Hi Guru,

I am using Spring Security 2.x (+ Spring + Struts2) and would like to add an authority to a user dynamically after the user submits a form.

I have a protected directory (/protected/dir/) which is protected by ROLE_USER

    <sec:intercept-url pattern="/protected/dir/**" access="ROLE_USER, ROLE_ADMIN" />

Which users can access after they log in.

I want to make this accessible to a user who submitted the form (without logging in) by adding a temporary ROLE_TEMP to the principal (which may not even exist, since the user hasn't logged in, so I may have to add that to the SecurityContext too).

I have tried to access the SecurityContext and add a new Principal in my controller/action class, but I am unable to get the SecurityContext. (I think the SecurityContext only runs on its own thread and you cannot pass it around; that's why I got an NPE.)

So what is the best way of doing this?

Please advise. Thanks

A: 

One way to support anonymous users is to add this filter:

    /**
     * Detects if there is no Authentication object in the SecurityContextHolder,
     * and populates it with one if needed.
     */
    org.springframework.security.providers.anonymous.AnonymousProcessingFilter

The filter has this attribute that will force the filter to remove the anonymous session after the request is complete:

    public void setRemoveAfterRequest(boolean removeAfterRequest);
rodrigoap
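An added example, not code from the answer or from Spring Security: a hypothetical helper that installs a ROLE_TEMP Authentication for the form submitter only, rather than for every anonymous visitor, and never replaces an existing login. It assumes the Spring Security 2.x package names, that the Struts action runs behind the Spring Security filter chain, and that ROLE_TEMP has been added to the intercept-url; `TemporaryAccess`, `grantIfNotLoggedIn` and `submitterId` are illustrative names.

```java
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

/** Hypothetical helper, called from the form action after the form validates. */
public final class TemporaryAccess {

    // Role name taken from the question. It must also be listed in the
    // access attribute of the intercept-url for /protected/dir/**.
    private static final String TEMP_ROLE = "ROLE_TEMP";

    private TemporaryAccess() {
    }

    /**
     * Gives the current caller ROLE_TEMP unless a real login is present.
     *
     * @param submitterId label for the principal (assumption: any stable
     *                    identifier of the submission, e.g. its record id)
     * @return true if a temporary Authentication was installed
     */
    public static boolean grantIfNotLoggedIn(String submitterId) {
        Authentication current =
                SecurityContextHolder.getContext().getAuthentication();

        // Null means no filter populated the context for this request;
        // an AnonymousAuthenticationToken is what AnonymousProcessingFilter adds.
        boolean loggedIn = current != null
                && !(current instanceof AnonymousAuthenticationToken)
                && current.isAuthenticated();
        if (loggedIn) {
            return false; // never replace or downgrade an existing login
        }

        GrantedAuthority[] authorities = { new GrantedAuthorityImpl(TEMP_ROLE) };
        // The three-argument constructor marks the token as authenticated.
        // No credentials are kept: the caller never supplied a password.
        Authentication temp = new UsernamePasswordAuthenticationToken(
                submitterId, null, authorities);
        SecurityContextHolder.getContext().setAuthentication(temp);
        return true;
    }
}
```

Only ROLE_TEMP is granted, so the caller gains nothing beyond the URLs whose access list names that role.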