tags:

views:

554

answers:

1
+1  Q: 

How to load roles from database for anonymous user in spring security 3 ?

Hello,

I'm using Spring Security 3.0.2 and I can't find a way to load roles of anonymous user from database (I've got dynamic roles where roles can be given to everyone).

I've tried to use a custom anonymousAuthenticationProvider but this provider is never called. Here is my config:

<http auto-config="false">
    <logout invalidate-session="true" logout-success-url="/page/welcome" />
    <remember-me />
    <anonymous username="_GUEST_" granted-authority="ROLE_GUEST" key="anonymousKey" />
    <form-login login-page="/page/login" authentication-failure-url="/page/login?fail=1" default-target-url="/page/welcome" />
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="anonymousAuthenticationProvider"></authentication-provider>
    <authentication-provider user-service-ref="accountDetails">
        <password-encoder ref="passwordEncoder">
            <salt-source user-property="xxxx" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="accountDetails" class="com.mysite.AccountDetailsImpl" />

<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <beans:constructor-arg value="512" />
</beans:bean>

<beans:bean id="anonymousAuthenticationProvider" class="com.my.site.security.CustomAnonymousAuthenticationProvider">
    <beans:property name="key" value="anonymousKey" />
</beans:bean>

My anonymousAuthenticationProvider is never called so I can't load custom authorities from database. When I log in, my service accountDetails is called and I can load roles from database for the user, I want the same thing for anonymous user.

How can I do it ? thanks

A: 

It seems to be that the easiest way to achieve it is to declare a AnonymousAuthenticationFilter with a custom UserAttribute, which will produce the required authorities:

<http auto-config = "false">
    <anonymous enabled = "false" />
    <custom-filter ref = "myFilter" position = "ANONYMOUS_FILTER" />
    ...
</http>

<beans:bean id = "myFilter" class = "org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <beans:property name = "key" value = "anonymousKey" />
    <beans:property name = "userAttribute" ref = "myAttributes" />
</beans:bean>

<beans:bean id = "myAttributes" class = "..." />
axtavt  2010-03-03 16:00:24

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security