Spring Security access to a request, without pre-authentication, from remote access

Question

I wrote here because I cannot find a clear answer to my problem:

My project is using Spring MVC and Spring Security. I well installed both for a web application (of course using Java). I can access with post and get method, but only after the user has been connected via the usual form of Spring Security.

From now, the user do a request on an address like this:

../../get.request?request=getListCommand

where get.request is a mapping from Spring MVC. This access is enable only after the user has been authenticated!

What I need to do: Add the possibility to access directly to this request, without has been authenticated previously, using an address like this one for example:

http://123.123.123.123:123/get.request?request=getListCommand&j_password=myPassword&j_username=myName

or

same thing with the post protocol and the params given (request=getListCommand, j_password=myPassword, j_username=myName)

Of course the authentication will have to be done previously the request is performed and the result sent back.

I searched on many website or directly on the Spring security website. They talk about filterchaining, own user name authentication, RMI; but I don't really found a full example doing what I presented above.

Thanks for anyone than can help me that way.

ps: I use all default or the most simple configuration for Spring security (no fengshui' style :-))

Here is my securit context xml file

<http realm="NexCap Up"
        auto-config="true"
        access-denied-page="/www/jsp/authentication/accessDenied.jsp"
        create-session="always"
        disable-url-rewriting="true">          
            <port-mappings>
                <port-mapping http="8084" https="8443"/>
            </port-mappings>        

            <intercept-url pattern="/www/jsp/authentication/connexion.jsp"                    
                access='IS_AUTHENTICATED_ANONYMOUSLY' requires-channel="https"/>

            <intercept-url pattern="/www/jsp/authentication/connexionFailed.jsp" 
                access='IS_AUTHENTICATED_ANONYMOUSLY'  />

            <intercept-url pattern="/www/jsp/authentication/applicationExit.jsp" 
                access='IS_AUTHENTICATED_ANONYMOUSLY'  /> 


          <intercept-url 
                pattern="/get.Request" 
                method="GET"
                access="ROLE_REMOTE" />

             <intercept-url 
                pattern="/post.Request"  
                method="POST"
                access="ROLE_REMOTE" />

            <intercept-url pattern="/**" 
                access="ROLE_REMOTE,ROLE_SCRIPT"  />
       <form-login 
            authentication-failure-url="/www/jsp/authentication/connexionFailed.jsp"
            login-page="/www/jsp/authentication/connexion.jsp"
            default-target-url="/www/jsp/index.jsp"
            always-use-default-target="true"/>

        <logout
            logout-success-url="/www/jsp/authentication/applicationExit.jsp"
            invalidate-session="true"/>

        <session-management
            invalid-session-url="/www/jsp/authentication/invalidSession.jsp"
            session-authentication-error-url = "/www/jsp/authentication/authentificationError.jsp"
            session-fixation-protection="none">

            <!-- Sessions concurrentes -->
            <concurrency-control 
                error-if-maximum-exceeded="false"
                expired-url="/www/jsp/authentication/sessionExpired.jsp"
                max-sessions="1" />

        </session-management>

    </http>

And the part of the web.xml file about the spring security

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Security</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


<filter>
  <display-name>springSecurityFilterChain</display-name>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
  </filter-class>

<filter-mapping>
   <filter-name>springSecurityFilterChain</filter-name>
   <url-pattern>/*</url-pattern>

<context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>
       /WEB-INF/spring/secu-config.xml
   </param-value>

Answer 1

Assuming that there is a applicationContext-security.xml in your WEB-INF.
It would be great if you can post your applicationContext-security.xml
And also that you have almost default configuration for spring security.

I would recommend following.

First change your url to /public/get.request?request=getListCommand

Then add following snippet to applicationContext-security.xml

<http use-expressions="true">
 <intercept-url pattern="/public/**" access="permitAll" />
 <!-- You can add n number of filters here-->
</http>

What it will do is bypass security for all the paths under /public/. Reason for changing URL is that you might not want your whole application to be public.

Below is Example of my XML.
Please also note that my authentication provider is custom so dont be confused with that. All you need is to look at my <http> section and you will get an idea how to implement in your application.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </global-method-security>

    <http use-expressions="true">
        <intercept-url pattern="/favicon.ico" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll"/>
        <intercept-url pattern="/login.jsp*" access="permitAll"/>
        <intercept-url pattern="/Admin/**" access="hasAnyRole('ROLE_SUPER_USER')"/>
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
        <http-basic/>
        <logout logout-success-url="/login.jsp"/>
        <remember-me user-service-ref="loginService" />
        <!-- Uncomment to limit the number of sessions a user can have -->
     </http>

    <authentication-manager>
        <authentication-provider user-service-ref="loginService">
         <password-encoder hash="md5"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="loginService" class="com.indyaah.service.LoginService">
    </beans:bean>
    <beans:bean id="authService" class="com.indyaah.service.AuthService" />
</beans:beans>

As you can see I allow login.jsp and my static content (images/js/css/etc.) to be accessed anonymously meaning without logging in.

Hope this help.

Let me know if you need further help in understanding.