3

I'm needing to do some custom things when a user tries to log in depending on their username but these things need to happen before the authentication process. Here's what I've got so far.

Our system allows for multiple email addresses and the client wants the user to be able to authenticate using any 1 of them. To allow for this I created a custom UserDetailsService and had the code look up the user appropriately.

The other things I need to do require a few flags on the user object that spring-security doesn't really know or care about. But I need to hook into the auth process, check these flags, and return appropriate error messages to the user. To give a more concrete example, I need to know if this is the first time a user has ever logged into the system. So we have a flag on the user to track this. When the user tries to authenticate, I need to read this value and do some stuff, including sending a message back to the user and halting authentication.

I looked into the Event Listener mechanisms in the documentation, but what I am not seeing is how to inject my own workflow via the listeners. I need to do a flow like this:

Auth with valid email but first time -> cancel authentication -> display message on login page

I think if I can get that one scenario handled, I can figure the others out that I need.

UPDATE: I'm reading on filters now to see if I missed something...

Gregg
  • I'm surprised this is not in the Grails Spring Security docs – hvgotcodes Jun 20 '11 at 14:18
  • Have you looked in the Spring Security docs? They have some samples there that will probably work easily with the Grails plugin – hvgotcodes Jun 20 '11 at 14:24
  • Do you have a link to something specific to save me a bit of time fumbling through them? – Gregg Jun 20 '11 at 14:27
  • http://static.springsource.org/spring-security/site/docs/3.1.x/reference/preauth.html – hvgotcodes Jun 20 '11 at 14:33
  • The "Pre-Authentication Scenarios" covered by the Spring docs are for a situation where a "user has already been reliably authenticated by some external system prior to accessing the application." In your situation where your application is actually going to be authenticating the user, I agree with @ericacm below that a custom AuthenticationProvider is the way to go. – Owen Jun 20 '11 at 15:50
  • I'm extremely late to the party, but do you have any clue what I have to do to get this to work in the latest Spring Security Core and Grails? :) Make a new provider which extends AbstractUserDetailsAuthenticationProvider, and then overrides the regular username/password bean in the spring/resources.groovy maybe? Thanks! – Tholle Mar 18 '15 at 20:38

1 Answer

4

The simplest way to hook into the authentication process is to provide your own AuthenticationProvider. There are only two methods to implement. In authenticate() you can do all of your custom stuff.

To configure your provider into the framework do something like:

```xml
<authentication-manager>
  <authentication-provider ref="myAuthenticationProvider" />
</authentication-manager>
```
sourcedelica
  • You may want to extend AbstractUserDetailsAuthenticationProvider: http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.html – Owen Jun 20 '11 at 15:55
  • Already headed in that direction. :o). Thanks. I think this is the right approach. Will respond with more details once I work it all out. – Gregg Jun 20 '11 at 16:46
  • I've added a follow up question here in case you all know the answer: http://stackoverflow.com/questions/6415092/throwing-custom-exception-and-display-error-message-from-custom-authenticationpro – Gregg Jun 20 '11 at 17:31
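
A sketch of the provider approach discussed in the answer and its comments, added here as an illustration and not code posted by anyone in this thread. `FirstLoginAware`, `FirstLoginException` and `FlagCheckingAuthenticationProvider` are hypothetical names; the sketch assumes the custom UserDetailsService returns a UserDetails object that exposes the first-login flag. The flag is checked only after the password has been verified, so the login page does not reveal account state to someone who knows only an email address.

```java
// FlagCheckingAuthenticationProvider.java (added example; class names are hypothetical)
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;

// Assumption: the application's UserDetails implementation carries the
// "never logged in before" flag and implements this interface.
interface FirstLoginAware {
    boolean isFirstLogin();
}

// Extending AccountStatusException makes ProviderManager stop immediately
// instead of trying any further providers in the chain.
class FirstLoginException extends AccountStatusException {
    FirstLoginException(String msg) {
        super(msg);
    }
}

// Register this bean under the id referenced by <authentication-provider ref="..."/>
// and set its userDetailsService property to the custom multi-email service.
public class FlagCheckingAuthenticationProvider extends DaoAuthenticationProvider {

    @Override
    protected void additionalAuthenticationChecks(UserDetails user,
            UsernamePasswordAuthenticationToken token) throws AuthenticationException {
        // 1. Standard password comparison; throws BadCredentialsException on
        //    mismatch, so nothing below runs for an unauthenticated caller.
        super.additionalAuthenticationChecks(user, token);

        // 2. Application-specific flags, evaluated only for a caller who has
        //    already proven knowledge of the password.
        if (user instanceof FirstLoginAware && ((FirstLoginAware) user).isFirstLogin()) {
            // Halts authentication; the message text is a constructed sample.
            throw new FirstLoginException(
                    "First login: please complete account setup before signing in.");
        }
    }
}
```

The exception reaches the configured authentication failure handler, which can branch on its type to choose the message shown on the login page.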