Hi Joseph,

Thanks so much for your help. I'm having trouble getting this to work. In my case the methods on PreAuthenticationFilter & CustomUserDetailsService are never called.

Here is my code/config:

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Setup Spring Security -->
    <http auto-config="false" entry-point-ref="entryPoint"
          access-denied-page="/unprotected/sso_Error.jsp">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/> <!-- These resources are protected -->
        <custom-filter position="PRE_AUTH_FILTER" ref="preAuthProcessingFilter"/>
    </http>

    <!-- Users get this on auth failure -->
    <beans:bean id="entryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <!-- Authorization filter does user authorization -->
    <beans:bean id="preAuthProcessingFilter"
        class="com.qsd.callcenterquestionnaire.server.security.auth.PreAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="preAuthAuthProvider"/>
    </authentication-manager>

    <!-- Custom preAuthAuthProvider -->
    <beans:bean id="preAuthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean id="preAuthenticationUserDetailsService"
                class="com.qsd.callcenterquestionnaire.server.security.auth.CustomUserDetailsService"/>
        </beans:property>
    </beans:bean>

    <global-method-security secured-annotations="enabled"/>
</beans:beans>

// CustomUserDetailsService.java
import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class CustomUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    public CustomUserDetailsService() {
    }

    // Builds the UserDetails for the principal supplied by the pre-auth filter.
    @Override
    public UserDetails loadUserDetails(final PreAuthenticatedAuthenticationToken username)
            throws UsernameNotFoundException {
        return new UserDetails() {
            // Every pre-authenticated user gets ROLE_USER.
            @Override
            public Collection<? extends GrantedAuthority> getAuthorities() {
                final ArrayList<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
                grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_USER"));
                return grantedAuthorities;
            }

            @Override
            public String getPassword() {
                return (String) username.getCredentials();
            }

            @Override
            public String getUsername() {
                return (String) username.getPrincipal();
            }

            @Override
            public boolean isAccountNonExpired() {
                return true;
            }

            @Override
            public boolean isAccountNonLocked() {
                return true;
            }

            @Override
            public boolean isCredentialsNonExpired() {
                return true;
            }

            @Override
            public boolean isEnabled() {
                return true;
            }
        };
    }
}

// PreAuthenticationFilter.java
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

public class PreAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {

    public PreAuthenticationFilter() {
    }

    // Hard-coded principal and credentials.
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        return "dave";
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "password";
    }
}

I assume then that RPC methods are secured via @Secured({"ROLE_USER","ROLE_ADMIN"})? Also, I assume these have to be Spring-managed beans. I've not used Spring with GWT before; how do you tell GWT to use Spring to create these services?

Any help is greatly appreciated.

Thanks,
-Dave

On Jun 16, 12:18 pm, Joseph Lust <lifeofl...@gmail.com> wrote:
> Dave,
>
> Since it is an enterprise application, authentication is handled by an SSO
> service which hands off to our application, so there is no "remember me"
> functionality. The less work your application has to do the better, just
> like using Gmail/fb auth on a website.
>
> Here is the redacted and commented Spring Security config:
>
> Note that this is just a standard Spring Security config, but that the
> custom preauthorization filter is where the magic happens. That is where
> you'd do the lookup of your users to get entitlements and then store those
> in their session. These are what the Spring Method level security will
> check against. Check out the famously verbose Spring Documentation on
> this <http://static.springsource.org/spring-security/site/docs/3.0.x/refere...>.
> Basically you just extend some of their interfaces and classes per the
> instructions and you should be off to the races.
>
> Sincerely,
> Joseph
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans:beans xmlns="http://www.springframework.org/schema/security"
>     xmlns:beans="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:p="http://www.springframework.org/schema/p"
>     xsi:schemaLocation=
>         "http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>         http://www.springframework.org/schema/security
>         http://www.springframework.org/schema/security/spring-security-3.0.xsd">
>
>     <!-- Setup Spring Security -->
>     <http auto-config="false" entry-point-ref="entryPoint"
>           access-denied-page="/unprotected/sso_Error.jsp">
>         <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/> <!-- These resources are protected -->
>         <custom-filter position="PRE_AUTH_FILTER" ref="preAuthProcessingFilter"/>
>     </http>
>
>     <!-- Users get this on auth failure -->
>     <beans:bean id="entryPoint"
>         class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
>
>     <!-- Authorization filter does user authorization -->
>     <beans:bean id="preAuthProcessingFilter"
>         class="com.foo.custom.PreAuthenticationFilter">
>         <beans:property name="authenticationManager" ref="authenticationManager"/>
>     </beans:bean>
>
>     <authentication-manager alias="authenticationManager">
>         <authentication-provider ref="preAuthAuthProvider"/>
>     </authentication-manager>
>
>     <!-- Custom preAuthAuthProvider -->
>     <beans:bean id="preAuthAuthProvider"
>         class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
>         <beans:property name="preAuthenticatedUserDetailsService">
>             <beans:bean id="preAuthenticationUserDetailsService"
>                 class="com.foo.custom.UserDetailsService" />
>         </beans:property>
>     </beans:bean>
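
An added example, not part of the original thread and not Dave's or Joseph's code: the pre-authentication flow described in the quoted message, with a filter that takes the user from a request header set by the SSO layer, a user-details service that loads entitlements, and a method guarded by @Secured. The header name X-SSO-User, the entitlement map and the class names are hypothetical.

```java
// Added illustration. The header name and the entitlement map are hypothetical
// stand-ins for the SSO gateway and the real user store.
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.preauth.*;

class SsoHeaderPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    // Hypothetical header; the SSO proxy must strip any client-supplied copy.
    static final String SSO_USER_HEADER = "X-SSO-User";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String user = request.getHeader(SSO_USER_HEADER);
        // null means "no pre-authenticated user": the filter skips authentication
        // and the Http403ForbiddenEntryPoint answers protected requests.
        return (user == null || user.trim().isEmpty()) ? null : user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the SSO service has already verified the password
    }
}

class EntitlementUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    // Constructed sample data standing in for the real entitlement lookup.
    private static final Map<String, String[]> ENTITLEMENTS = new HashMap<String, String[]>();
    static {
        ENTITLEMENTS.put("dave", new String[] {"ROLE_USER"});
        ENTITLEMENTS.put("joseph", new String[] {"ROLE_USER", "ROLE_ADMIN"});
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        String[] roles = ENTITLEMENTS.get(token.getName());
        if (roles == null) { // known to SSO but not entitled to this application
            throw new UsernameNotFoundException("No entitlements for " + token.getName());
        }
        return new User(token.getName(), "N/A", AuthorityUtils.createAuthorityList(roles));
    }
}

class QuestionnaireAdminService { // hypothetical service, declared as a Spring bean
    @Secured({"ROLE_ADMIN"}) // checked against the authorities loaded above
    public String adminReport() {
        return "admin-only data";
    }
}
```

The @Secured check is only enforced on beans created by the Spring context that declares global-method-security, since the check is applied through a Spring proxy.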