Thursday, March 1, 2012

Spring security - pre authentication security mapping

An example of pre-authentication is SiteMinder, which sits between the browser and the web servers and intercepts requests to validate user credentials. On successful validation, standard request headers are set with the user id.

Here we discuss configuring Spring Security to work with a pre-authentication mechanism where authentication and/or authorization (such as retrieving roles from LDAP) is performed outside Spring Security.

Spring Security can still be used in such scenarios to implement authorization at the URL level, the method level, or within JSPs (for example, to display buttons/tabs based on user roles).

Below are the two interfaces to be implemented in Spring Security.

MappableAttributesRetriever
Reads the standard user roles / user groups from a database or a configuration file.
public abstract Set getMappableAttributes();

AuthenticationDetailsSource
Responsible for returning the list of roles associated with the user at runtime.
AbstractPreAuthenticatedAuthenticationDetailsSource implements AuthenticationDetailsSource and provides the base implementation, so it can be used directly in such scenarios. This class is injected with a bean implementing MappableAttributesRetriever, from which the standard roles/groups are retrieved.

protected abstract String[] getUserRoles(Object context, String[] mappableRoles)

At run time the context is passed in; for a web application the context is the HttpServletRequest.
If the roles/groups associated with the user are stored in the user's session, a lookup can be performed against the configured standard roles/groups and only the matching roles returned.
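The following is an added example of the two pieces described above (a MappableAttributesRetriever backed by a configured role list, and a details source that looks session-stored groups up against it); it is not code from the original post. It is written against the Spring Security 3.x form of AbstractPreAuthenticatedAuthenticationDetailsSource, where getUserRoles() receives the HttpServletRequest and the configured roles are available to subclasses as the j2eeMappableRoles field (populated by setMappableRolesRetriever()); that version, the package name example.preauth, and the session attribute name "sso.groups" are assumptions. The security-relevant point is the intersection: a group name arriving from the session is only turned into an authority if the application has explicitly configured it.

```java
package example.preauth; // hypothetical package for this added example

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.authority.mapping.MappableAttributesRetriever;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedAuthenticationDetailsSource;

/**
 * Maps the groups an external SSO layer stored in the HTTP session onto the
 * roles this application knows about. Groups outside the configured set are
 * dropped, so the upstream system cannot introduce roles the application never
 * defined.
 */
public class SessionGroupAuthenticationDetailsSource
        extends AbstractPreAuthenticatedAuthenticationDetailsSource {

    /** Session attribute under which the SSO layer stores the user's groups (assumed name). */
    public static final String GROUPS_SESSION_ATTRIBUTE = "sso.groups";

    /**
     * MappableAttributesRetriever backed by a fixed list of role names; the bean
     * that constructs it would load the list from a properties file or a table.
     */
    public static class ConfiguredRolesRetriever implements MappableAttributesRetriever {
        private final Set<String> roles;

        public ConfiguredRolesRetriever(Collection<String> roles) {
            this.roles = Collections.unmodifiableSet(new LinkedHashSet<String>(roles));
        }

        public Set<String> getMappableAttributes() {
            return roles;
        }
    }

    /**
     * Called by buildDetails() on every request. Returns only those session
     * groups that also appear in the configured mappable roles.
     */
    @Override
    protected Collection<String> getUserRoles(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session here
        if (session == null) {
            return Collections.emptyList();
        }
        return filterMappable(session.getAttribute(GROUPS_SESSION_ATTRIBUTE), j2eeMappableRoles);
    }

    /** Pure mapping rule, kept separate so it can be unit-tested without a servlet container. */
    static Collection<String> filterMappable(Object rawGroups, Set<String> mappable) {
        Set<String> result = new LinkedHashSet<String>();
        if (rawGroups == null || mappable == null) {
            return result;
        }
        Collection<?> groups;
        if (rawGroups instanceof Collection) {
            groups = (Collection<?>) rawGroups;
        } else if (rawGroups instanceof String[]) {
            groups = Arrays.asList((String[]) rawGroups);
        } else if (rawGroups instanceof String) {
            // e.g. "admins,staff" as copied from a header by a header-based SSO filter
            groups = Arrays.asList(((String) rawGroups).split(","));
        } else {
            return result; // unknown representation: grant nothing rather than guess
        }
        for (Object g : groups) {
            if (g == null) {
                continue;
            }
            String name = g.toString().trim();
            if (mappable.contains(name)) {
                result.add(name);
            }
        }
        return result;
    }
}
```

Wiring follows the usual pre-authentication layout: the details source bean is given a ConfiguredRolesRetriever via its mappableRolesRetriever property and set as the authenticationDetailsSource of the pre-authentication filter (for header-based SSO, RequestHeaderAuthenticationFilter), while a PreAuthenticatedAuthenticationProvider configured with PreAuthenticatedGrantedAuthoritiesUserDetailsService turns the returned names into the user's authorities. Note that the base class passes the names returned by getUserRoles() through its default Attributes2GrantedAuthoritiesMapper, which prefixes each one with ROLE_, so the configured list should contain the bare group names as they appear in the session.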
