I'm creating a Spring MVC (Spring 4) application with Spring Security 3.2. I have a login page which works fine, with a custom UserDetailsService. I want to add a new functionality to the website: adding some demands. When someone adds a demand, he will receive an email with a button through which he can manage this demand, including the creation of a session for the website. I want to create an account for him and give him authentication from this button's URL, which will be handled by a controller. How should I do that? Create an account with some hardcoded password? And how about the authentication provider? A user with a demand couldn't log in through the normal login page. In the database, that type of account will have a different status than the normal accounts. Hope you understand what I need...
-
Why don't you create a normal user, give a new role to the user, and then in the config specify that the URL can be accessed only by the user with that role? – Jos Sep 18 '15 at 16:25
-
Through this button I want to create a session for him, so he can access any page on the website. There will be a lot of people who will add demands without having an account, so they could log in through confirmation emails. – andrei_l Sep 18 '15 at 16:52
-
Would something like this work for you? http://stackoverflow.com/a/15119876/3981536 . You can create a user just for similar situations in your DB, and then programmatically log in using its credentials. – Jos Sep 18 '15 at 17:19
-
It helps me, but not entirely. I don't know how to make it so that this account cannot be used in the normal login. And what password should it have? Because the user doesn't insert anything. – andrei_l Sep 18 '15 at 17:35
-
You can keep a long random value as the password (to prevent anyone from logging in using that!). Plus, you only need to store the specific username in your code. Then you can query the password from your code. And with those credentials you programmatically do a login, so that the user doesn't have to insert anything. – Jos Sep 18 '15 at 17:37
-
Is there a way in Spring to log in a user without a password, when it has one? – andrei_l Sep 18 '15 at 17:40
-
OK, can I vote for you somehow? – andrei_l Sep 18 '15 at 17:45
-
Summed up an answer. :) – Jos Sep 18 '15 at 17:51
1 Answer
You can try creating a common user for all such use cases (called guest or similar). If you have validated a user using the trusted URL which they have provided, you can query the database using the hard-coded username (guest) and get the authentication details like password, roles, etc. Then you can programmatically authenticate the user. In this way, the user only has to provide you a URL, and your code can fetch the real authentication details from the DB.
For the authentication part, you may refer to the link below: stackoverflow.com/a/15119876/3981536
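
One way to do the programmatic authentication described in the answer, as an added example that is not code from the original posts. `DemandLinkService`, the `/demand/manage` URL and the redirect targets are hypothetical names; the `guest` username follows the answer.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical helper: looks up the random token from the e-mailed link,
// rejects unknown, expired or already-used tokens, and marks a valid one used.
interface DemandLinkService {
    boolean consume(String token);
}

@Controller
public class DemandLinkController {

    // Hard-coded username of the shared account, as in the answer.
    private static final String GUEST_USERNAME = "guest";

    @Autowired
    private DemandLinkService demandLinks;

    @Autowired
    private UserDetailsService userDetailsService;

    // Hypothetical URL and view names.
    @RequestMapping("/demand/manage")
    public String manage(@RequestParam("token") String token) {
        if (!demandLinks.consume(token)) {
            return "redirect:/login?invalidLink";
        }
        // Load the guest account's roles from the database.
        UserDetails guest = userDetailsService.loadUserByUsername(GUEST_USERNAME);

        // The three-argument constructor yields an already-authenticated token,
        // so the stored password is never read or compared here.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                guest, null, guest.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);

        // The request must pass through the Spring Security filter chain so
        // the context is saved to the HTTP session when the request completes.
        return "redirect:/demand";
    }
}
```

Because the session is established without the password, the guest account's stored password can stay a long random value, as suggested in the comments, which keeps the account unusable from the normal login form.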