Catching Remember-Me Authentication Events in Spring Securit

I’m developing an application in which I need to catch and respond to Authentication events to take appropriate action. Currently, I’m catching just fine the AuthenticationSuccessEvent Spring throws when a user logs in manually. I’m now trying to implement Remember-Me functionality. Logging helped me to figure out the the event I want to catch is the …

via Java Application Development Tutorial » Search Results » ajax:

Catching Remember-Me Authentication Events in Spring Securit

I’m developing an application in which I need to catch and respond to Authentication events to take appropriate action. Currently, I’m catching just fine the AuthenticationSuccessEvent Spring throws when a user logs in manually. I’m now trying to implement Remember-Me functionality. Logging helped me to figure out the the event I want to catch is the InteractiveAuthenticationSuccessEvent. Can someone take a gander at the code below and help me to respond to this new event?
@Override
public void onApplicationEvent(ApplicationEvent event)
log.info(event.toString()); // debug only: keep track of all events
if (event instanceof AuthenticationSuccessEvent)
AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent)event;
lock.writeLock().lock();
try
sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
finally
lock.writeLock().unlock();

} else if (event instanceof HttpSessionDestroyedEvent)
HttpSessionDestroyedEvent destroyEvent = (HttpSessionDestroyedEvent)event;
lock.writeLock().lock();
try
sessionAuthMap.remove(destroyEvent.getId());
finally
lock.writeLock().unlock();

}
}Additional Information:
I didn’t mention in the original posting that the requirement of storing the Session Id and Authentication object in a Map is due to the fact that I’m using the Google Earth plugin. GE acts as a separate, unrelated user agent, and thus the user’s session information never gets passed to the server by GE. For this reason, I rewrite the request URL from GE to contain the user’s active Session Id (from the aforementioned Map) as a parameter so we can verify that said Session Id is indeed valid for a logged in user. All of this is in place because we have KML which GE needs, but we can’t allow a user to pick up a direct, unprotected URL via Firebug or what have you.
Spring Config: (sorry, SO kinda fudged the formatting)

































……………………………………….

According to the spring docs, “In Spring Security 3, the user is first authenticated by the AuthenticationManager and once they are successfully authenticated, a session is created.”
Instead, you could implement your own AuthenticationSuccessHandler (probably by subclassing SavedRequestAwareAuthenticationSuccessHandler). You can put whatever logic you want in the onAuthenticationSuccess method, so move your existing logic there:
public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler
// declare and initialize lock and sessionAuthMap at some point…
@Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws ServletException, IOException
lock.writeLock().lock();
try
sessionAuthMap.put(request.getSession().getId(), authentication);
finally
lock.writeLock().unlock();

super.onAuthenticationSuccess(request, response, authentication);
}
}Then, update your configs so that Spring Security invokes this class during the authentication process. Here’s how:
Step 1: customize the UsernamePasswordAuthenticationFilter which is created by the
element. In particular, put this into your element:
Step 2: define myFilter, and hook MyAuthenticationSuccessHandler into it.
class=”org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter”>

class=”my.MyAuthenticationSuccessHandler”>


class=”org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler”>

For more details, see http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html. Also see the AbstractAuthenticationProcessingFilter docs.
BTW your problem reminds me of OAuth. Essentially you’re issuing an access token to the client as a result of the resource owner authorization.
……………………………………….

Please read the update at bottom of this post
Have you tried just adding another “else if” based on “event instance of InteractiveAuthenticationSuccessEvent”?
@Override
public void onApplicationEvent(ApplicationEvent event)
log.info(event.toString()); // debug only: keep track of all events
if (event instanceof AuthenticationSuccessEvent)
AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent)event;
lock.writeLock().lock();
try
sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
finally
lock.writeLock().unlock();

} else if (event instanceof InteractiveAuthenticationSuccessEvent)
InteractiveAuthenticationSuccessEvent authEvent = (InteractiveAuthenticationSuccessEvent)event;
lock.writeLock().lock();
try
sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
finally
lock.writeLock().unlock();

} else if (event instanceof HttpSessionDestroyedEvent)
HttpSessionDestroyedEvent destroyEvent = (HttpSessionDestroyedEvent)event;
lock.writeLock().lock();
try
sessionAuthMap.remove(destroyEvent.getId());
finally
lock.writeLock().unlock();

}
}UPDATE: Your question is basically, “How can I get one http client (i.e. the Google Earth plugin) to appear authenticated to my site as someone who logged in using another http client (the user’s browser)?” Even if you could get that to work, it doesn’t seem like a good idea, security-wise. Another interesting question would be, “How can I load KML into the Google Earth plugin other than by having the plugin request the KML file over http?” According to their docs, there is a method, parsekml(), which takes a String containing KML data. So in theory you could load the protected KML data using a JavaScript/AJAX call from the user’s browser, which would be compatible with your site’s normal security setup, then pass the returned KML to parsekml().

For more info: Catching Remember-Me Authentication Events in Spring Securit

Java Application Development Tutorial » Search Results » ajax

Catching Remember-Me Authentication Events in Spring Securit

Share this post:

Related Posts

Leave a Comment