Clone wiki

BibSonomy / development / modules / webapp / Spring Security


NOTE: outdated, TODO: please add a documentation for Shibboleth

The following classes are currently involved in user authentication:

  • org.bibsonomy.webapp.controller.actions.UserLoginController
  • org.bibsonomy.webapp.controller.actions.PasswordReminderController
  • org.bibsonomy.webapp.controller.actions.PasswordChangeOnRemindController
  • org.bibsonomy.webapp.controller.actions.ChangePasswordController
  • org.bibsonomy.webapp.util.RequestWrapperContext
  • org.bibsonomy.webapp.controller.actions.DeleteUserController

(all can be found in the webapp module)


spring security

 <bean:beans xmlns=""

    <!-- no filtering for css and js -->
    <intercept-url pattern="/resources/**" filter="none" />
    <!-- api uses own authentication handling -->
    <intercept-url pattern="/api/**" filter="none" />
    <!-- login -->
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- restrict admin pages to admins -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <!-- everything else -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <remember-me key="CURRENT_USER" token-validity-seconds="3600" /> TODO: ?!?

    <http-basic /> TODO
    <logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
    <form-login login-page="/login" />

      <!-- only one session; if logged in user logs in a second time the first session becomes invalid -->
      <concurrency-control max-sessions="1" /> <!-- web.xml add listener HttpSessionEventPublischer TODO: or with error error-if-maximum-exceeded="true" and 
      <session-authentication-error-url />-->

    <authentication-provider user-service-ref="authenticationProvider">
      <password-encoder hash="md5"/>

  <bean:bean id="authenticationProvider" class="">
    <custom-authentication-provider />
    <bean:property name="adminLogic" ref="adminLogic" />


    <!-- so sollte Spring security im bibsonomy2-servlet context laufen -->

Please not the init parameter of the DelegatingFilterProxy which moves the Spring Security context into the webapp context.

Spring Security

Filter Overview

The DelegatingFilterProxy loads/delegates to the FilterChainProxy. This proxy knows which filter are responsible for which path. Currently the following filters are registrated:


Spring Security needs infos about our users (z.B. passwort, salt from the database, …). You can implement own UserDetailsServices. They return UserDetails objects. An adapter for our user model was written.

methods used

internal (database)

implemented a UserDetailsService

responsible filter: UsernamePasswordAuthenticationFilter

Open ID



responsible filter: OpenIDAuthenticationFilter




see openID and

<ldap-authentication-provider server-ref="ldap://localhost:10389/"/>

responsible filter: UsernamePasswordAuthenticationFilter

setup test ldap server

Spring Security provides a simple ldap server for testing (see 1)

add the following to the XML configuration

<security:ldap-server port="33389" ldif="classpath:users.ldif" />

Don't forget to delete the other ldapserver from the config!

add the following dependencies to the pom:

<!-- LDAP test server -->

Add a .ldif file to the classpath with the user data:

Test sample
dn: ou=pica-users,dc=ub,dc=organization,dc=de
objectclass: top
objectclass: organizationalUnit
ou: pica-users

dn: uid=111111111,ou=pica-users,dc=ub,dc=uni-kassel,dc=de
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: John Doe
givenName: John
uid: 111111111
sn: Doe
ou: BB 5
employeeNumber: 999999
employeeType: 30
l: Doe
postalCode: 34121
street:: abcdef
carLicense: 0
preferredLanguage: DE
userPassword: test


TODO: document


TODO: document responsible filter: BasicAuthenticationFilter zuständig.

available methods by Spring Security (and extensions)


OAuth Guide

Version 1: yes

Version 2: yes/no (currently in development)

Spring Security OAuth Projekt


autocreate of users

InitUserFilter creates a new user if he did't exist before. :(

background: some actions in BibSonomy need a corresponding user in the "user" table gibt (z.B. settings, joining groups, etc.)

responsible filter:




Because we do not want to save the complete Security context (containing all user details) in the HTTP session, we wrote a special implementation of the SecurtyContextRepository to only save the user name of the currently loggedin user. Configured as follows:

  <security:http (...) security-context-repository-ref="contextRepository">(...)
   <bean id="contextRepository" class="">
    <property name="service" ref="databaseUserService" />


and the corresponding logout handler

  <bean id="securityContextLogoutHandler" class="" />

Brute Force Attacks

no implementation to prevent brute force attacks in Spring Security

wrote class that extends UsernamePasswordAuthenticationFilter and uses our Teergrube implementation users and ips are added by a special AuthenticationFailureHandler implementieren


RememberMeServices Internal

Spring security provides a RememberMeService for this remember me function: TokenBasedRememberMeServices

This RememberMeService saves the username, expiration date and a signature (configurable key + username + hashed password). If no user is loggedin, this services logs in the user of the cookie.

Open ID


Implemented a special user details service:

Attribute Exchange:

  • mail address
  • nickname
  • language
  • name
  • gender
  • country

RememberMeServices OpenID

This implementation uses a cookie to identify the openid user. If the session expired the user is redirected to the OpenID provider (redirects back to the "normal" OpenID filter).



RememberMeServices LDAP

The rememberme service uses a cookie containing the username and the clear password of the user (else we need admin privileges on the LDAP server). The Cookie is encrypted with a private key algorithm.


TODO: update The following values are configurable:

  • active auth methods (internal, openid, basic, ldap, …) + RememberMe services
  • LDAP
  • Server
  • UserDN
  • Search
  • private key for crypting cookie

sources + tutorials

auto create user

Google App Engine