0

I'm using a CustomAuthentication provider, which extends AbstractUserDetailsAuthenticationProvider, to authenticate. I had to do this because I wanted to authenticate against a web service and needed both the userid and the password. This was the only class which allowed me to do so. Now I'm facing issues implementing remember-me functionality for this. Here is my security-context file:

```xml
<!-- The opening <beans:beans ...> root element is not shown in the post. -->
<http auto-config="true">
    <intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/dashboard*" access="ROLE_USER" />
    <form-login login-page="/login.html" default-target-url="/dashboard1.html#meetings"
        authentication-failure-url="/loginFailed.html" />
    <logout logout-success-url="/login.html" />
</http>

<beans:bean name="customAuthenticationProvider" class="com.component.WebServiceUserDetailsAuthenticationProvider"/>

<authentication-manager>
    <authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>

</beans:beans>
```

Now I'm trying to implement remember-me, but it's forcing me to have a user details service, which I can't have, as I need both username and password to authenticate against my web service, and the method exposed by UserDetailsService gives only the username, not the password. That's the reason I had to use custom authentication in the first place.

Hemant
  • You haven't actually said what your issues are so you should probably edit your question to clarify. Also, you don't need to extend `AbstractUserDetailsAuthenticationProvider`. You can just implement the `AuthenticationProvider` interface directly. – Shaun the Sheep Jun 11 '13 at 17:17
  • Hi Luke, I've completed my question now. And AbstractUserDeta..... I used because I wanted to provide implementation only for method authenticate and that's what abstractUs.. is for. – Hemant Jun 13 '13 at 10:40

1 Answer

0

Remember-me is an alternative way of authenticating a user, so when it receives a remember-me cookie it needs to validate it and load information for the user to provide it to the application. To do that it uses the UserDetailsService interface.

The basic implementation TokenBasedRememberMeServices needs access to the password in order to verify the token. If your system can't provide that, then you can't use it.

The alternative is PersistentTokenBasedRememberMeServices, which uses a database to store the remember-me tokens. It doesn't need access to the password, but you will still need to implement a UserDetailsService to allow it to load information for the authenticated user. The UserDetails object it returns doesn't need to contain a password, but it should contain the username as a minimum so that you can tell who is logged in.

Shaun the Sheep
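A password-free `UserDetailsService` of the kind the answer above describes, for use with the persistent-token remember-me services. This is an added example, not code from the original answer or from Spring Security. The `AccountLookup` interface, the assumption that the web service can look an account up by user id alone, and the bean names in the comment are hypothetical.

```java
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Loads user data for remember-me logins without ever handling a password.
 * Wiring (Spring Security namespace), inside the existing <http> element:
 *   <remember-me data-source-ref="dataSource"
 *                user-service-ref="rememberMeUserDetailsService"/>
 * data-source-ref selects the database-backed (persistent) token approach.
 * The bean names "dataSource" and "rememberMeUserDetailsService" are assumptions.
 */
public class RememberMeUserDetailsService implements UserDetailsService {

    /** Hypothetical client for the web service: looks an account up by user id only. */
    public interface AccountLookup {
        /** Returns true if the account exists and is still active. */
        boolean isActive(String userId);
    }

    private final AccountLookup accounts;

    public RememberMeUserDetailsService(AccountLookup accounts) {
        this.accounts = accounts;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Re-check the account on every remember-me login, so a cookie issued
        // before the account was disabled or deleted stops working.
        if (username == null || username.isEmpty() || !accounts.isActive(username)) {
            throw new UsernameNotFoundException("No active account for remember-me login");
        }
        // User rejects a null password but accepts an empty one. The persistent
        // token authenticates the request; this field is never compared.
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
        return new User(username, "", authorities);
    }
}
```

A remember-me login never passes through the web-service password check, so pages that change credentials or other sensitive data can be restricted with `IS_AUTHENTICATED_FULLY` instead of `ROLE_USER` alone.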