Spring Security access to a request, without pre-authentication, from remote access
    <p>I am writing here because I cannot find a clear answer to my problem:</p>
    <p>My project is using Spring MVC and Spring Security. I installed both correctly for a web application (of course using Java). I can access it with the POST and GET methods, but only after the user has been connected via the usual form of Spring Security.</p>
    <p>For now, the user makes a request on an address like this:</p>
    <p><code>../../get.request?request=getListCommand</code></p>
    <p>where get.request is a mapping from Spring MVC. This access is enabled only after the user has been authenticated!</p>
    <p><strong>What I need to do:</strong> <strong><em>Add</em></strong> the possibility to access this request directly, without having been authenticated previously, using an address like this one for example:</p>
    <p><code>http://123.123.123.123:123/get.request?request=getListCommand&amp;j_password=myPassword&amp;j_username=myName</code></p>
    <p>or</p>
    <p><code>same thing with the post protocol and the params given (request=getListCommand, j_password=myPassword, j_username=myName)</code></p>
    <p>Of course the authentication will have to be done before the request is performed and the result sent back.</p>
    <p>I searched on many websites and directly on the Spring Security website. They talk about filter chaining, own user name authentication, RMI; but I didn't really find a full example doing what I presented above.</p>
    <p>Thanks to anyone who can help me with this.</p>
    <p>PS: I use all default or the most simple configuration for Spring Security (no fengshui style :-))</p>
    <p>Here is my security context XML file</p>
    <pre><code>&lt;http realm="NexCap Up" auto-config="true"
      access-denied-page="/www/jsp/authentication/accessDenied.jsp"
      create-session="always" disable-url-rewriting="true"&gt;
    &lt;port-mappings&gt;
        &lt;port-mapping http="8084" https="8443"/&gt;
    &lt;/port-mappings&gt;

    &lt;intercept-url pattern="/www/jsp/authentication/connexion.jsp" access='IS_AUTHENTICATED_ANONYMOUSLY' requires-channel="https"/&gt;
    &lt;intercept-url pattern="/www/jsp/authentication/connexionFailed.jsp" access='IS_AUTHENTICATED_ANONYMOUSLY' /&gt;
    &lt;intercept-url pattern="/www/jsp/authentication/applicationExit.jsp" access='IS_AUTHENTICATED_ANONYMOUSLY' /&gt;
    &lt;intercept-url pattern="/get.Request" method="GET" access="ROLE_REMOTE" /&gt;
    &lt;intercept-url pattern="/post.Request" method="POST" access="ROLE_REMOTE" /&gt;
    &lt;intercept-url pattern="/**" access="ROLE_REMOTE,ROLE_SCRIPT" /&gt;

    &lt;form-login authentication-failure-url="/www/jsp/authentication/connexionFailed.jsp"
                login-page="/www/jsp/authentication/connexion.jsp"
                default-target-url="/www/jsp/index.jsp"
                always-use-default-target="true"/&gt;

    &lt;logout logout-success-url="/www/jsp/authentication/applicationExit.jsp" invalidate-session="true"/&gt;

    &lt;session-management invalid-session-url="/www/jsp/authentication/invalidSession.jsp"
                        session-authentication-error-url="/www/jsp/authentication/authentificationError.jsp"
                        session-fixation-protection="none"&gt;
        &lt;!-- Concurrent sessions --&gt;
        &lt;concurrency-control error-if-maximum-exceeded="false"
                             expired-url="/www/jsp/authentication/sessionExpired.jsp"
                             max-sessions="1" /&gt;
    &lt;/session-management&gt;
&lt;/http&gt;
</code></pre>
    <p>And the part of the web.xml file about Spring Security</p>
    <pre><code>&lt;security-constraint&gt;
    &lt;web-resource-collection&gt;
        &lt;web-resource-name&gt;Security&lt;/web-resource-name&gt;
        &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
    &lt;/web-resource-collection&gt;
    &lt;user-data-constraint&gt;
        &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;
    &lt;/user-data-constraint&gt;
&lt;/security-constraint&gt;

&lt;filter&gt;
    &lt;display-name&gt;springSecurityFilterChain&lt;/display-name&gt;
    &lt;filter-name&gt;springSecurityFilterChain&lt;/filter-name&gt;
    &lt;filter-class&gt;org.springframework.web.filter.DelegatingFilterProxy&lt;/filter-class&gt;
&lt;/filter&gt;

&lt;filter-mapping&gt;
    &lt;filter-name&gt;springSecurityFilterChain&lt;/filter-name&gt;
    &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;

&lt;context-param&gt;
    &lt;param-name&gt;contextConfigLocation&lt;/param-name&gt;
    &lt;param-value&gt;/WEB-INF/spring/secu-config.xml&lt;/param-value&gt;
&lt;/context-param&gt;
</code></pre>
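An added example, not part of the original question or of the poster's project: one way to authenticate a remote client on the same request without putting `j_username` and `j_password` in the URL, shown beside a corrected session-fixation setting for the browser login. It assumes Spring Security 3.1 or later (required for several `<http>` blocks and `create-session="stateless"`) and the application's existing authentication manager, which the question does not show; URL patterns, role names and page paths are copied from the question's configuration.

```xml
<!-- Added example, not the poster's configuration.
     Assumption: Spring Security 3.1+ and an existing <authentication-manager>. -->

<!-- Pattern proposed in the question (credentials in the query string):
       /get.request?request=getListCommand&j_username=...&j_password=...
     Query strings are written to access logs, proxy logs and browser
     history, so the password is stored wherever the URL is stored. -->

<!-- Remote clients: this block must come first so it is matched before
     the catch-all block. The client sends an "Authorization: Basic" header
     with every request and is authenticated before the controller runs.
     Bad or missing credentials get a 401 response instead of a redirect
     to the login form, and no HTTP session is created. -->
<http pattern="/*.Request" create-session="stateless" realm="NexCap Up">
    <!-- HTTPS is already forced by the CONFIDENTIAL constraint in web.xml -->
    <intercept-url pattern="/**" access="ROLE_REMOTE"/>
    <http-basic/>
</http>

<!-- Browser users: the question's form-login block. Only the
     session-fixation setting changes, from "none" to "migrateSession",
     so the session id is replaced when the user logs in. -->
<http realm="NexCap Up" auto-config="true" create-session="always"
      disable-url-rewriting="true"
      access-denied-page="/www/jsp/authentication/accessDenied.jsp">
    <!-- port-mappings, intercept-url, form-login and logout
         elements exactly as in the question -->
    <session-management
        invalid-session-url="/www/jsp/authentication/invalidSession.jsp"
        session-authentication-error-url="/www/jsp/authentication/authentificationError.jsp"
        session-fixation-protection="migrateSession">
        <concurrency-control error-if-maximum-exceeded="false" max-sessions="1"
            expired-url="/www/jsp/authentication/sessionExpired.jsp"/>
    </session-management>
</http>
```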