Login/Register
How to implement custom authentication in Spring Security 3?
Asked Answered
Solved spring-mvcspring-security
B

1

16

I know this has been answered so many times, but I am confused. I already have an Authentication mechanism in my application and I just want to use the authorization part of Spring MVC. I'm using Spring MVC 3 and Spring Security 3.

When I search on internet I found two solutions, the first one is to just implement AuthenticationProvider interface. Example1. The second one is to implement UserDetails and UserDetailsService, Example2 so I'm lost here.

----Update----

The second part of the Question is here. And the solution to the workaround.

Butterbur answered 13/8, 2013 at 22:51 Comment(0)
C
37

In most cases when only using usernames and passwords for authentications and roles for authorisation, implementing your own UserDetailsService is enough.

The flow of the username password authentication is then generally as follows:

  • A spring security filter (basic authentication/form/..) picks up the username and password, turns it into an UsernamePasswordAuthentication object and passes it on to the AuthenticationManager
  • The authentication manager looks for a candidate provider which can handle UsernamePasswordtokens, which in this case is the DaoAuthenticationProvider and passes the token along for authentication
  • The authentication provider invokes the method loadUserByUsername interface and throws either a UsernameNotFound exception if the user is not present or returns a UserDetails object, which contains a username, password and authorities.
  • The Authentication provider then compares the passwords of the provided UsernamePasswordToken and UserDetails object. (it can also handle password hashes via PasswordEncoders) If it doesn't match then the authentication fails. If it matches it registers the user details object and passes it on to the AccessDecisionManager, which performs the Authorization part.

So if the verification in the DaoAuthenticationProvider suits your needs. Then you'll only have to implement your own UserDetailsService and tweak the verification of the DaoAuthenticationProvider.

An example for the UserDetailsService using spring 3.1 is as follows:

Spring XML:

<security:authentication-manager>
     <security:authentication-provider user-service-ref="myUserDetailsService" />
</security:authentication-manager>

<bean name="myUserDetailsService" class="x.y.MyUserDetailsService" />

UserDetailsService Implementation:

public MyUserDetailsService implements UserDetailsService {

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    //Retrieve the user from wherever you store it, e.g. a database 
    MyUserClass user = ...; 
    if (user == null) {
        throw new UsernameNotFoundException("Invalid username/password.");
    }
    Collection<? extends GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("Role1","role2","role3");
    return new User(user.getUsername(), user.getPassword(), authorities);
}

}
Crayfish answered 14/8, 2013 at 6:22 Comment(9)
This way I cant customize the login workflow. Lets say I want to block the user at 5th attempt or send an email. This is what Im looking for.Butterbur
My suggestion would be to subclass the DAOAuthenticationManager, override the authentication method and simply invoke super.authenticate in a try catch.Crayfish
I'll try that. But please refer me some link if you know some. Thanks.Butterbur
You can use the tutorial which describes how to write your own AuthenticationProvider. The only difference is instead of writing it from scratch you just extend the DaoAuthenticationProvider and override the authenticate method.Crayfish
I'll check and let you know. Thanks.Butterbur
do you care help me with a similar topic? I trying implement a custom login processing method with java config, and I stucked with this problem: #22739238. Any help should be very thankful.Rabkin
thanks for the layout of this workflow, i've been having a tough time discovering what's going on in spring security, but this helped me get a basis. @Crayfish on your Aug 22 comment, did you mean to subclass DAOAuthenticationProvider NOT DAOAuthenticationManager? if so, can you fix?Affixation
<beans:bean name="myUserDetailsService" class="x.y.MyUserDetailsService"></beans:bean> works for me.Patriarchy
<security:authentication-manager> <security:authentication-provider user-service-ref="myUserDetailsService" /> </security:authentication-manager> what is the alternative in JavaConfig ?Longspur

© 2022 - 2024 — McMap. All rights reserved.