spring security using kerberos/spnego authentication

java1977 picture java1977 · Jul 18, 2013 · Viewed 10.2k times · Source

I have got spring security using kerberos authentication successfully working. But it seems the spring framework is invoking KerberosServiceAuthenticationProvider.userDetailsService to get the roles, I would have thought that it gets the roles only once until the session is invalidated. My config looks like

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/util
       http://www.springframework.org/schema/util/spring-util-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http entry-point-ref="spnegoEntryPoint" auto-config="false">
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
     <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

     <custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
        <form-login login-page="/login.html" default-target-url="/" always-use-default-target="true"/>
   </http>

   <authentication-manager alias="authenticationManager">
      <authentication-provider ref="kerberosServiceAuthenticationProvider" />
      <authentication-provider ref="kerberosAuthenticationProvider"/>
   </authentication-manager>

    <beans:bean id="spnegoEntryPoint"
  class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

 <beans:bean id="spnegoAuthenticationProcessingFilter"
  class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
        <beans:property name="failureHandler">
   <beans:bean class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login.html" />
                <beans:property name="allowSessionCreation" value="true"/>
   </beans:bean>
  </beans:property>
  <beans:property name="authenticationManager" ref="authenticationManager" />
 </beans:bean>

    <beans:bean id="kerberosServiceAuthenticationProvider"
  class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
  <beans:property name="ticketValidator">
   <beans:bean
    class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
    <beans:property name="servicePrincipal" value="HTTP/mywebserver.corpza.corp.co.za"/>
    <beans:property name="keyTabLocation" value="classpath:mywebserver.keytab" />
    <beans:property name="debug" value="true"/>
   </beans:bean>
  </beans:property>
  <beans:property name="userDetailsService" ref="dummyUserDetailsService" />
 </beans:bean>

    <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
  <beans:property name="kerberosClient">
   <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
    <beans:property name="debug" value="true" />
   </beans:bean>
  </beans:property>
  <beans:property name="userDetailsService" ref="dummyUserDetailsService" />
 </beans:bean>

    <beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
  <beans:property name="debug" value="true" />
  <beans:property name="krbConfLocation" value="/etc/krb5.conf" />
 </beans:bean>

    <beans:bean id="dummyUserDetailsService" class="main.server.DummyUserDetailsService"/>

  </beans:beans>

so my DummyUserDetailsService.loadUserByUsername(Styring username) is invoked each time a secure page is requested, I am loading the user roles from database and don't want to run the query each time a request is made, is there any configuration I need to do to prevent this?

Answer

java1977 picture java1977 · Jul 22, 2013

thanks Michael, I got it working by extending SpnegoAuthenticationProcessingFilter class and overriding doFilter

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) 
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (skipIfAlreadyAuthenticated) {
            Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
            if (existingAuth != null && existingAuth.isAuthenticated()
                    && (existingAuth instanceof AnonymousAuthenticationToken) == false) {
                chain.doFilter(request, response);
                return;
            }
        }       
        super.doFilter(req, res, chain);
    }