Spring Security - Custom authentication provider not called

Question

I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup (this is based off of this question):

In the security-config.xml file, I have the following configuration:

<http>
  <!-- Restrict URLs based on role -->
  <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />

  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
  <anonymous />
  <form-login login-page="/login.jsp"/>
</http>

<beans:bean id="myUserDetailsService" class="com.example.login.MyUserDetailsService">
  <beans:property name="dataSource" ref="dataSource" />
  <custom-authentication-provider />
</beans:bean>

<authentication-provider user-service-ref="myUserDetailsService" />

The com.example.login.MyUserDetailsService class is defined:

public class MyUserDetailsService extends SimpleJdbcDaoSupport implements UserDetailsService {
  @Override
  public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException,
          DataAccessException {
    logger.info("MyUserDetailsService.loadUserByUsername: Entered method. Username [" + userName + "]");
    ...
  }
}

But I'm not seeing this log line. How do I define a custom UserDetailsService so I can set the security roles? I don't even need a custom service, but having this in the security-config.xml

<authentication-provider> <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>

wasn't setting the role even though I have the users and authorities tables. How can I set the Spring Security Roles?

Answer 1

I think the authentication-provide tag should come with authentication-manager tag.

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="myUserService" />
</authentication-manager>

Hope this works!

Answer 2

Just remove <custom-authentication-provider> element.

Your MyUserDetailsService IS NOT a custom AuthenticationProvider. Actually you are trying to supply the default DaoAuthenticationProvider with a custom UserDetailsService. Here is an example of working config for that scenario (and once again I recommend you to use auto-config):

<http auto-config = "true">
    <intercept-url pattern="/login.jsp" access="ROLE_ANONYMOUS" />
    ...
    <intercept-url pattern="/**" access="ROLE_USER" />

    <form-login login-page="/login.jsp" default-target-url="/XXX.html" />
</http>

<authentication-provider user-service-ref = "userDetailsService" />

<beans:bean id = "userDetailsService" class = "com.example.MyUserService" />

EDIT:

web.xml:

...
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
...

login.jsp:

...
<form method = "POST" action = "<c:url value = "/j_spring_security_check" />">
    <table>
        <tr>
            <td class = "label">Login:</td>
            <td><input type = "text" name = "j_username" /></td>
        </tr>
        <tr>
            <td class = "label">Password:</td>
            <td><input type = "password" name = "j_password" /></td>
        </tr>

        <tr>
            <td colspan = "2"><input type = "submit" value = "Log in" /></td>
        </tr>
    </table>
</form>
...