@@ -126,5 +126,47 @@ org.springframework.security.AccessDeniedException: Access is denied
</p>
</answer>
</faq>
+ <faq>
+ <question>
+ I've configured the "requires-channel" attribute to use HTTPS for my login page and switch back to HTTP afterwards but I just end up back at
+ the login page after authenticating. I'm using Tomcat. Why doesn't it work?
+ </question>
+ <answer>
+ <p>
+ This happens because Tomcat sessions created under HTTPS cannot subsequently be used under HTTP and any session state is lost (including
+ the security context information). Starting in HTTP first should work.
+ </p>
+ </answer>
+ </faq>
+ <faq>
+ <question>
+ I'm forwarding a request to another URL using the RequestDispatcher, but my security constraints aren't being applied. Why not?
+ </question>
+ <answer>
+ Filters are not applied by default to forwards or includes. If you really want the security filters to be applied to forwards and/or includes,
+ then you have to configure these explicitly in your web.xml using the <dispatcher> element, a child element of <filter-mapping>.
+ </answer>
+ </faq>
</part>
+ <part>
+ <title>Common "How To" Requests</title>
+ <faq>
+ <question>I need to login in with more information than just the username. How do I add support for extra login fields (e.g. a company name)?</question>
+ <answer>
+ <p>This question comes up repeatedly in the Spring Security forum so you will find more information there.</p>
+ <p>
+ The submitted login information is processed by an instance of <i>AuthenticationProcessingFilter</i>. You will need to customize this class to handle
+ the extra data field(s). One option is to use your own customized authentication token class (rather than the standard <i>UsernamePasswordAuthenticatioToken</i>),
+ another is simply to concatenate the extra fields with the username (for example, using a ":" as the separator) and pass them in the username property of
+ <i>UsernamePasswordAuthenticatioToken</i>.
+ </p>
+ <p>
+ You will also need to customize the actual authentication process. If you are using a custom authentication token class, for example, you will have to write an
+ <i>AuthenticationProvider</i> to handle it (or extend the standard <i>DaoAuthenticationProvider</i>).
+ If you have concatenated the fields, you can implement your own <i>UserDetailsService</i> which splits them up and loads the appropriated user data to use
+ for authentication.
+ </p>
+ </answer>
+ </faq>
+ </part>
</faqs>
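Review bot: In the RequestDispatcher answer, `<dispatcher>` and `<filter-mapping>` appear as raw tags inside the FAQ's XML, so a parser will read them as unclosed child elements of `<answer>`; write them as `&lt;dispatcher&gt;` and `&lt;filter-mapping&gt;`, and wrap that answer's text in `<p>` as the other answers in this hunk do. In the extra-login-fields answer, `UsernamePasswordAuthenticatioToken` is misspelled in both places (should be `UsernamePasswordAuthenticationToken`), "login in" should be "log in", and "appropriated" should be "appropriate". The same answer suggests joining the extra fields to the username with ":" but does not say what happens when a username or company name contains the separator; a sentence telling readers to choose a separator that cannot occur in either field, or to reject input that contains it, would avoid ambiguous splits in the custom UserDetailsService.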