1

I am working on an application that uses Spring MVC and Spring REST, it is separated into 2 servers, the backend is a Spring REST interface and the frontend is a normal SPRING MVC application. I however have some security requirements especially for the MVC server frontend eg

  1. Only one active session per user
  2. Session timeouts after a specified time
  3. Ability to create new roles from a form on the application and have these roles apply to the URL accessed dynamically at run time not hard coded into the configuration.

My question are

  1. Is there a way to implement a custom login module that will authenticate users but still use Spring Security to manage access control after login and for logout.
  2. All the examples that i have seen uses predefined roles configured in the Spring configuration file, however our requirement is such that we dont know the roles that will be in the system and what URL they will be allowed to access at deployment time, all this is configured via the UI by an admin, so the question is is there any example that i can use to see how this can be handled in Spring Security.
  3. Finally the single session requirement mentioned above.

Any pointers would be very appreciated.

Werner Henze
  • 16,404
  • 12
  • 44
  • 69
Nnamdi Jibunoh
  • 13
  • 2
  • [this](http://stackoverflow.com/questions/6893061/how-to-dynamically-decide-intercept-url-access-attribute-value-in-spring-secur) question will be helpful – Maksym Demidas Jun 14 '13 at 13:10

2 Answers2

1

1) Is there a way to implement a custom login module that will authenticate users but still use Spring Security to manage access control after login and for logout.

Yes. You can provide your own authentication mechanism, by implementing org.springframework.security.authentication.AuthenticationProvider and making it a bean (annotating it or in XML) :

@Service("myAuthenticationProvider") public class TangoAuthenticationProvider implements AuthenticationProvider{

@Override
public boolean supports(Class<?> authentication) {
    //your code
}

@Override
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    //your code
}

Then , and instruct Spring security to use it (in your security context):

<authentication-manager>
    <authentication-provider ref="tangoAuthenticationProvider" />
</authentication-manager>

See this question, and of course spring security doc.

2) Dynamically created roles : I can't answer thios part, no experience with this.

3) Single session requirement

Maybe there is sucha a mechanism built in Spring Security (you' d have to research this), but I think you can implement it using simple session listeners and the afore-mentionned custom authentication mechanism :

  1. Add a session id field to you user entity (or somewhere else, but somehow associate your user id with a session id)

  2. Create a service that allows to store a reference to a session associated with its id, and provide access to the session by its id. You could use a static hashmap, or a singleton, or better, a Spring service bean with roughly the following interface (let's call it the session repository):

    public void putSession(String id, HttpSession session); public HttpSession getSessionById(String id);

  3. In your authentication provider, after a successful login, set the user's session id field to the current session id

  4. In the authentication logic, if the sessionId field of the user is not null either forbid the authentication (then you wouldn't need the reference to the session mechanism thing), or, more likely to be the real requirement, proceed to invalidate the user's other ongoing session, by getting it from the session repository using the user's sessionId field's value
  5. In a session listener : On session created : store session in the session repository On session deleted : if there is a logged in user, clear its sessionId field; clear the reference to the session in order to avoid memory leak.

This is sensitive code in relation to security (cross-session stuff) so it should be written and tested very carefully though !

I hope it helps.

Community
  • 1
  • 1
Pierre Henry
  • 16,658
  • 22
  • 85
  • 105
0

you can use a form to login.

in order to create dynamic role, you could implement the UserDetailsService interface with one method, 

public UserDetails loadUserByUsername(String userId) 
            throws UsernameNotFoundException, DataAccessException
    {
... 
/*
fetch your role information every time the user re-login
you can store the new role in the database and fetch it from here
*/

}

after that, you can configure your spring-security file on authentication/authorization with database role

For the single seesion per user requirement, try to keep all the user - sessionid pair in a database or in an application level hashmap. there is a spring ContextLoaderListener,( HttpSessionListener under the hook) you can therefore add/remove user-sessionid pair from the application from the listener.

hzhsun
  • 114
  • 1
  • 5