4

I'm currently working on a Spring MVC web application and we have been using authentication via a local database with an impl of the AbstractUserDetailsAuthenticationProvider class provided by Spring Security.

However, to secure the app further, we decided to allow users to authenticate via LDAP/AD server. This would not be a requirement and users can choose to enable this in the configurations in the portal itself.

Wondering how one would actually go about implementing this. I have found the AbstractLdapAuthenticationProvider. However, just adding this additional authentication provider to the authentication manager would not suffice, as whether or not it should be there should be determined at runtime by a flag in the database.

Would really appreciate any help in this area.

Thanks for reading:)

jia chen
  • Look at this question and its answer, that should get you started: http://stackoverflow.com/questions/21381893/use-different-authenticationprovider-depending-on-username-and-remote-ip-address – yglodt May 03 '16 at 07:55

2 Answers

1

There are probably multiple ways to do this, but a simple approach would be to add two authentication providers to the authentication manager: the authentication provider for the local database first, the LDAP authentication provider second.

To skip LDAP check at runtime, throw AccountStatusException (a subclass thereof, since abstract) from your local database provider. This makes the authentication manager skip further providers, in your case LDAP.

If you want the other way around for a user, set the password to blank or a random value in local database.

holmis83
  • Hi holmis83, thanks for the response!! Just wondering: if I add and chain the authentication providers together under the auth manager and then throw an impl of *AccountStatusException*, will that void my login altogether?! – jia chen Nov 09 '15 at 02:50
  • @jiachen yes, that will fail the authentication altogether. – holmis83 Nov 09 '15 at 08:50
1

Have two authentication providers, one for local database and one for LDAP. The Spring authentication manager will invoke the public boolean supports(Class authentication) method in each of the providers to see if the provider supports the Authentication class provided. So the supports(Class authentication) method is a perfect place for you to write your own custom logic to enable/disable a particular authentication provider.

Chao
  • This looks like a more proper solution than using exceptions to control the flow, as proposed by holmis83. – Campa Jul 06 '23 at 12:58
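
The runtime toggle via `supports()` described in the answer above, as an added example that is not code from either answer or from Spring Security itself: a wrapper that hides the LDAP provider from `ProviderManager` while the flag is off. The class name `ToggleableAuthenticationProvider`, the `BooleanSupplier` standing in for the database flag, and the stub providers are assumptions; it needs `spring-security-core` on the classpath.

```java
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.BooleanSupplier;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/** Exposes the wrapped provider to ProviderManager only while the flag is on. */
public class ToggleableAuthenticationProvider implements AuthenticationProvider {
    private final AuthenticationProvider delegate;
    private final BooleanSupplier flag; // hypothetical: reads the "LDAP enabled" setting from the database
    public ToggleableAuthenticationProvider(AuthenticationProvider delegate, BooleanSupplier flag) {
        this.delegate = delegate;
        this.flag = flag;
    }

    private boolean enabled() {
        // Fail closed: if the flag cannot be read, treat the provider as disabled.
        try { return flag.getAsBoolean(); } catch (RuntimeException e) { return false; }
    }

    @Override public boolean supports(Class<?> type) {
        // ProviderManager calls this on every login attempt, so a flag change takes effect immediately.
        return enabled() && delegate.supports(type);
    }

    @Override public Authentication authenticate(Authentication auth) {
        // Re-check in case the flag flipped after supports(); null tells ProviderManager to try the next provider.
        return enabled() ? delegate.authenticate(auth) : null;
    }
    // Constructed stand-in for a real provider: accepts or rejects every username/password login.
    static AuthenticationProvider stub(boolean accept) {
        return new AuthenticationProvider() {
            public Authentication authenticate(Authentication a) {
                if (!accept) throw new BadCredentialsException("unknown user");
                return new UsernamePasswordAuthenticationToken(a.getName(), null,
                        AuthorityUtils.createAuthorityList("ROLE_USER"));
            }
            public boolean supports(Class<?> c) { return UsernamePasswordAuthenticationToken.class.isAssignableFrom(c); }
        };
    }
    public static void main(String[] args) {
        AtomicBoolean ldapOn = new AtomicBoolean(false); // stands in for the database flag
        ProviderManager manager = new ProviderManager(Arrays.<AuthenticationProvider>asList(
                stub(false), new ToggleableAuthenticationProvider(stub(true), ldapOn::get))); // local DB first, LDAP second
        Authentication login = new UsernamePasswordAuthenticationToken("alice", "secret"); // constructed sample login
        try { manager.authenticate(login); } catch (BadCredentialsException e) { System.out.println("LDAP off: rejected"); }
        ldapOn.set(true);
        System.out.println("LDAP on: authenticated=" + manager.authenticate(login).isAuthenticated());
    }
}
```

In a real application the supplier would typically cache the database value briefly, since `supports()` runs on every login attempt.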