How do I use a custom authentication mechanism for a Java web application with Spring Security?

Question

I'm working on a project to convert an existing Java web application to use Spring Web MVC. As a part of this I will migrate the existing log-on/log-off mechanism to use Spring Security. The idea at this stage is to replicate the existing functionality and replace only the web layer, leaving the service classes and objects in place. The required functionality is simple. Access is controlled to URLs and to access certain pages the user must log on. Authentication is performed with a simple username and password along with an extra static piece of information that comes from the login page. There is no notion of a role: once a user has logged on they have access to all of the pages. Behind the scenes, the service layer has a class with a simple authentication method:

doAuthenticate(String username, String password, String info) throws ServiceException

An exception is thrown if the login fails.

I'd like to leave this existing service object that does the authentication intact but to "plug it into" the Spring Security mechanism. Can somebody suggest the best approach to take for this please? Naturally, I'd like to take the path of least resistance and leave the work where possible to Spring...

Thanks in advance.

Answer 1

Implement org.springframework.security.authentication.AuthenticationProvider which authenticates org.springframework.security.authentication.UsernamePasswordAuthenticationToken.

Answer 2

Check out Authentication Overview. You will probably want to make your own UserDetailsService and then define your own AccessDecisionManager that simply always votes YES if the User has authenticated.