java - Spring Security, Boot: replace default DaoAuthenticationProvider -


i trying add user ip verification during login process. if ip address of user not in database application should reject authentication.

the problem: given setup below turns out auth.authenticationprovider() not replacing default daoauthenticationprovider, adds useripauthenticationprovider first authenticationprovider in list.

in case when username/password combination incorrect framework ends calling userdetailsservice.loaduserbyusername() twice, once useripauthenticationprovider, time internal daoauthenticationprovider throws final badcredentialsexception().

the question: there setting can set in spring boot spring security not add it's own internal instance daoauthenticationprovider, use useripauthenticationprovider, has necessary functionality (perhaps somehow replacing authenticationmanagerbuilder able override userdetailsservice() method?).

public <t extends userdetailsservice> daoauthenticationconfigurer<authenticationmanagerbuilder,t> userdetailsservice(         t userdetailsservice) throws exception {     this.defaultuserdetailsservice = userdetailsservice;     return apply(new daoauthenticationconfigurer<authenticationmanagerbuilder,t>(userdetailsservice)); }

configuration: in understanding, userdetailsservice supposed provide necessary details user authenticationprovider can make decision whether authentication successful or not.

since necessary information loaded database, seems natural extend daoauthenticationprovider , add additional verification in overriden additionalauthenticationchecks() method (white-listed ip list in database, loaded part of user object in ipawareuser).

@named @component class useripauthenticationprovider  extends daoauthenticationprovider {     @inject     public useripauthenticationprovider(userdetailsservice userdetailsservice)     {         ...     }      @suppresswarnings("deprecation")     protected void additionalauthenticationchecks(userdetails userdetails,                                                   usernamepasswordauthenticationtoken authentication) throws authenticationexception {         super.additionalauthenticationchecks(userdetails, authentication);          webauthenticationdetails details = (webauthenticationdetails) authentication.getdetails();         ipawareuser ipawareuser = (ipawareuser) userdetails;         if (!ipawareuser.isallowedip(details.getremoteaddress()))         {             throw new disabledexception("login restricted ip: " + details.getremoteaddress());         }     } }

this injected securityconfiguration:

@configuration @enableglobalmethodsecurity(prepostenabled = true) @enablewebsecurity public class securityconfiguration extends websecurityconfigureradapter {      @override     protected void configure(httpsecurity http) throws exception {         http.addfilter(authenticationfilter);          http.authorizerequests()                 .antmatchers("/", "/javascript/**", "/css/**").permitall()                 .antmatchers("...").access("...")                 .anyrequest().authenticated()                 .and().formlogin().loginpage("/").permitall()                 .and().logout().invalidatehttpsession(true).deletecookies("jsessionid").permitall()                 .and().csrf().disable()         ;     }      @inject     private userdetailsservice userdetailsservice;      @inject     private useripauthenticationprovider useripauthenticationprovider;       @inject     private jsonusernamepasswordauthenticationfilter authenticationfilter;      @bean     public jsonusernamepasswordauthenticationfilter authenticationfilter() {         return new jsonusernamepasswordauthenticationfilter();     }      @override     protected void configure(authenticationmanagerbuilder auth) throws exception {         auth.authenticationprovider(useripauthenticationprovider);         auth.userdetailsservice(userdetailsservice);     }      @bean     @override     public authenticationmanager authenticationmanagerbean() throws exception {         return super.authenticationmanagerbean();     }      @bean     public authenticationsuccesshandler authenticationsuccesshandler() throws exception {         return new jsonauthenticationsuccesshandler();     }      @bean     public authenticationfailurehandler authenticationfailurehandler() throws exception {         return new jsonauthenticationfailurehandler();     } }

and application configuration:

@configuration @enableautoconfiguration @componentscan(basepackageclasses = {securityconfiguration.class, datacontroller.class, daoservice.class}) public class application extends springbootservletinitializer {      @override     protected springapplicationbuilder configure(springapplicationbuilder application) {         return application;     } }

any guidance on appreciated.


Comments

Post a Comment

Popular posts from this blog

c# - Validate object ID from GET to POST -

i have method allows user access comment have made on site. have post method lets them update comment. my normal solution send entire comment model through, let them update it, update on database when post back. involve sending commentid through in hiddenfor , can manipulated. how can verify commentid sent in get method same i'm getting in post , not able alter comment wish? how can verify commentid sent in method same i'm getting in post? basically have validate following things in post - user logged-in user. authenticated users post comments. commentid in post , should valid commentid , should present in database. userid associated logged-in user should same userid associated comment . comment should contain userid column, can check @ time of update. to make sure update happens comment has been sent in get - hold commentid in session , in post action compare commentid value in session .
Read more

node.js - Custom Model Validator SailsJS -

when using custom model validator checks record within model. return within spread doesn't seem end control flow. //post.js model /** * custom validator **/ types: { isuservalid: function(user_id) { var promise = require('bluebird'); promise.all([ user.findone({id: user_id}) ]) .spread(function(user) { console.log(user); if (user === null || user === undefined) { console.log('failed'); return false; }else{ console.log('passed'); return true; } }); } }, my response standard validation failed response. { "error": "e_validation", "status": 400, "summary": "1 attribute invalid", "model": "post", "invalidattributes": { "owner": [ { "rule": "isuservalid", ...
Read more

php - Find a regex to take part of Email -

i have following emails need extract part from: bestellnummer xxx: 1 von xxx, 1er pack ------------- anfang der nachricht ------------- foo bar baz foo bar baz // <<<<< need text here ------------- ende der nachricht ------------- ------------- anfang der nachricht ------------- foo bar baz foo bar baz ------------- ende der nachricht ------------- there 0 unlimited occurences of ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- and i'm able extract first part regex: $re = "/------------- .*? -------------.?(.*?).?------------- .*? -------------/s"; but, i'm quite new on learning regex, i'm pretty sure there must better regex extract part (foo bar baz foo bar baz) of text between ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- as can in different languages, i'm using .? to match between hyphens. i...
Read more