Reputation: 89169
Custom authentication in Spring
I have a question. In Struts, I have an Action that deals with user authentication, i.e., I took the user's credentials and used a DAO to validate user credentials. I want to maintain the same setup in Spring. I'm using Spring 3.0.3 RELEASE.
My question is, I've read Spring Security and in there it specifies JDBC backend "Validation" provider. I want to know, how would, if the user clicked "login" that it submits the credentials to my controller to check for valid authentication?
The reason I want to do this that way is that I have a Service that handles user authentication and authorization.
Thanks in advance.
PS How do I make some controller secure in Spring?
PPS I'm new to Spring
Upvotes: 4
Views: 11892
Answers (3)
Reputation: 207
You can create a custom authentication provider that implements org.springframework.security.authentication.AuthenticationProvider like this
package com.bzone.example;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
public class CustomAuthenticationProvider implements AuthenticationProvider{
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
// TODO call custom service or do whatever you want
return null;
}
@Override
public boolean supports(Class<? extends Object> authentication) {
// copied it from AbstractUserDetailsAuthenticationProvider
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
}
one more step is to configure spring security to use this custom authentication provider
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- HTTP security configurations -->
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/static/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
<logout logout-url="/static/j_spring_security_logout"/>
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/static/**" access="permitAll" />
<intercept-url pattern="/**" access="permitAll" />
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="com.bzone.example.CustomAuthenticationProvider" />
</authentication-manager>
</beans:beans>
Upvotes: 5
Reputation: 242686
Usually Spring Security handles authentication inside its own code, using your code as strategies (authentication providers, user details services, etc). But you can handle authentication inside your own code.
In your action's code, when user credentials are correct, you will:
- Create an
Authenticationcontaining user name and granted roles (you may useUsernamePasswordAuthenticationTokenas a convenient implementation). - Put it into security context:
SecurityContextHolder.getContext().setAuthentication(auth); - Broadcast the authentication success event using
AuthenticationEventPublisher.publishAuthenticationSuccess(...)(you may autowire it from the context or create aDefaultAuthenticationEventPublisherexplicitly). - Redirect user to the secured resource using
SavedRequestAwareAuthenticationSuccessHandler.onAuthenticationSuccess(...).
Also you need to supply an AuthenticationEntryPoint:
<bean id = "aep" class = "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<!-- Your login page -->
<property name = "loginFormUrl" value = "/login" />
</bean>
<security:http entry-point-ref="aep">
...
</http>
However, if you are actually new in Spring, it may be better to avoid such a massive customizations and use the regular Spring Security architecture.
Upvotes: 3
Reputation: 35961
You can write you own validation mechanism for Spring Security. It have to consists of following parts:
- Auth Filter - reads data from request, then call Auth Provider with credentials token (instance of class Authentication)
- Auth Provider - accepts this auth token (filter can create different tokents, and there can be different auth providers, for each token type), and try to authenticate (calling your service, at your case). After auth you may (or may not) call User Details Service or fill all user data right there
- User Details Service - load signed in user details from somewhere (from jdbc, other service, etc)
Upvotes: 2
Related Questions
- Custom Authentication Manager with Spring Security and Java Configuration
- Implementing Custom Authentication in Spring Security
- Spring Security: Custom Authentication Provider
- Implement Custom Spring Security Authentication Method
- How to implement custom authentication in Spring Security 3?
- Custom AuthenticationManager
- Authenticating with Spring Security
- Custom authorization in Spring MVC
- How do I use a custom authentication mechanism for a Java web application with Spring Security?
- Spring Security and Custom Authentication Provider