Is it possible to authenticate a user by checking for an existing HttpSession within Spring Security? I would like users to authenticate via CAS at one URL (http://example.com/auth), but not the other URLs. For example, if they go straight to http://example.com/content, then I’d like to check for the HttpSession and return a 401 Unauthorized code if they haven’t logged into CAS yet. If they’ve already gone to the /auth page and logged in, then going to /content will return the content. The main reason for this is to avoid any redirects that CAS causes during authentication.
I am kind of new to Spring Security and can’t figure out if I need a custom AuthenticationManager, AuthenticationEntryPoint, both, or something else. The AuthenticationManager doesn’t have a way for me to access the HttpSession, and the AuthenticationEntryPoint doesn’t seem to be the right place to implement this functionality.
Any ideas?
Spring Security is not using HTTP session.
Instead, you can easily call to this static method:
Frankly, I believe that you need to configure Spring security correct in order to avoid checking authentication and redirect manually to other page.