2

I have an application which works with REST services and spring security. I have Basic authentication and I need to have hard and soft login.

Scenario is: when a user logs in he is assigned ROLE_SOFT and has access to the URL which requires ROLE_SOFT, but if he wants to have access to the URL which requires ROLE_HARD, he must send some code or something to a specified web service.

So I read this Acegi Security: How do i add another GrantedAuthority to Authentication to anonymous user

After it I create my:

public class AuthenticationWrapper implements Authentication
{
   private Authentication original;

   public AuthenticationWrapper(Authentication original)
   {
      this.original = original;
   }


   public String getName() { return original.getName(); }
   public Object getCredentials() { return original.getCredentials(); }
   public Object getDetails() { return original.getDetails(); }   
   public Object getPrincipal() { return original.getPrincipal(); }
   public boolean isAuthenticated() { return original.isAuthenticated(); }
   public void setAuthenticated( boolean isAuthenticated ) throws IllegalArgumentException
   {
      original.setAuthenticated( isAuthenticated );
   }

public Collection<? extends GrantedAuthority> getAuthorities() {
    System.out.println("EXISTING ROLES:");
    System.out.println("Size=:"+original.getAuthorities().size());
    for (GrantedAuthority iterable : original.getAuthorities()) {

        System.out.println(iterable.getAuthority());
    }

    GrantedAuthority newrole = new SimpleGrantedAuthority("ROLE_HARD");
    System.out.println("ADD new ROLE:"+newrole.getAuthority());
    Collection<? extends GrantedAuthority> originalRoles = original.getAuthorities();

     ArrayList<GrantedAuthority> temp = new ArrayList<GrantedAuthority>(originalRoles.size()+1);
     temp.addAll(originalRoles);
     temp.add(newrole); 
     System.out.println("RETURN NEW LIST SIZE"+temp.size());
     for (GrantedAuthority grantedAuthority : temp) {
        System.out.println("NEW ROLES:"+grantedAuthority.getAuthority());
    }

    return Collections.unmodifiableList(temp);
}

and controller

@Controller
@RequestMapping("/login")
public class LoginControllerImpl implements LoginController {


    LoginService loginService;


    @RequestMapping(method = RequestMethod.GET, headers = "Accept=application/json")
    @ResponseBody
    public User getUserSettings(){
        loginService=new LoginServiceImpl();
        Authentication auth =   SecurityContextHolder.getContext().getAuthentication();
        AuthenticationWrapper wrapper = new AuthenticationWrapper(auth);
        SecurityContextHolder.getContext().setAuthentication( wrapper );

        return loginService.getUser();
    }


}

But after I change Authentication my session goes down.. Maybe some one knows a better solution...

fap
  • 663
  • 1
  • 5
  • 14
x3mik
  • 61
  • 1
  • 2
  • 5

1 Answers1

0

Just an idea.. If the user logs in the first time using a login form and needs to access a resource witch requires an additional authority then why not redirecting the user back to the login page for a second time ?

    <http auto-config="true" use-expressions="true">
                <intercept-url pattern="/resources/**" access="denyAll"/>
                <intercept-url pattern="/login.do" access="permitAll"/>
                <intercept-url pattern="/role_soft_url_domain/* " access="hasRole('ROLE_SOFT') and fullyAuthenticated"/>
                <intercept-url pattern="/role_hard_url_domain/*" access="hasRole('ROLE_HARD') and fullyAuthenticated"/>             
                <intercept-url pattern="/*" access="hasRole('ROLE_SOFT')"/>
                <form-login login-page="/login.do" />               
                <logout invalidate-session="true"
                    logout-success-url="/"
                    logout-url="/j_spring_security_logout"/>
                </http>
George Papatheodorou
  • 1,539
  • 19
  • 23