16

I know this has been answered so many times, but I am confused. I already have an Authentication mechanism in my application and I just want to use the authorization part of Spring MVC. I'm using Spring MVC 3 and Spring Security 3.

When I search on internet I found two solutions, the first one is to just implement AuthenticationProvider interface. Example1. The second one is to implement UserDetails and UserDetailsService, Example2 so I'm lost here.

----Update----

The second part of the Question is here. And the solution to the workaround.

Community
  • 1
  • 1

1 Answers1

37

In most cases when only using usernames and passwords for authentications and roles for authorisation, implementing your own UserDetailsService is enough.

The flow of the username password authentication is then generally as follows:

  • A spring security filter (basic authentication/form/..) picks up the username and password, turns it into an UsernamePasswordAuthentication object and passes it on to the AuthenticationManager
  • The authentication manager looks for a candidate provider which can handle UsernamePasswordtokens, which in this case is the DaoAuthenticationProvider and passes the token along for authentication
  • The authentication provider invokes the method loadUserByUsername interface and throws either a UsernameNotFound exception if the user is not present or returns a UserDetails object, which contains a username, password and authorities.
  • The Authentication provider then compares the passwords of the provided UsernamePasswordToken and UserDetails object. (it can also handle password hashes via PasswordEncoders) If it doesn't match then the authentication fails. If it matches it registers the user details object and passes it on to the AccessDecisionManager, which performs the Authorization part.

So if the verification in the DaoAuthenticationProvider suits your needs. Then you'll only have to implement your own UserDetailsService and tweak the verification of the DaoAuthenticationProvider.

An example for the UserDetailsService using spring 3.1 is as follows:

Spring XML:

<security:authentication-manager>
     <security:authentication-provider user-service-ref="myUserDetailsService" />
</security:authentication-manager>

<bean name="myUserDetailsService" class="x.y.MyUserDetailsService" />

UserDetailsService Implementation:

public MyUserDetailsService implements UserDetailsService {

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    //Retrieve the user from wherever you store it, e.g. a database 
    MyUserClass user = ...; 
    if (user == null) {
        throw new UsernameNotFoundException("Invalid username/password.");
    }
    Collection<? extends GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("Role1","role2","role3");
    return new User(user.getUsername(), user.getPassword(), authorities);
}

}
Nils
  • 1,750
  • 14
  • 10
  • This way I cant customize the login workflow. Lets say I want to block the user at 5th attempt or send an email. This is what Im looking for. –  Aug 19 '13 at 20:34
  • My suggestion would be to subclass the DAOAuthenticationManager, override the authentication method and simply invoke super.authenticate in a try catch. – Nils Aug 22 '13 at 08:14
  • I'll try that. But please refer me some link if you know some. Thanks. –  Aug 24 '13 at 00:58
  • You can use the tutorial which describes how to write your own AuthenticationProvider. The only difference is instead of writing it from scratch you just extend the DaoAuthenticationProvider and override the authenticate method. – Nils Aug 28 '13 at 14:22
  • I'll check and let you know. Thanks. –  Aug 29 '13 at 13:27
  • do you care help me with a similar topic? I trying implement a custom login processing method with java config, and I stucked with this problem: http://stackoverflow.com/questions/22738738/my-application-with-spring-security-dont-go-beyond-login-page. Any help should be very thankful. – Kleber Mota Mar 30 '14 at 14:58
  • thanks for the layout of this workflow, i've been having a tough time discovering what's going on in spring security, but this helped me get a basis. @Nils on your Aug 22 comment, did you mean to subclass DAOAuthenticationProvider NOT DAOAuthenticationManager? if so, can you fix? – Chris DaMour May 23 '14 at 21:56
  • `` works for me. – Timeless Mar 11 '15 at 02:13
  • what is the alternative in JavaConfig ? – Yasir Shabbir Choudhary Feb 09 '16 at 12:55