I have a web application login form in Spring Security 3.1. The login form calls j_spring_security_check on submit, and I have a custom auth manager that uses the GitHub REST API for authenticating the login. The problem with this is that when the login information gets logged on the server, it is logged in plain text.
Posting my security-context.xml file:
<!-- Custom bean: Auth Manager -->
<beans:bean id="customAuthmanager" class="com.RRCenter.securityMisc.AuthManager">
</beans:bean>
<!-- Failed login bean -->
<beans:bean id="failedLogin" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" p:defaultFailureUrl="/reuiweb/login?fail=true"></beans:bean>
<!-- Successful login bean -->
<beans:bean id="successLogin" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" p:defaultTargetUrl="/reuiweb/certifybundles?login=true"></beans:bean>
<!-- <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
</beans:bean> -->
<!-- <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean> -->
<!-- Form-login filter, wired to the custom auth manager -->
<beans:bean id="customAuthFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthmanager"
p:authenticationFailureHandler-ref="failedLogin"
p:authenticationSuccessHandler-ref="successLogin"
p:authenticationDetailsSource-ref="myAuthDetailsSource"
></beans:bean>
<!-- p:authenticationProvider-ref="daoAuthenticationProvider" -->
<!-- Auth Details Bean -->
<beans:bean id="myAuthDetailsSource" class="com.RRCenter.securityMisc.MyAuthDetailsSource"/>
<!-- Login entry point (redirects unauthenticated requests to the login form) -->
<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/reuiweb/login" />
<security:authentication-manager />
<!-- HTTP security configuration -->
<security:http auto-config="false" request-matcher="ant" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint">
<!-- Enables the 9xxx ports -->
<security:port-mappings>
<security:port-mapping http="80" https="443"/>
<security:port-mapping http="8080" https="8443"/>
<security:port-mapping http="9080" https="9443"/>
</security:port-mappings>
<security:http-basic authentication-details-source-ref="myAuthDetailsSource" />
<!-- Session management -->
<security:session-management invalid-session-url="/reuiweb/login">
<security:concurrency-control max-sessions="99" expired-url="/reuiweb/login" />
</security:session-management>
<!-- Security schema -->
<security:intercept-url pattern="/j_spring_security_check" requires-channel="https"/>
<security:intercept-url pattern="/reuiweb/certifyProvider" access="ROLE_USER,ROLE_ADMIN"/>
<security:intercept-url pattern="/**" access="ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN"/>
<security:logout invalidate-session="true" logout-success-url="/reuiweb/allJobs" logout-url="/reuiweb/logout"/>
<security:custom-filter ref="customAuthFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
I read a couple of answers on Stack Overflow which mentioned that I had to use a UserDetailsService along with a password encoder bean:
<bean id="authProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="customUserService" />
<property name="passwordEncoder" ref="encoder" />
</bean>
However, DaoAuthenticationProvider is for cases where the login password is stored in a database. Could you let me know how to implement a UserDetailsService when authentication is provided by REST API services?
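Added example, not part of the original question and not the asker's AuthManager: when the password is verified by a remote API there is nothing for a UserDetailsService to load, so the natural Spring Security 3.1 extension point is a custom AuthenticationProvider rather than DaoAuthenticationProvider. The provider below sends the submitted username/password to GitHub's `GET /user` endpoint with HTTP Basic, grants ROLE_USER on a 200, and addresses the plaintext-logging concern in three places: it logs only the username, it refuses any endpoint that is not https, and the Authentication it returns carries null credentials so the password never sits in the session or in anything that later logs the security context. The class name, the ROLE_USER grant, the User-Agent string and the Java 8 requirement (java.util.Base64) are assumptions made for the example.

```java
package com.RRCenter.securityMisc;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Hypothetical AuthenticationProvider (example code, not the asker's class) that
 * verifies a username/password pair against the GitHub REST API.
 * Assumes Java 8+ for java.util.Base64.
 */
public class GitHubAuthenticationProvider implements AuthenticationProvider {

    private static final Log log = LogFactory.getLog(GitHubAuthenticationProvider.class);

    private final String userEndpoint;

    public GitHubAuthenticationProvider() {
        this("https://api.github.com/user");
    }

    public GitHubAuthenticationProvider(String userEndpoint) {
        // HTTP Basic puts the password on the wire; never allow a plaintext transport.
        if (!userEndpoint.startsWith("https://")) {
            throw new IllegalArgumentException("GitHub endpoint must use https: " + userEndpoint);
        }
        this.userEndpoint = userEndpoint;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object creds = authentication.getCredentials();
        String password = creds == null ? "" : creds.toString();
        if (username == null || username.isEmpty() || password.isEmpty()) {
            throw new BadCredentialsException("Missing username or password");
        }

        // Log the username only; the password must never be written to the log.
        log.debug("Authenticating '" + username + "' against " + userEndpoint);

        int status = checkCredentials(username, password);
        if (status == HttpURLConnection.HTTP_OK) {
            List<GrantedAuthority> authorities =
                    Collections.<GrantedAuthority>singletonList(new SimpleGrantedAuthority("ROLE_USER"));
            // Credentials are deliberately null: the token stored in the session carries no password.
            UsernamePasswordAuthenticationToken result =
                    new UsernamePasswordAuthenticationToken(username, null, authorities);
            result.setDetails(authentication.getDetails());
            return result;
        }
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            throw new BadCredentialsException("GitHub rejected the credentials for '" + username + "'");
        }
        // Anything else (rate limiting, 5xx) is a service problem, not a wrong password.
        throw new AuthenticationServiceException("GitHub API returned HTTP " + status);
    }

    /** Returns the HTTP status of an authenticated GET to the user endpoint. */
    private int checkCredentials(String username, String password) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(userEndpoint).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            String pair = username + ":" + password;
            String basic = Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + basic);
            conn.setRequestProperty("Accept", "application/vnd.github.v3+json");
            conn.setRequestProperty("User-Agent", "reuiweb"); // GitHub requires a User-Agent header
            return conn.getResponseCode(); // 401 is returned as a status, not thrown
        } catch (IOException e) {
            throw new AuthenticationServiceException("Could not reach GitHub", e);
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

To wire it into the posted security-context.xml, declare the class as a bean (for example `<beans:bean id="gitHubAuthProvider" class="com.RRCenter.securityMisc.GitHubAuthenticationProvider"/>`), register it with `<security:authentication-provider ref="gitHubAuthProvider"/>` inside `<security:authentication-manager alias="authenticationManager">`, and point the filter's `p:authenticationManager-ref` at that alias instead of at a hand-rolled manager. ProviderManager in 3.1 also erases the credentials of the returned Authentication by default, which is a second line of defence should a provider copy the password into the result; the provider above does not put it there in the first place. Two caveats: GitHub stopped accepting account passwords for API Basic authentication in November 2020, so today the "password" field has to carry a personal access token for this request to succeed; and the plaintext exposure the question describes can only come from code that logs the submitted credentials (a custom filter, details source or manager), since Spring Security's own tokens render credentials as [PROTECTED] in toString().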