Custom authentication filter login without password in Spring Security

As I said in the tutorial about Overview about request processing in Spring Security, the UsernamePasswordAuthenticationFilter class is a filter that will take care of authentication in Spring Security and by default, the user’s username and password information will be used for the authentication process. this. In real projects, you may encounter the requirement that the user is able to log in without using a password but using other information such as a token or something like that … In these cases, we will need to use a custom authentication filter to replace Spring Security’s default logic. How is it in detail? In this tutorial, I will show you how to implement a custom authentication filter in Spring Security for passwordless login!

First, I will create a new Spring Boot project with Spring Security Starter, Spring Web Starter, and Thymeleaf Starter dependencies:

Custom authentication filter login without password in Spring Security

The results are as follows:

Custom authentication filter login without password in Spring Security

As an example for this tutorial, I will implement a feature that allows a user to enter a username and a certain token, hard code, if the correct username and token assigned to that username, then login successfully.


Login form

I will use Thymeleaf with Bootstrap to implement this login form.

First, I will use WebJars to declare the Bootstrap dependency:

The code for the login.html page is located in my src/main/resources/templates folder with Bootstrap as follows:

As you can see, my login form now includes 2 fields, username, and token. By default, the action part of the Spring Security login form will call the “/login” request. I edited this so that it calls another request “/login-token”.

I will create a new ApplicationController class to expose the login page and home page after the user successfully logs in as follows:

The content of the home.html page is as simple as this:

My Spring Security configuration will now look like this:

I have configured Spring Security to use a custom login page instead of its default login page. You can read this tutorial to learn more.

Here, I did not configure the authentication part, so there is only one default user provided by Spring Security which is “user”. The password is displayed in the console log, but here we do not use the password to log in, so you do not need to pay attention.



Custom authentication filter

In Spring Security, the UsernamePasswordAuthenticationFilter class extends from the AbstractAuthenticationProcessingFilter class:

Custom authentication filter login without password in Spring Security

so my custom authentication filter will also extend from the AbstractAuthenticationProcessingFilter class and have the following initial content:

Similar to the UsernamePasswordAuthenticationFilter class, I define a DEFAULT_ANT_PATH_REQUEST_MATCHER with the request URL of “/login-token”, the HTTP method is POST so that my TokenAuthenticationFilter class will handle the login request for all requests matching this information.

Our task is to add code to implement the attemptAuthentication(HttpServletRequest request, HttpServletResponse response) method.

First, I will get the username and token information from the user’s request.

with getUsername() method with the following content:

Then I will validate this information using the validateUsernameAndToken(username, token) method:

Here, first, I will validate whether the username exists in the system or not using the UserDetailsService interface. This is the class that manages the user information of the application. As I said above, I use Spring Security’s default configuration for authentication, so now there is only 1 user in the example, “user”. If the user uses does not exist in the system, we will throw an exception.

For the sake of simplicity, I hard code the associate token with username “user” is “123”, to check the user’s login information. Only username “user” and token “123” will make the user successfully login.

If the user token information entered is not correct, another exception is also thrown.

If the user information entered is correct, we will allow authentication to succeed:

Here, I reuse the UsernamePasswordAuthenticationToken class to build the Authentication object, confirm the login information successfully. We also save the sessionId and logged in IP information of the user using the WebAuthenticationDetailsSource class.

The entire content of the TokenAuthenticationFilter class is as follows:

Now, you can add our new filter to Spring Security to replace its default login filter as follows:

As you can see, I use the addFilterAt() method of the HttpSecurity class to add this custom filter.

In the bean declaration of the TokenAuthenticationFilter class, I also set the default authentication manager of Spring Security. By default, successHandler uses SavedRequestAwareAuthenticationSuccessHandler() class, and failureHandler is SimpleUrlAuthenticationFailureHandler but I need to reset failureUrl so I have to recreate this object to assign failureUrl.

OK, here we are done with the example of this tutorial. You can run the application to check the results.

Mine, if the username is “user” and the token is “123”. The result will be as follows:

Custom authentication filter login without password in Spring Security

If the login information is not correct, the result will be as follows:

Custom authentication filter login without password in Spring Security

Add Comment