Spring Security Integration

Setup

Declare bbq-spring-security-integration as a dependency of your project:

<dependency>
    <groupId>org.bbqjs</groupId>
    <artifactId>bbq-spring-security-integration</artifactId>
    <version>${bbq.version}</version>
</dependency>

Authentication

bbq includes support for authenticating via a JSON request instead of the normal HTTP form submission.

Spring Security's UsernamePasswordAuthenticationFilter reads the principal and credential with ServletRequest#getParameter, which only sees form-encoded and query-string parameters, not a JSON body. If you use the JsonHttpRequestFilter class to wrap incoming JSON requests in a JsonHttpServletRequest, the values in the JSON body become available through ServletRequest#getParameter, so the standard filter can extract the principal and password from the request unchanged.

Assuming that your authentication filter processes the URL /authenticate, declare the following in your web.xml (map the wrapper to that URL only, so the rest of the application keeps the unwrapped request):

<!-- Filter that wraps HttpServletRequest objects so we can use ServletRequest#getParameter -->
<filter>
    <filter-name>httpServletRequestWrapper</filter-name>
    <filter-class>org.bbqjs.spring.servlet.JsonHttpRequestFilter</filter-class>
</filter>

<!-- Mapped only to the authentication URL: Spring Security is the only consumer that needs getParameter; elsewhere Jackson deserializes the JSON body directly -->
<filter-mapping>
    <filter-name>httpServletRequestWrapper</filter-name>
    <url-pattern>/authenticate</url-pattern>
</filter-mapping>

You can then use the Spring UsernamePasswordAuthenticationFilter as normal; the usernameParameter and passwordParameter values must match the keys your client puts in the JSON body:

<!-- Tries to extract log in information from an incoming request -->
<bean id="usernamePasswordAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="filterProcessesUrl" value="/authenticate"/>
    <property name="usernameParameter" value="principal"/>
    <property name="passwordParameter" value="credential"/>
    ... more configuration here ...
</bean>

Submitting an authentication request to Spring Security is then a case of:

new bbq.ajax.JSONRequest({
    url: "/authenticate",
    // Keys must match usernameParameter/passwordParameter on the Spring filter
    args: {
        principal: "username",
        credential: "password"
    },
    onSuccess: function() {
        // log in succeeded, do something
    },
    onFailure: function() {
        // log in failed, do something
    }
});
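To make concrete what the wrapper in this flow has to do, here is an added, illustrative filter; it is not bbq's JsonHttpRequestFilter or JsonHttpServletRequest. It reads a JSON object body once and exposes its top-level scalar members through the getParameter family, so the client call above and the usernameParameter/passwordParameter settings line up. The class names, the 8 KB body limit and the Servlet 3.0 and Jackson 2 dependencies are assumptions of this example.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Illustrative JSON-to-parameter wrapper filter (NOT bbq's JsonHttpRequestFilter).
 * A JSON POST body such as {"principal":"alice","credential":"..."} is parsed once and
 * its top-level scalar members are exposed through ServletRequest#getParameter, which
 * is all UsernamePasswordAuthenticationFilter needs.
 */
public class JsonParameterFilter implements Filter {

    // Assumed limit: a login payload is a few hundred bytes; refuse to buffer anything larger.
    private static final int MAX_BODY_BYTES = 8 * 1024;

    private final ObjectMapper mapper = new ObjectMapper();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        String contentType = http.getContentType();
        boolean isJson = contentType != null && contentType.toLowerCase().startsWith("application/json");
        // Only JSON POSTs are wrapped; form posts and GETs keep their normal parameter semantics.
        if (!"POST".equalsIgnoreCase(http.getMethod()) || !isJson) {
            chain.doFilter(request, response);
            return;
        }
        if (http.getContentLength() > MAX_BODY_BYTES) {
            httpResponse.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        HttpServletRequest wrapped;
        try {
            wrapped = new JsonParameterRequest(http, mapper);
        } catch (JsonProcessingException e) {
            // Malformed JSON is a client error; do not echo the parser message to the caller.
            httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The body stream is consumed at this point, which is acceptable only because this
        // filter is mapped solely to the authentication URL (see the web.xml above).
        chain.doFilter(wrapped, response);
    }

    static final class JsonParameterRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> jsonParams = new LinkedHashMap<String, String[]>();

        JsonParameterRequest(HttpServletRequest request, ObjectMapper mapper) throws IOException {
            super(request);
            JsonNode root = mapper.readTree(request.getInputStream());
            // Accept only a flat object of scalars. Nested objects and arrays are dropped rather
            // than stringified, so structured data cannot end up in a field that Spring Security
            // will treat as a plain username or password string.
            if (root != null && root.isObject()) {
                for (Iterator<Map.Entry<String, JsonNode>> it = root.fields(); it.hasNext();) {
                    Map.Entry<String, JsonNode> field = it.next();
                    if (field.getValue().isValueNode()) {
                        jsonParams.put(field.getKey(), new String[] { field.getValue().asText() });
                    }
                }
            }
        }

        @Override
        public String getParameter(String name) {
            String[] values = jsonParams.get(name);
            return values != null ? values[0] : super.getParameter(name);
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = jsonParams.get(name);
            return values != null ? values.clone() : super.getParameterValues(name);
        }

        @Override
        public Enumeration<String> getParameterNames() {
            Set<String> names = new LinkedHashSet<String>(jsonParams.keySet());
            names.addAll(Collections.list(super.getParameterNames()));
            return Collections.enumeration(names);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> merged = new LinkedHashMap<String, String[]>(super.getParameterMap());
            merged.putAll(jsonParams);
            return Collections.unmodifiableMap(merged);
        }
    }
}
```

Declared in web.xml exactly like the wrapper above and mapped to /authenticate only, this runs before UsernamePasswordAuthenticationFilter and consumes the request body; that is why it must not be mapped to URLs where Jackson later needs the raw stream. The method and content-type checks leave ordinary form logins and GET requests untouched, and the size limit and flat-object rule keep an untrusted body from doing more than supplying two short strings.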

Handlers

Two strategies for handling authentication/access events are supplied: status codes and headers. Both exist because the default Spring Security handlers respond with redirects (to the login page, or to the originally requested URL), which an AJAX client cannot interpret.

Headers

Header based handlers send an X-BBQ-ResponseType header whose integer value corresponds to the event in question. All header names and values are configurable. See HeaderBasedAccessDeniedHandler, HeaderBasedAuthenticationFailureHandler and HeaderBasedAuthenticationSuccessHandler for more information.

Status codes

Status code based handlers send an HTTP status code in response to the authentication event. See StatusCodeBasedAccessDeniedHandler, StatusCodeBasedAuthenticationFailureHandler and StatusCodeBasedAuthenticationSuccessHandler for more information.
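As an added illustration of what the two strategies look like in code (these are not bbq's HeaderBased* or StatusCodeBased* classes, and the header name, event codes and status codes below are assumptions for the example), the following handlers implement the standard Spring Security callback interfaces and answer with a status code plus a response-type header instead of the redirects the default handlers perform:

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Illustrative AJAX-friendly handlers (NOT bbq's HeaderBased* / StatusCodeBased* classes).
 * Each one combines the two strategies: an HTTP status the client can branch on, and a
 * response-type header carrying an integer event code. No redirect is ever issued.
 */
public class AjaxAuthenticationHandlers {

    // Assumed header name and event codes for this example; bbq's real values are configurable.
    public static final String RESPONSE_TYPE_HEADER = "X-BBQ-ResponseType";
    public static final int AUTHENTICATION_SUCCESS = 1;
    public static final int AUTHENTICATION_FAILURE = 2;
    public static final int ACCESS_DENIED = 3;

    /** Login succeeded: 200 with an empty body, nothing about the Authentication is echoed. */
    public static class Success implements AuthenticationSuccessHandler {
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            respond(response, HttpServletResponse.SC_OK, AUTHENTICATION_SUCCESS);
        }
    }

    /** Login failed: 401. The exception message is deliberately not written to the response. */
    public static class Failure implements AuthenticationFailureHandler {
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException {
            respond(response, HttpServletResponse.SC_UNAUTHORIZED, AUTHENTICATION_FAILURE);
        }
    }

    /** Authenticated principal lacks the required authority: 403. */
    public static class Denied implements AccessDeniedHandler {
        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException exception) throws IOException, ServletException {
            respond(response, HttpServletResponse.SC_FORBIDDEN, ACCESS_DENIED);
        }
    }

    private static void respond(HttpServletResponse response, int status, int eventCode)
            throws IOException {
        // If something upstream already committed the response, the status can no longer change.
        if (response.isCommitted()) {
            return;
        }
        response.setStatus(status);
        response.setHeader(RESPONSE_TYPE_HEADER, Integer.toString(eventCode));
        response.setContentLength(0);
        response.flushBuffer();
    }
}
```

Success and Failure are wired through the authenticationSuccessHandler and authenticationFailureHandler properties of the UsernamePasswordAuthenticationFilter bean shown earlier; Denied goes on the ExceptionTranslationFilter (accessDeniedHandler property, or access-denied-handler in the namespace configuration). One caveat applies to any AJAX application using this pattern: an anonymous request to a protected URL is routed by Spring Security to the AuthenticationEntryPoint, not to the AccessDeniedHandler, so pair these handlers with an entry point that does not redirect either (Spring Security ships Http403ForbiddenEntryPoint for exactly this case).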