Nnamdi Jibunoh

Reputation: 13

Spring Security Requirements and questions

I am working on an application that uses Spring MVC and Spring REST. It is separated into 2 servers: the backend is a Spring REST interface and the frontend is a normal Spring MVC application. I however have some security requirements, especially for the MVC server frontend, e.g.

  1. Only one active session per user
  2. Session timeouts after a specified time
  3. Ability to create new roles from a form on the application and have these roles apply to the URL accessed dynamically at run time not hard coded into the configuration.

My questions are

  1. Is there a way to implement a custom login module that will authenticate users but still use Spring Security to manage access control after login and for logout?
  2. All the examples that I have seen use predefined roles configured in the Spring configuration file; however, our requirement is such that we don't know the roles that will be in the system and what URLs they will be allowed to access at deployment time. All this is configured via the UI by an admin, so the question is: is there any example that I can use to see how this can be handled in Spring Security?
  3. Finally the single session requirement mentioned above.

Any pointers would be very appreciated.

Upvotes: 1

Views: 520

Answers (2)

Pierre Henry

Reputation: 17487

1) Is there a way to implement a custom login module that will authenticate users but still use Spring Security to manage access control after login and for logout?

Yes. You can provide your own authentication mechanism by implementing org.springframework.security.authentication.AuthenticationProvider and making it a bean (annotating it or in XML):

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Service;

// the bean name must match the ref used in the security context below
@Service("tangoAuthenticationProvider")
public class TangoAuthenticationProvider implements AuthenticationProvider {

    @Override
    public boolean supports(Class<?> authentication) {
        // tell the AuthenticationManager which token types this provider handles
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        // your code: verify the credentials and return an authenticated token,
        // or throw an AuthenticationException (e.g. BadCredentialsException);
        // returning null lets the manager try the next provider
        return null;
    }
}

Then instruct Spring Security to use it (in your security context):

<authentication-manager>
    <authentication-provider ref="tangoAuthenticationProvider" />
</authentication-manager>

See this question, and of course the Spring Security docs.

2) Dynamically created roles: I can't answer this part, no experience with this.

3) Single session requirement

Maybe there is such a mechanism built into Spring Security (you'd have to research this), but I think you can implement it using simple session listeners and the aforementioned custom authentication mechanism:

  1. Add a session id field to your user entity (or somewhere else, but somehow associate your user id with a session id).
  2. Create a service that allows you to store a reference to a session associated with its id, and provides access to the session by its id. You could use a static hashmap, or a singleton, or better, a Spring service bean with roughly the following interface (let's call it the session repository):

    public void putSession(String id, HttpSession session);
    public HttpSession getSessionById(String id);

  3. In your authentication provider, after a successful login, set the user's session id field to the current session id.

  4. In the authentication logic, if the sessionId field of the user is not null, either forbid the authentication (then you wouldn't need the reference-to-the-session mechanism), or, more likely to be the real requirement, proceed to invalidate the user's other ongoing session by getting it from the session repository using the user's sessionId field's value.
  5. In a session listener: on session created, store the session in the session repository; on session deleted, if there is a logged-in user, clear its sessionId field, and clear the reference to the session in order to avoid a memory leak.

This is sensitive code in relation to security (cross-session stuff), so it should be written and tested very carefully though!

I hope it helps.

Upvotes: 1
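Spring Security does ship the built-in mechanism the answer above suspects exists: concurrent session control, which does the "invalidate the other session" step for you, and the servlet container handles the timeout. The fragment below is an added example, not code from either answer; it assumes the Spring Security 3.x XML namespace, a login page at /login, the tangoAuthenticationProvider bean from the answer, and a 15-minute idle timeout, all of which are constructed for illustration.

```xml
<!-- security context (Spring Security 3.x namespace); paths are assumed for the example -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <http use-expressions="true">
        <intercept-url pattern="/login*" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login login-page="/login" authentication-failure-url="/login?error" />
        <logout logout-url="/logout" logout-success-url="/login" />

        <!-- requirement 2: a request carrying a stale or expired session id is sent back to login -->
        <session-management invalid-session-url="/login?expired">
            <!-- requirement 1: at most one live session per principal.
                 error-if-maximum-exceeded="false" expires the OLDER session when the
                 same user logs in again (the behaviour described in step 4 above);
                 set it to "true" to reject the new login instead -->
            <concurrency-control max-sessions="1"
                                 error-if-maximum-exceeded="false"
                                 expired-url="/login?expired" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider ref="tangoAuthenticationProvider" />
    </authentication-manager>
</beans:beans>

<!-- web.xml additions -->
<!-- publishes session created/destroyed events so the SessionRegistry behind
     concurrency-control is cleaned up when sessions end (the listener role of step 5) -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- requirement 2: container-level idle timeout, in minutes (value assumed) -->
<session-config>
    <session-timeout>15</session-timeout>
</session-config>
```

The registry decides that two logins belong to the same user by comparing the principal object your AuthenticationProvider puts in the token, so a custom principal class needs correct equals() and hashCode(); otherwise every login looks like a different user and the limit never triggers.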

hzhsun

Reputation: 114

You can use a form to log in.

In order to create dynamic roles, you could implement the UserDetailsService interface, which has one method:

import org.springframework.dao.DataAccessException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class DatabaseUserDetailsService implements UserDetailsService { // class name is illustrative

    @Override
    public UserDetails loadUserByUsername(String userId)
            throws UsernameNotFoundException, DataAccessException {
        // ...
        /*
        fetch your role information every time the user logs in again;
        you can store the new role in the database and fetch it from here
        */
        // placeholder so the class compiles: replace with the lookup described above
        throw new UsernameNotFoundException(userId);
    }
}

After that, you can configure your spring-security file for authentication/authorization with database roles.

For the single session per user requirement, try to keep all the user - sessionid pairs in a database or in an application-level hashmap. There is a Spring ContextLoaderListener (HttpSessionListener under the hood), so you can add/remove user-sessionid pairs from the application from the listener.

Upvotes: 0
