Spring Security URL parameter based auth - 26 Oct 2012

For some web services, authentication needs to happen based on URL parameters. That JSON client you built into your iOS app is not going to like rando form login HTML coming in. Let us make Spring bend to our will. This is a pruned-down version of code I wrote, based on Implementing REST Authentication, that I have been using in production.

Just the good parts!

extend OncePerRequestFilter

This guy comes from org.springframework.web.filter.OncePerRequestFilter, which is in the spring-web class library.

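package com.vraidsys.auth;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class ParameterAuthFilter extends OncePerRequestFilter {
    // isValidAuthBasedOnParams(request) is not shown in this pruned-down version.
    @Override
    protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain theFilterChain) throws ServletException, IOException {
        if (isValidAuthBasedOnParams(request)) {
            // Parameters check out: let the request continue down the chain.
            theFilterChain.doFilter(request, response);
        } else {
            // Answer with a plain 401 rather than a form login page.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid parameter authentication");
        }
    }
}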

update web.xml

<filter>
    <filter-name>signatureFilter</filter-name>
    <filter-class>com.vraidsys.auth.ParameterAuthFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>signatureFilter</filter-name>
    <url-pattern>/api/*</url-pattern>
</filter-mapping>
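
One way the isValidAuthBasedOnParams check could be implemented, as an added example that is not the author's code: an HMAC-SHA256 signature over the request parameters plus a timestamp freshness window. The parameter names apiKey, timestamp and signature, the canonical form, the 300-second window and the class name ParamSignatureCheck are all assumptions, not taken from the post.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class ParamSignatureCheck {
    static final long MAX_SKEW_SECONDS = 300; // assumed freshness window
    // Hex HMAC-SHA256 over sorted, length-prefixed name/value pairs ("signature" excluded).
    static String sign(Map<String, String[]> params, byte[] secret) throws GeneralSecurityException {
        StringBuilder canonical = new StringBuilder();
        for (Map.Entry<String, String[]> e : new TreeMap<>(params).entrySet()) {
            if (e.getKey().equals("signature")) continue;
            for (String v : e.getValue()) { // length prefixes keep field boundaries unambiguous
                canonical.append(e.getKey().length()).append(':').append(e.getKey())
                         .append(v.length()).append(':').append(v);
            }
        }
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return String.format("%064x", new BigInteger(1, mac.doFinal(canonical.toString().getBytes(UTF_8))));
    }

    // params: request.getParameterMap(); secret: the key stored for the caller's (assumed) apiKey.
    static boolean isValid(Map<String, String[]> params, byte[] secret, long nowSeconds) {
        String[] sig = params.get("signature"), ts = params.get("timestamp");
        if (secret == null || sig == null || sig.length != 1 || ts == null || ts.length != 1) return false;
        try {
            long t = Long.parseLong(ts[0]); // stale or far-future timestamps are refused to limit replay
            if (t < nowSeconds - MAX_SKEW_SECONDS || t > nowSeconds + MAX_SKEW_SECONDS) return false;
            // MessageDigest.isEqual avoids the early-exit timing leak of String.equals.
            return MessageDigest.isEqual(sign(params, secret).getBytes(UTF_8), sig[0].getBytes(UTF_8));
        } catch (GeneralSecurityException | NumberFormatException e) {
            return false; // fail closed on any parsing or crypto error
        }
    }

    public static void main(String[] args) throws Exception { // constructed sample request
        byte[] key = "constructed-demo-secret".getBytes(UTF_8);
        Map<String, String[]> p = new TreeMap<>();
        p.put("apiKey", new String[] {"demo-client"});
        p.put("timestamp", new String[] {"1351209600"});
        p.put("signature", new String[] {sign(p, key)});
        System.out.println(isValid(p, key, 1351209630L) + " " + isValid(p, key, 1351219600L));
    }
}
```

Inside the filter, isValidAuthBasedOnParams(request) can delegate to isValid(request.getParameterMap(), secret, System.currentTimeMillis() / 1000); how the secret is looked up per client is application-specific. Because query strings end up in access logs and proxy logs, signing the parameters keeps the shared secret itself out of the URL.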

138 words. Post tags: Spring, Security, and parameter.

Post content is written by Jason Zerbe and licensed CC BY-NC 3.0.