Spring Security - Pre-Authentication

Spring Security pre-authentication covers the scenario where the user has already been authenticated before the request reaches the application. For example, a valid user is logged in to the ABC application, and inside ABC there are XYZ services that require user authentication; users who reach the XYZ services through ABC should not have to authenticate again, and only need to be pre-authenticated from their earlier login details.
This is where Spring Security pre-authentication does the work for us. For more details on the methods and classes, please refer to the Spring docs link.
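Let's go straight to a simple example that authenticates the user based on a request parameter. All services and pages are filtered through the security chain, and only valid users such as "admin", "dba" and "user" can access them. Note that in this demo the request parameter is the only proof of identity. Pre-authentication is only as trustworthy as the component that supplies the identity, so in a real deployment the value must come from something the client cannot set itself (for example a header added by an authenticating gateway that also strips any client-supplied copy), not from a URL parameter chosen by the caller.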


 <name>Spring Security By URL</name>
 <!-- Annotation are configuring the application -->
 <mvc:annotation-driven />

 <!-- Scan this package for all config annotations -->
 <context:component-scan base-package="com.app.controller" />

 <!-- Security chain applied to every request. create-session="never" tells Spring Security not to
      create an HttpSession itself (an existing session is still used), so the pre-auth filter has
      to establish the identity on requests that arrive without one. -->
 <security:http create-session="never" use-expressions="true"
  auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
  <!-- The access-denied page and its mapping stay public so the entry point's redirect to
       /accessdenied.do can be served to unauthenticated callers. -->
  <security:intercept-url pattern="/jsp/access-denied.jsp"
   access="permitAll()" />
  <security:intercept-url pattern="/accessdenied.do"
   access="permitAll()" />
  <!-- Everything else requires ROLE_USER. Every role set built by UserDetailsServiceImpl contains
       ROLE_USER, so this rule only separates recognised names from unrecognised ones; it does not
       distinguish admin, dba and user. -->
  <security:intercept-url pattern="/**"
   access="hasRole('ROLE_USER')" />
  <!-- Installs the custom filter in the pre-authentication slot of the chain. The filter reads the
       identity from a URL parameter, which the client controls; see the filter class. -->
  <security:custom-filter position="PRE_AUTH_FILTER"
   ref="preAuthFilter" />
  <!-- NOTE(review): the opening of this element is missing from the listing (presumably
       <security:session-management>). The value "none" turns off Spring Security's session
       fixation handling, so an existing session id is kept unchanged when a user is
       authenticated. Confirm this is intended before reusing the configuration. -->
   session-fixation-protection="none" />

 <bean id="preAuthFilter" class="com.app.filter.UrlParametersAuthenticationFilter">
  <property name="authenticationManager" ref="appControlAuthenticationManager" />

 <bean id="preAuthenticationProvider"
  <property name="preAuthenticatedUserDetailsService" ref="UserDetailsServiceImpl" />

 <security:authentication-manager alias="appControlAuthenticationManager">
   ref="preAuthenticationProvider" />

 <bean id="UserDetailsServiceImpl" class="com.app.security.UserDetailsServiceImpl" />

 <bean id="preAuthenticatedProcessingFilterEntryPoint" class="com.app.security.AuthenticationEntryPointDenied" />

 <display-name>Spring Security By URL</display-name>











  <title>Invalid user</title>
  <h1>Oops, Access denied....</h1> 


package com.app.filter;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

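/**
 * Pre-authentication filter for the demo: it reads the caller's identity from the request's URL
 * parameters instead of from a value set by an upstream authentication system.
 *
 * <p>Security note: both methods read values the client controls. Nothing in this class proves
 * that the request passed through a system that actually authenticated the user, so it is suitable
 * only as an illustration of the filter API. A deployable filter would take the identity from a
 * source the client cannot set, such as a container-authenticated principal or a header that a
 * trusted gateway sets after stripping any client-supplied copy. Values carried in the query
 * string also end up in access logs, browser history and Referer headers.
 */
public class UrlParametersAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {

 /**
  * Reports whether the request carries exactly one parameter.
  *
  * @param request the current request
  * @return {@code Boolean.TRUE} when the parameter map has exactly one entry, otherwise
  *         {@code Boolean.FALSE}; never {@code null}. A non-null principal is what makes the base
  *         filter hand the request to the authentication manager, so that happens for every
  *         request this filter processes. {@code UserDetailsServiceImpl.loadUserDetails} parses
  *         this value back into a boolean.
  */
 @Override
 protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
  // Checking for no. of URL params
  return request.getParameterMap().size() == 1;
 }

 /**
  * Returns the value of the {@code param1} request parameter wrapped in a one-element array.
  *
  * @param request the current request
  * @return a {@code String[]} of length 1; the element is {@code null} when {@code param1} is
  *         absent. The value is client-supplied and is not verified here.
  */
 @Override
 protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
  // Getting authentication credentials
  String[] credentials = new String[1];
  credentials[0] = request.getParameter("param1");
  return credentials;
 }
}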



package com.app.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

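/**
 * Entry point used when a request reaches a protected URL without a valid authentication:
 * instead of prompting for a login it redirects the caller to the access-denied mapping.
 */
public class AuthenticationEntryPointDenied implements AuthenticationEntryPoint {

 /**
  * Redirects the caller to {@code /accessdenied.do}.
  *
  * @param request the request that failed authentication
  * @param response the response used to send the redirect
  * @param authException the failure that triggered this entry point (not inspected here)
  * @throws IOException if the redirect cannot be written
  * @throws ServletException declared by the interface; not thrown by this implementation itself
  */
 @Override
 public void commence(HttpServletRequest request,
   HttpServletResponse response, AuthenticationException authException)
   throws IOException, ServletException {
  // Redirecting service to access denied page for invalid users.
  // The target is a fixed path, so nothing from the request influences where the caller is sent.
  RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
  redirectStrategy.sendRedirect(request, response, "/accessdenied.do");
 }
}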



package com.app.security;

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

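/**
 * Maps the name carried in a pre-authenticated token to one of three fixed role sets.
 *
 * <p>Security note: in this example the name originates from the {@code param1} request parameter
 * read by {@code UrlParametersAuthenticationFilter}, and it is not checked against any credential
 * or user store. Whoever can set that parameter therefore selects the role set. In a real
 * pre-authenticated setup this class should only resolve roles for an identity asserted by a
 * trusted upstream component.
 */
public class UserDetailsServiceImpl implements AuthenticationUserDetailsService {

 /**
  * Builds the user for the name held in the token's credentials.
  *
  * @param token pre-authenticated token; its credentials are expected to be a {@code String[]}
  *        whose first element is the name, and its principal a boolean flag in string form
  * @return the user with the role set that matches the name ("admin", "dba" or "user",
  *         compared case-insensitively)
  * @throws UsernameNotFoundException if the flag is not {@code true}, no name was supplied, or the
  *         name is not one of the three known names
  */
 @Override
 public UserDetails loadUserDetails(Authentication token)
   throws UsernameNotFoundException {
  String[] credentials = (String[]) token.getCredentials();
  // String.valueOf turns a null principal into "null", which parses as false instead of failing.
  boolean principal = Boolean.parseBoolean(String.valueOf(token.getPrincipal()));

  // A missing or empty credentials array is treated as "no name supplied". The original built
  // its error message from credentials[0] even when credentials was null.
  String name = (credentials != null && credentials.length > 0) ? credentials[0] : null;

  UserDetails userDetails = null;
  if (name != null && principal) {
   // Setting user authorities
   if ("admin".equalsIgnoreCase(name)) {
    userDetails = getAdminUser(name);
   } else if ("dba".equalsIgnoreCase(name)) {
    userDetails = getDBAUser(name);
   } else if ("user".equalsIgnoreCase(name)) {
    userDetails = getUserUser(name);
   }
  }

  if (userDetails == null) {
   throw new UsernameNotFoundException("Invalid user - " + name);
  }
  return userDetails;
 }

 /** Builds a user holding ROLE_USER, ROLE_DBA and ROLE_ADMIN. */
 private UserDetails getAdminUser(String username) {
  return buildUser(username, "ROLE_USER", "ROLE_DBA", "ROLE_ADMIN");
 }

 /** Builds a user holding ROLE_USER and ROLE_DBA. */
 private UserDetails getDBAUser(String username) {
  return buildUser(username, "ROLE_USER", "ROLE_DBA");
 }

 /** Builds a user holding only ROLE_USER. */
 private UserDetails getUserUser(String username) {
  return buildUser(username, "ROLE_USER");
 }

 /** Creates an enabled, unlocked, non-expired user with the given roles. */
 private UserDetails buildUser(String username, String... roles) {
  Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
  for (String role : roles) {
   // GrantedAuthorityImpl is kept because the file imports it; later Spring Security versions
   // replace it with SimpleGrantedAuthority.
   grantedAuthorities.add(new GrantedAuthorityImpl(role));
  }
  // "notused" only fills the password slot; no password is ever compared in this flow.
  // NOTE(review): the listing cuts off the last constructor argument; the authority collection
  // built above is assumed to be what was passed.
  return new User(username, "notused", true, true, true, true, grantedAuthorities);
 }
}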


package com.app.model;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;

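/**
 * Plain data holder for one employee returned by the demo service.
 *
 * <p>NOTE(review): the file imports JAXB annotations, but none appear on the class in this
 * listing; they were presumably lost and should be confirmed against the original project.
 */
public class Employee {
 private String firstName;
 private String lastName;
 private String role;

 /** @return the first name, or {@code null} if none was set */
 public String getFirstName() {
  return firstName;
 }

 /** @param firstName the first name to store */
 public void setFirstName(String firstName) {
  this.firstName = firstName;
 }

 /** @return the last name, or {@code null} if none was set */
 public String getLastName() {
  return lastName;
 }

 /** @param lastName the last name to store */
 public void setLastName(String lastName) {
  this.lastName = lastName;
 }

 /** @return the role label, or {@code null} if none was set */
 public String getRole() {
  return role;
 }

 /** @param role the role label to store */
 public void setRole(String role) {
  this.role = role;
 }
}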


package com.app.model;

import java.util.Collection;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;

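/**
 * Wrapper around the collection of employees returned by the demo service.
 *
 * <p>The accessors are named {@code getUsers}/{@code setUsers} although the field is called
 * {@code employees}; the names are kept because other classes call them.
 */
public class Employees {
 private Collection<Employee> employees;

 /** @return the stored collection itself (not a copy), or {@code null} if none was set */
 public Collection<Employee> getUsers() {
  return employees;
 }

 /** @param employees the collection to store; it is kept by reference */
 public void setUsers(Collection<Employee> employees) {
  this.employees = employees;
 }
}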


package com.app.controller;

import java.util.ArrayList;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

import com.app.model.Employee;
import com.app.model.Employees;

// NOTE(review): the class-level annotations (the file imports Controller and RequestMapping) and
// the opening brace of the class are missing from this listing.
public class DemoController 
 // Handles GET requests whose Accept header is application/xml; the returned Employees object
 // is written to the response body.
 @RequestMapping(method = RequestMethod.GET,  headers="Accept=application/xml")
 public @ResponseBody Employees getEmployees() 
  // Role label derived from the authorities of the current authentication (see getUserRole).
  String userRole = getUserRole();
  // Writes the resolved role to standard output on every request.
  System.out.println("User Role : "+userRole);
  Employee emp1 = new Employee();
  Employee emp2 = new Employee();
  // NOTE(review): the first `if` branch and the statements that fill emp1/emp2 for each role are
  // missing from this listing; only the "dba" and "user" branch headers survive.
  }else if(userRole.equals("dba")){
  }else if(userRole.equals("user")){
  // As listed, the response wraps a new empty list; adding emp1/emp2 to it is not shown.
  Employees emps = new Employees();
  emps.setUsers(new ArrayList<Employee>());
  return emps;
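 /**
  * Resolves the role label of the current caller from the security context.
  *
  * <p>The most privileged matching authority wins (ROLE_ADMIN, then ROLE_DBA, then ROLE_USER),
  * so the result does not depend on the order in which the authorities are iterated. The
  * listing's three independent checks would let the last matching authority overwrite the
  * earlier ones.
  *
  * @return "admin", "dba" or "user"; an empty string when there is no authentication or none
  *         of the three authorities is present
  */
 private String getUserRole(){
  Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
  if (authentication == null) {
   // No authentication in the context: report no role instead of failing.
   return "";
  }
  boolean dba = false;
  boolean user = false;
  for (GrantedAuthority auth : authentication.getAuthorities()) {
   String authority = auth.getAuthority();
   if ("ROLE_ADMIN".equals(authority)) {
    return "admin";
   }
   if ("ROLE_DBA".equals(authority)) {
    dba = true;
   } else if ("ROLE_USER".equals(authority)) {
    user = true;
   }
  }
  if (dba) {
   return "dba";
  }
  return user ? "user" : "";
 }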


URL : http://localhost:8080/springsecuritybyurl/employees?param1=bill

Invalid User

URL : http://localhost:8080/springsecuritybyurl/employees?param1=admin


Java ExecutorService

We have seen the Java Timer class in our earlier tutorial. ExecutorService is a better option than Timer because it can be configured with any number of threads, whereas Timer has only one execution thread.
Another important point about ExecutorService: if a run-time exception occurs inside a task, only that task is canceled and the other scheduled tasks continue to run. With Timer, the exception kills the timer thread and the following scheduled tasks won't run any further.
Let's see simple examples of how to run a repeated task at a specified interval using ExecutorService.
Java ExecutorService

Single Threaded:

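public class JavaExecutorService {

 /**
  * Prints the worker thread's name and a random number below 1000 once per second, starting
  * one second after launch, on a single-threaded scheduled executor.
  *
  * <p>The executor is never shut down, so the program keeps running until it is stopped from
  * outside.
  */
 public static void main(String[] args) throws InterruptedException {
  TimerTask repeatedTask = new TimerTask() {
   @Override
   public void run() {
    // If this method throws, the executor suppresses all later runs of this task; the worker
    // thread itself stays available for other tasks.
    System.out.println("OUTPUT : " + Thread.currentThread().getName()  + " : Random Number : "+new Random().nextInt(1000));
   }
  };
  ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
  long delay  = 1000L;
  long period = 1000L;
  executor.scheduleAtFixedRate(repeatedTask, delay, period, TimeUnit.MILLISECONDS);
 }
}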


OUTPUT : pool-1-thread-1 : Random Number : 608
OUTPUT : pool-1-thread-1 : Random Number : 62
OUTPUT : pool-1-thread-1 : Random Number : 161
OUTPUT : pool-1-thread-1 : Random Number : 141
OUTPUT : pool-1-thread-1 : Random Number : 954
OUTPUT : pool-1-thread-1 : Random Number : 565
OUTPUT : pool-1-thread-1 : Random Number : 839

By Setting Thread-pool Size:

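public class JavaExecutorService {

 /**
  * Prints the worker thread's name and a random number below 1000 once per second, starting
  * one second after launch, on a scheduled executor with five threads.
  *
  * <p>Successive runs may be picked up by different pool threads, which is why the thread name
  * in the output varies. The executor is never shut down, so the program keeps running until it
  * is stopped from outside.
  */
 public static void main(String[] args) throws InterruptedException {
  TimerTask repeatedTask = new TimerTask() {
   @Override
   public void run() {
    // If this method throws, the executor suppresses all later runs of this task; the pool
    // threads stay available for other tasks.
    System.out.println("OUTPUT : " + Thread.currentThread().getName()  + " : Random Number : "+new Random().nextInt(1000));
   }
  };

  //Setting threadpool size to 5
  ScheduledExecutorService executor = Executors.newScheduledThreadPool(5);
  long delay  = 1000L;
  long period = 1000L;
  executor.scheduleAtFixedRate(repeatedTask, delay, period, TimeUnit.MILLISECONDS);
 }
}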


OUTPUT : pool-1-thread-1 : Random Number : 562
OUTPUT : pool-1-thread-1 : Random Number : 207
OUTPUT : pool-1-thread-2 : Random Number : 912
OUTPUT : pool-1-thread-1 : Random Number : 165
OUTPUT : pool-1-thread-3 : Random Number : 676
OUTPUT : pool-1-thread-2 : Random Number : 956
OUTPUT : pool-1-thread-2 : Random Number : 987
OUTPUT : pool-1-thread-2 : Random Number : 866
OUTPUT : pool-1-thread-2 : Random Number : 331
OUTPUT : pool-1-thread-3 : Random Number : 183
OUTPUT : pool-1-thread-3 : Random Number : 669
OUTPUT : pool-1-thread-3 : Random Number : 617
OUTPUT : pool-1-thread-3 : Random Number : 719
OUTPUT : pool-1-thread-3 : Random Number : 757
OUTPUT : pool-1-thread-3 : Random Number : 728
OUTPUT : pool-1-thread-3 : Random Number : 77
OUTPUT : pool-1-thread-5 : Random Number : 66
OUTPUT : pool-1-thread-2 : Random Number : 64
OUTPUT : pool-1-thread-4 : Random Number : 643

Java Timer

Timer and TimerTask are important java.util classes used to schedule tasks in a background thread. In other words, TimerTask is the task performer and Timer is the scheduler that sets the time at which the task runs. With these classes we can schedule a task to run once at a specified time, or set up a repeated task at an interval. Let's see a simple Java example for both: scheduling a task once and repeating a task at an interval.
Java Timer

Scheduling Task Once:

import java.util.Random;
import java.util.Timer;
import java.util.TimerTask;

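public class JavaTimer {

 /**
  * Schedules a single task that, 500 ms after start, prints the timer thread's name followed
  * by a random number below 1000.
  */
 public static void main(String[] args) {
  // Created before the task so the task can cancel it; the name doubles as the output prefix.
  final Timer timer = new Timer("Generate Random Number : ");
  TimerTask task = new TimerTask() {
   @Override
   public void run() {
    Random rand = new Random();
    System.out.println(Thread.currentThread().getName() + rand.nextInt(1000));
    // The timer thread is not a daemon thread, so without this the JVM would stay alive
    // after the only task has run.
    timer.cancel();
   }
  };
  long delay = 500L;
  timer.schedule(task, delay);
 }
}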


Generate Random Number : 237

Repeated Task at Interval:

import java.util.Random;
import java.util.Timer;
import java.util.TimerTask;

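public class JavaTimer {

 /**
  * Schedules a task that prints the timer thread's name followed by a random number below 1000,
  * first after 500 ms and then every second.
  *
  * <p>The timer is never cancelled, so the program keeps running until it is stopped from
  * outside. An exception thrown from {@code run()} would end the timer thread and with it all
  * further executions.
  */
 public static void main(String[] args) {
  TimerTask task = new TimerTask() {
   // One generator for all runs instead of a new instance per execution.
   private final Random rand = new Random();

   @Override
   public void run() {
    System.out.println(Thread.currentThread().getName() + rand.nextInt(1000));
   }
  };
  // The timer's name becomes the thread name and therefore the output prefix.
  Timer timer = new Timer("Generate Random Number : ");
  long delay = 500L;
  long period = 1000L;
  timer.scheduleAtFixedRate(task, delay, period);
 }
}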


Generate Random Number : 519
Generate Random Number : 973
Generate Random Number : 859
Generate Random Number : 942
Generate Random Number : 578
Generate Random Number : 764
Generate Random Number : 256
Generate Random Number : 802
Generate Random Number : 926
Generate Random Number : 69
Generate Random Number : 875