Tuesday, May 15, 2012

Automatic sign in after registration in Spring Security

I have a program that requires user will be automatically signed in after register so they won't be redirected to login page again after registration.

The following codes actually took me quite long time to figure out after read through many internet posts. Eventually I found some codes from stackoverflow.com.
(BTW, I like the name of the site. Perfectly make sense for a programmer.)

    @RequestMapping(value = "login.asp", method = RequestMethod.GET)
    public String doAutoLogin(@RequestParam(value="Email", required=true) String username,
            @RequestParam(value="Password", required=true) String password, HttpServletRequest request) {
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);

        Authentication auth = authenticationManager.authenticate(token);

        // Place the new Authentication object in the security context.

        //this step is import, otherwise the new login is not in session which is required by Spring Security
        request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());

        return "redirect:home.htm";

To register the authentication manager, put this in the same class:

    protected AuthenticationManager authenticationManager;

In the security.xml, you need to set the alias:

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="registerUserDetailsService">
            <password-encoder hash="md5" />
        <authentication-provider user-service-ref="registerUserDetailsService"/> <!-- this provider is used to login user from other system, which has encrypted password. -->

The second auth provider is almost exactly same as the first, except it doesn't require password encoder. I have this provider because we have a link from other system that has encrypted password, so I cannot have it encrypt again here. Otherwise, the password will be encrypted twice so that use cannot login from that link.
Spring will go through all those providers to validate username and password. As long as one of them passes, user will be able to sign in