Spring Security and JSON Authentication

by

According with Kevin suggestions,
and after reading this posts: 1, 2, documentation 3, and thanks to this blog post,
I wrote my own FORM_LOGIN_FILTER to directly manage JSON before authentication.
I paste my code for the community.

The goal is to grant both the classical browser form POST authentication with JSON based authentication. Also in JSON authentication I want to avoid the redirect to loginSuccesful.htm

In context:

<security:http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">      
    <security:intercept-url pattern="/logs/**" access="denyAll" />
    <!-- ... All other intercept URL -->

    <security:custom-filter ref="CustomUsernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER "/>
    <security:logout
            invalidate-session="true"
            logout-success-url="/LogoutSuccessful.htm"
            delete-cookies="true"
    />
    <security:session-management>
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>
    <security:access-denied-handler error-page="/accessDenied.htm" />
</security:http>

<bean id="CustomUsernamePasswordAuthenticationFilter" class="path.to.CustomUsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="customSuccessHandler"/>
    <property name="authenticationFailureHandler" ref="failureHandler"/>
    <property name="filterProcessesUrl" value="/j_spring_security_check"/>
    <property name="usernameParameter" value="j_username"/>
    <property name="passwordParameter" value="j_password"/>
</bean>

<bean id="customSuccessHandler" class="path.to.CustomAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/login.htm" />
    <property name="targetUrlParameter" value="/LoginSuccessful.htm" />
</bean>

<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login.htm" />
</bean>

<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

CustomUsernamePasswordAuthenticationFilter class:

public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{
    private String jsonUsername;
    private String jsonPassword;

    @Override
    protected String obtainPassword(HttpServletRequest request) {
        String password = null; 

        if ("application/json".equals(request.getHeader("Content-Type"))) {
            password = this.jsonPassword;
        }else{
            password = super.obtainPassword(request);
        }

        return password;
    }

    @Override
    protected String obtainUsername(HttpServletRequest request){
        String username = null;

        if ("application/json".equals(request.getHeader("Content-Type"))) {
            username = this.jsonUsername;
        }else{
            username = super.obtainUsername(request);
        }

        return username;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response){
        if ("application/json".equals(request.getHeader("Content-Type"))) {
            try {
                /*
                 * HttpServletRequest can be read only once
                 */
                StringBuffer sb = new StringBuffer();
                String line = null;

                BufferedReader reader = request.getReader();
                while ((line = reader.readLine()) != null){
                    sb.append(line);
                }

                //json transformation
                ObjectMapper mapper = new ObjectMapper();
                LoginRequest loginRequest = mapper.readValue(sb.toString(), LoginRequest.class);

                this.jsonUsername = loginRequest.getUsername();
                this.jsonPassword = loginRequest.getPassword();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        return super.attemptAuthentication(request, response);
    }
}

CustomAuthenticationSuccessHandler class:

public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public void onAuthenticationSuccess(
            HttpServletRequest request,
            HttpServletResponse response,
            Authentication auth
    )throws IOException, ServletException {

        if ("application/json".equals(request.getHeader("Content-Type"))) {
            /*
             * USED if you want to AVOID redirect to LoginSuccessful.htm in JSON authentication
             */         
            response.getWriter().print("{\"responseCode\":\"SUCCESS\"}");
            response.getWriter().flush();
        } else {
            super.onAuthenticationSuccess(request, response, auth);
        }
    }
}

More Related Contents:

  1. Spring MVC Multipart Request with JSON
  2. Spring MVC – HttpMediaTypeNotAcceptableException
  3. Custom HttpMessageConverter with @ResponseBody to do Json things
  4. REST with Spring and Jackson full data binding
  5. JsonMappingException: could not initialize proxy – no Session
  6. Spring @ResponseBody Jackson JsonSerializer with JodaTime
  7. Filter invoke twice when register as Spring bean
  8. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  9. No serializer found for class org.hibernate.proxy.pojo.javassist.Javassist?
  10. How to disable spring security for particular url
  11. Spring Boot CORS filter – CORS preflight channel did not succeed
  12. JSON parameter in spring MVC controller
  13. How to enable HTTP response caching in Spring Boot
  14. Parsing JSON in Spring MVC using Jackson JSON
  15. How to get the current logged in user object from spring security?
  16. how to display custom error message in jsp for spring security auth exception
  17. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  18. How to return JSON data from spring Controller using @ResponseBody
  19. getting exception: No bean named ‘springSecurityFilterChain’ is defined
  20. How to apply Spring Security filter only on secured endpoints?
  21. Spring RequestMapping for controllers that produce and consume JSON
  22. Spring Security 3.2 CSRF disable for specific URLs
  23. Could not write JSON: Infinite recursion (StackOverflowError); nested exception spring boot
  24. How do I customize default error message from spring @Valid validation?
  25. Modify default JSON error response from Spring Boot Rest Controller
  26. Spring MVC 4: “application/json” Content Type is not being set correctly
  27. Spring-MVC 406 Not Acceptable instead of JSON Response
  28. include class name in all objects serialized by jackson
  29. Spring MVC PATCH method: partial updates
  30. Spring MVC: How to modify json response sent from controller

Leave a Comment