An authorization filter through tokens was written in the project, but without using spring-security.

This is the normal RestAuthenticationFilter class, which is inherited from Filter and is recorded in the property web.xml .

Now you need to finish the security guard, write some config file that would work like spring-context.xml . Checked the user to the right of access to a particular url.

In addition, in spring-security, you can check which user is currently logged in with the Principal , but in this case this option will not work.

Questions:

  1. How in such a RESTful Api with a custom security officer, add your config file, which will set the users access to the materials?

  2. How can I check such a system, the logged in user and give all the information about him (username, password, email ....)?

Update

 @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filter) throws IOException, ServletException { final HttpServletRequest httprequest = (HttpServletRequest) request; final HttpServletResponse httpresponse = (HttpServletResponse) response; final HttpSession session = httprequest.getSession(); boolean isNewSession = session.isNew(); AccountInfo accountInfo = null; if (isNewSession) { log.debug("New Session get user Info"); try { accountInfo = this.isAuthenticated(httprequest, httpresponse); if (accountInfo != null) { session.setAttribute("accountInfo", accountInfo); request.setAttribute("accountInfo", accountInfo); request.setAttribute(SM_USER, accountInfo.getUserName()); System.out.println("AND WHERE IS THIS FUCKIN USER?!!!!"); } else { httpresponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED); } } catch (Exception e) { httprequest.setAttribute("message", "Please contact your administrator to get an access to this application " + e.getMessage()); return; } } else { accountInfo = (AccountInfo) session.getAttribute("accountInfo"); if (accountInfo == null || accountInfo.getAccountId() == null || accountInfo.getAccountId() <= 0) { // ReValidate try { accountInfo = this.isAuthenticated(httprequest, httpresponse); if (accountInfo != null) { session.setAttribute("accountInfo", accountInfo); request.setAttribute("accountInfo", accountInfo); request.setAttribute(SM_USER, accountInfo.getUserName()); } else { httpresponse .setStatus(HttpServletResponse.SC_UNAUTHORIZED); httprequest.setAttribute("message", "Please contact your administrator to get an access to this application " + "Invalid User Info"); } } catch (Exception e) { httprequest.setAttribute("message", "Please contact your administrator to get an access to this application " + e.getMessage()); return; } } else { request.setAttribute(SM_USER, accountInfo.getUserName()); request.setAttribute("accountInfo", session.getAttribute("accountInfo")); accountInfo = (AccountInfo) session.getAttribute("accountInfo"); log.debug("user in old Session"); } } // Get user from session // Set User Context info try { if (session.getAttribute("accountInfo") != null) { AccountService acctService = springContext .getBean(AccountService.class); AccountInfo info = (AccountInfo) session .getAttribute("accountInfo"); if (info.getAccountId() != null) { Account val = acctService.get(accountInfo.getAccountId()); ProfileContext.setAccountContext(val); } // Set this user Name to log4j MDC MDC.put("userName", AbstractServiceModel .formatUserDetails(ProfileContext.getProfileContext())); } } catch (Exception e) { log.debug("Invalid user information" + e); return; } if (httprequest.getRequestURI() != null && httprequest.getRequestURI().contains("logoutApp")) { session.invalidate(); } filter.doFilter(request, response); // End setting // remove context this.destroy(); }

    1 answer 1

    1. Just come up with your own configuration format: xml, json, properties - everything you want. The config can correlate, for example, user roles and URLs allowed by it. When the application starts, load it into memory. The filter checks each request for compliance with the current user's role as a URL.

    2. Do the same as implemented in Spring Security. They have a class SecurityContextHolder with a static thread-local field that stores information about the user. This field is filled in the filter after authentication and is available in the current stream from any class. If simplified:

       public class SecurityContextHolder { private static final ThreadLocal<UserInfo> userInfoHolder = new ThreadLocal<>(); public static UserInfo getUserInfo() { return (UserInfo)userInfoHolder.get(); } public static void setUserInfo(UserInfo userInfo) { userInfoHolder.set(userInfo); } }
    • on the second question, is it just necessary to create this class and transfer your entiti to ThreadLocal , and then call this class in the controller and pull the user context from it? Right? - raviga
    • Yes something like that. - Nofate
    • one more question on the first. in this project, and each user has his own role, which is a separate enum (ROLE_ADMIN, ROLE_DOCTOR, etc.). I found custom security option on the docks using <security-constraint> tags in web.xml . But how to make these configurations understand what role the user has? Where does it check it? I log in as admin, but I still don't get access rights - raviga
    • If you use <security-constraint> , then the container (Tomcat) deals with rights verification and the meaning disappears in your custom security guard. - Nofate
    • 2
      @ trembling11 stackoverflow.com/questions/26777083/… - Sergey