I'm working on a web application with a high level of privacy. I want to store the username and the encrypted password of each user in a DB table, and I want to store an AnonymousUserName in another table to associate personal details with. The AnonymousUserName should be created by hashing the real username and salting the hash with the plain password, so the administrator has no possibility to find out the AnonymousUserName because the password is just stored encrypted in the DB.
Nevertheless I have to know which AnonymousUserName belongs to the logged-in user. So I want to hash the username and salt the hash with the plain password each time the user logs in and save the generated AnonymousUserName as a session attribute that is deleted again when the user leaves the app.
My authentication-manager configuration looks very simple at the moment:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:repository="http://www.springframework.org/schema/data/repository"
    xsi:schemaLocation="http://www.springframework.org/schema/data/repository http://www.springframework.org/schema/data/repository/spring-repository-1.5.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <http use-expressions="true" auto-config="true">
        <intercept-url pattern="/login" access="permitAll"/>
        <access-denied-handler />
        <form-login login-page="/login" default-target-url="/"/>
        <logout />
    </http>

    <beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <authentication-manager>
        <authentication-provider user-service-ref="jdbcUserService">
            <password-encoder ref="encoder"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="jdbcUserService"
        class="de.tuberlin.livefeedback.dao.SpringSecurityDaoImpl">
        <beans:property name="dataSource" ref="dataSource" />
        <beans:property name="enableGroups" value="true" />
        <beans:property name="enableAuthorities" value="false" />
        <beans:property name="groupAuthoritiesByUsernameQuery">
            <beans:value>SELECT R.idROLE, R.NAME, P.NAME
                FROM ROLE R
                JOIN USER_ROLE RM on R.idROLE = RM.user_role_role
                JOIN USER U on U.idUSER = RM.user_role_user
                JOIN ROLE_PERMISSION RP ON RP.role_permission_role = R.idROLE
                JOIN PERMISSION P ON P.idPERMISSION = RP.role_permission_permission
                WHERE U.login=?
            </beans:value>
        </beans:property>
        <beans:property name="usersByUsernameQuery">
            <beans:value>select login,password,enabled from USER where login = ?
            </beans:value>
        </beans:property>
        <beans:property name="authoritiesByUsernameQuery">
            <beans:value>SELECT U.login, P.name FROM USER U, PERMISSION P WHERE U.login = ? AND P.idPERMISSION IN
                (SELECT role_permission_permission FROM ROLE_PERMISSION WHERE role_permission_role IN
                (SELECT user_role_role FROM USER_ROLE WHERE user_role_user=
                (SELECT idUSER FROM USER WHERE login = ? LIMIT 1)))
            </beans:value>
        </beans:property>
    </beans:bean>
</beans:beans>
My idea was to override the method that handles the HTTP request when the user logs in with his credentials, as the following pseudocode should illustrate:
@Override
void authenticate(String username, String password) {
    String anonymousUserName = hash(username, password);
    httpSession.setAttribute("anonymousUserName", anonymousUserName);
    super.authenticate(username, password); // to do the authentication stuff
}
Because I have no idea if there is any method that I could override this way, or where it could be found, I'm writing this question.
So, is there any possibility to do what I want in a similar way?
Thanking you in anticipation.
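One way to do this in Spring Security 3.1 without touching the login filter, as an added example that is not the asker's code: an authentication success handler derives the AnonymousUserName once per login from the username and the plain password still present in the login POST, and puts it in the session. It assumes the 3.1 default form parameter name j_password, a Java 8+ JDK for PBKDF2WithHmacSHA256, and the class and session attribute names are made up.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/** Hypothetical handler: derives the AnonymousUserName after a successful form login. */
public class AnonymousNameSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    public static final String SESSION_KEY = "anonymousUserName"; // assumed attribute name
    // Slow derivation: an administrator holding only the bcrypt hash cannot cheaply
    // test password guesses against a stored AnonymousUserName.
    private static final int ITERATIONS = 100000;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // ProviderManager erases credentials after authentication, so the plain password
        // is read from the login request itself instead of authentication.getCredentials().
        String username = authentication.getName();
        String password = request.getParameter("j_password");
        request.getSession().setAttribute(SESSION_KEY, deriveAnonymousName(username, password));
        super.onAuthenticationSuccess(request, response, authentication); // usual redirect
    }

    /** Deterministic: the same username and password always give the same anonymous name. */
    static String deriveAnonymousName(String username, String password) {
        try {
            // password is the secret, username is the salt, as described in the question
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(),
                    username.getBytes(StandardCharsets.UTF_8), ITERATIONS, 256);
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            spec.clearPassword(); // drop the plain password from memory as soon as possible
            return toHex(key);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 not available", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Register the class as a bean and reference it with authentication-success-handler-ref on the form-login element, moving the target URL into the handler's defaultTargetUrl property. Because the session attribute only lives in the HttpSession, the logout element already removes it when the user leaves.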