well-known key
HttpSession session = request.getSession(true);
session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);

This is to manually authenticate a user in Spring Security. My question is where should I place this code? Putting this in the service layer forces me to bring the HttpSession object into the service layer, which AFAIK is bad. I am not sure how good it is to place the authentication logic in the presentation layer either. Anyone with any insights?

Thanks in advance.

shazinltc
  • erm, servlet filter is standard, have you purposely constrained it to only those two options for some reason? – Affe Mar 18 '13 at 18:28
  • so do I have to write a custom filter? As of now it's a plain GET request. I have to accommodate the logic inside that call. – shazinltc Mar 18 '13 at 18:34
  • If you just use basic authentication you can simply configure spring to handle that for you. – benzonico Mar 18 '13 at 18:35
  • @benzonico I have a situation where I have to manually authenticate users. – shazinltc Mar 18 '13 at 18:36
  • There are extension points in Spring Security, you don't have to create an entire filter from scratch. It's different in 2.X or 3.X though. – Affe Mar 18 '13 at 18:52

1 Answer


Refer to Luke Taylor's answer to the question Best practice for getting active user's UserDetails? for the design rationale for creating a custom interface to do this type of thing while keeping your code decoupled from Spring Security. For example, you can write an interface called MyAuthenticator, write the implementation and inject it in your application.

Also if your Spring Security filters are standard then you don't need to access the HttpSession object. Framework filters will take care of it. You just have to write the following in your implementation:

// Load the account and build a token that is already marked as authenticated
UserDetails userDetails = userDetailsServiceImpl.loadUserByUsername(email);
Authentication authentication = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(), userDetails.getAuthorities());
// The persistence filter saves the context to the session at the end of the request
SecurityContextHolder.getContext().setAuthentication(authentication);

I would not recommend using "SPRING_SECURITY_CONTEXT" (HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY) as it may change in future versions of the framework.

Ritesh
  • Can you clarify what you mean by "spring security filters are standard"? – swbandit Mar 15 '16 at 13:20
  • Meaning that there is no application specific filter customization that would affect that... especially the `SecurityContextPersistenceFilter` that is responsible for populating `SecurityContextHolder`. – Ritesh Mar 15 '16 at 14:43
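The decoupled design the answer describes, written out as an added example (not code from the question or the answer). It assumes the MyAuthenticator interface named in the answer, a hypothetical implementation class SpringSecurityAuthenticator, a UserDetailsService bean, and a standard filter chain in which SecurityContextPersistenceFilter saves the context to the session when the request completes; it adds the account-status checks that an AuthenticationManager would normally perform and that this manual path otherwise skips.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Service;

/** Application-level abstraction: callers see neither Spring Security nor servlet types. */
public interface MyAuthenticator {
    /** Marks the account identified by email as logged in for the current request. */
    void authenticate(String email);
}

/** Spring Security-backed implementation (hypothetical class name, injected as a bean). */
@Service
class SpringSecurityAuthenticator implements MyAuthenticator {
    private final UserDetailsService userDetailsService;

    @Autowired
    SpringSecurityAuthenticator(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public void authenticate(String email) {
        // Throws UsernameNotFoundException for unknown accounts; let it propagate.
        UserDetails user = userDetailsService.loadUserByUsername(email);
        // Manual authentication bypasses the provider's status checks, so repeat them here.
        if (!user.isEnabled()) throw new DisabledException("Account disabled: " + email);
        if (!user.isAccountNonLocked()) throw new LockedException("Account locked: " + email);
        // The three-argument constructor yields a token already marked as authenticated.
        // Credentials are left null so the stored password hash is not kept in the context.
        Authentication auth =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        // A fresh context avoids inheriting state from a pooled thread's previous request.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
        // No HttpSession access here: SecurityContextPersistenceFilter persists the
        // context to the session when the request completes.
    }
}
```

A controller or service then only calls `authenticator.authenticate(email)`, so the servlet session never leaks into the service layer and the Spring Security dependency is confined to the one implementation class.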