Using other Authentication Providers

Jay Abrahm
Ranch Hand

Joined: May 28, 2008
Posts: 183
I have got the basic Spring Security to work and it brings up the default Spring login page for


I tried


But it would not hit MyUserDetailsService, I continue to get the Spring login page.

Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 513

Can you post your full security context XML file?


Regards, Prasad
SCJP 5 (93%)
Jay Abrahm
Ranch Hand

Joined: May 28, 2008
Posts: 183
Alright, finally I got it to hit MyUserDetailsService



and added the service annotation


Need some direction on how to proceed from here... I don't have the typical Spring User tables so I would like to use an existing schema to validate the user name already present in the session.
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 513



In the above, the parameter arg0 is the username entered by the user. You can execute the query to search the database using this username, and you can return a User object, adding all the required details like password and roles for this user. Spring Security will take it on from here.
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17250

The nice thing about Spring Security is that any small part of it can be customized while using all the other built in functionality. The bad thing about that is that there are a bunch of smaller pieces that are responsible for their own part of the whole Security solution.

So Spring Security has the following

1) AuthenticationManager - handles logging in stuff. Mostly delegates to the following classes
a) UserDetailsService - the auth manager calls the UserDetailsService loadUserByUsername(String username) to get the data for the user from any source. Could be database, LDAP, OAuth, SingleSignOn, ActiveDirectory or other locations. This method returns
b) UserDetails - this is the User object; it stores the username, password, a few booleans as well as an array of GrantedAuthority objects. These
c) GrantedAuthority objects hold the roles that the user has.
d) RememberMeService - if you want a remember me service with cookies, then this interface does that work. So the AuthenticationManager might first delegate to a RememberMeService looking for a cookie that has the value of the userName. If it doesn't find one, then the AuthenticationManager delegates to the UserDetailsService. If there is a cookie, the RememberMeService reads the cookie to get the userName then calls the UserDetailsService to look up the user data.

After the AuthenticationManager gets the UserDetails object it then has all the information for the user.

So in your implementation of UserDetailsService you can call anything that you want. If it is in a database, but your tables don't match the built in JdbcUserDetailsService, then you can still use the JdbcUserDetailsService implementation and just override the user-by-username-query and the authorities-by-username-query with queries that match your table structure.

You just have to make sure that the user-by-username-query returns three fields. 1) the userName 2) the password 3) boolean for is the user active. If you don't have an active field, make your query always return true for that third field. For the authorities-by-username-query, it has to return two fields. 1) username 2) role name prefixed with "ROLE_", you will have a row for each role that the user has. So if the user is assigned three roles, then three rows should be returned. Once you have that data, you just create and populate a UserDetails object. Again this is an interface that you could implement your own if you want it to store more than the Spring Security standard, or just use the built in class that is in the Spring Security jars.

Hope that helps you clear the authentication hurdle.

There is more for authorization.

Mark


Perfect World Programming, LLC - Two Laptop Bag - Tube Organizer
How to Ask Questions the Smart Way FAQ
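
An added example, not part of the original thread and not Spring Security's own code: one way to write the UserDetailsService discussed above against an existing schema, assuming Spring Security 3.1 or later with spring-jdbc on the classpath. The class name and the table and column names (APP_USER, APP_USER_ROLE and their columns) are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical legacy schema (constructed for this example):
//   APP_USER(LOGIN_ID, PWD_HASH, STATUS)   APP_USER_ROLE(LOGIN_ID, ROLE_CODE)
public class LegacySchemaUserDetailsService implements UserDetailsService {

    private final JdbcTemplate jdbc;

    public LegacySchemaUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Bind the user name as a parameter; never concatenate it into the SQL.
        List<Map<String, Object>> rows = jdbc.queryForList(
                "SELECT LOGIN_ID, PWD_HASH, STATUS FROM APP_USER WHERE LOGIN_ID = ?", username);
        if (rows.size() != 1) {
            // Unknown or ambiguous user: fail closed.
            throw new UsernameNotFoundException("No unique account for supplied user name");
        }
        Map<String, Object> row = rows.get(0);

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String code : jdbc.queryForList(
                "SELECT ROLE_CODE FROM APP_USER_ROLE WHERE LOGIN_ID = ?", String.class, username)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + code));
        }

        // The password returned here is the stored credential; the authentication
        // provider compares it with what the user submitted on the login form.
        boolean enabled = "ACTIVE".equals(row.get("STATUS"));
        return new User((String) row.get("LOGIN_ID"), (String) row.get("PWD_HASH"),
                enabled, true, true, true, authorities);
    }
}
```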
Jay Abrahm
Ranch Hand

Joined: May 28, 2008
Posts: 183
Thanks Prasad, I cleaned up the method to populate the user object but it just goes back to the login page. I have two questions basically
1. I don't want Spring to go to the login page since the user id is already available in the session.
2. Did I populate the user object incorrectly or is it incomplete.

Mark Spritzler wrote: You just have to make sure that the user-by-username-query returns three fields.

Mark, Do I really have to use the user-by-username-query query ?

Jay Abrahm
Ranch Hand

Joined: May 28, 2008
Posts: 183
It is successful if I enter rod/koala in the UI but if I enter any other values it just goes back to the login screen. Why does this happen? Is there a way to go directly to loadUserByUsername and authenticate?
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 513

Jay Abrahm wrote: I cleaned up the method to populate the user object but it just goes back to the login page

This means user is not authenticated successfully.
Still you have not posted your full security context xml file, please post that, and if possible the code of UserDetailsService also.
Jay Abrahm
Ranch Hand

Joined: May 28, 2008
Posts: 183
Well, it is getting authenticated when I enter rod/koala and directs to Admin.jsp. Somehow, it tries to match with what I have on the server side.

Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 513

Just curious about this comment

Which session are you talking about here?
Jay Abrahm
Ranch Hand

Joined: May 28, 2008
Posts: 183
Well, I already have an existing authentication (Siteminder) done and the userid is available in the request header. I would like to pick up that userId and hit the database to check if the user has access to this screen.

I basically don't want to direct to the default Spring login form since I am already logged in.
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 513

Users having access to screens should be configured in the security context XML file. This UserDetailsService class is called to authenticate/authorize the users. Spring Security creates a session after this. If you already have an authentication code, can you explain why you are using Spring Security again? Are you trying to implement SSO?
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17250

Jay Abrahm wrote: Mark, Do I really have to use the user-by-username-query query ?



Only if you are querying a database for your user information.

Please re-read my description of the classes that make up Spring Security.

The UserDetailsService class is only used to load User data for Authentication. Authorization is a different piece altogether.

So now we know enough information. You want to use SiteMinder for the user data. So a Google search has shown me this

Spring Security docs
http://static.springsource.org/spring-security/site/docs/2.0.x/reference/preauth.html

Spring Forum someone implementing integration with SiteMinder
http://forum.springsource.org/showthread.php?53047-Spring-security-and-Siteminder

Hope those help.

Mark
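
An added example (not from the thread or the linked pages) of the pre-authentication wiring those links describe, assuming Spring Security 3.1 or later: the user ID arrives in a request header, no login form is shown, and the UserDetailsService only supplies the account and its roles. The class name SiteMinderPreAuth and the header name SM_USER are assumptions.

```java
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

public final class SiteMinderPreAuth {

    private SiteMinderPreAuth() { }

    // Builds the filter that turns the proxy-supplied header into an Authentication.
    // Register the result as a bean and place it in the security filter chain.
    public static RequestHeaderAuthenticationFilter filter(UserDetailsService users) {
        // No password check happens here: the provider only loads the account
        // and its roles for the name the upstream agent already authenticated.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(users));

        AuthenticationManager manager = new ProviderManager(
                Collections.<AuthenticationProvider>singletonList(provider));

        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        // Header name is an assumption; use the one your agent actually sets.
        filter.setPrincipalRequestHeader("SM_USER");
        // Reject requests that arrive without the header rather than letting them through.
        filter.setExceptionIfHeaderMissing(true);
        filter.setAuthenticationManager(manager);
        return filter;
    }
}
```

The header is only as trustworthy as the network path: the application must be reachable solely through the agent that sets it, and that agent must strip any client-supplied copy of the header.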
Jay Abrahm
Ranch Hand

Joined: May 28, 2008
Posts: 183
Prasad Krishnegowda wrote: If you already have an authentication code, can you explain why you are using Spring Security again?

I already have an authentication done as mentioned earlier (Siteminder). However, I want Spring security to help me validate some URLs which are links within the application but can be directly accessed once the authentication is complete.

Mark Spritzler wrote: The UserDetailsService class is only used to load User data for Authentication. Authorization is a different piece altogether.
So now we know enough information. You want to use SiteMinder for the user data. So a Google search has shown me this


I tried a little bit of preauthentication and I realized that it is not exactly what would fit my use case. Basically Spring security is like the second line of defense tracked against a database security table that I have. Is this a form of authorization ?

Can I authorise the url by using UserDetailsService without going through Spring security login and also is it possible to hit the database against a value present in the session.

I don't think I would have trouble building the UserDetails or the GrantedAuthorityImpl objects. Still not sure why I should use user-by-username-query, if I can populate GrantedAuthorityImpl myself.
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17250

http://forum.springsource.org/archive/index.php/t-53047.html

I am not sure if it will help.

Mark
Geeta Puttappanavar
Ranch Hand

Joined: Jan 18, 2012
Posts: 43
Prasad Krishnegowda wrote:

In the above, the parameter arg0 is the username entered by the user. You can execute the query to search the database using this username, and you can return a User object, adding all the required details like password and roles for this user. Spring Security will take it on from here.


Hi,

Here you are mentioning to pass the password. Which password should I pass? And if I pass "password" (hard coded), will this password be authenticated with the password entered by the user? Actually, in the user object should I pass the password from the database where user_name = username?

Can you please explain in detail???
Prasad Krishnegowda
Ranch Hand

Joined: Apr 25, 2010
Posts: 513

Geeta,
UserDetails is an interface provided by spring, see this http://docs.spring.io/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/userdetails/UserDetails.html.
What we should do is, implement this interface, and set the password, see the interface, it has methods to set username, password and role(authorities) and other options like accountExpired and so on.


The arg0 gives us the username in the above method, use this username and populate the password and role(authorities) for this user.
Yes, the password here should be the one, which user enters while logging in. You can get it from database or hardcode it, it's up to you.

P.S.: This is an old post, if you still have any problem, please create a new thread, we can see that from there.
Geeta Puttappanavar
Ranch Hand

Joined: Jan 18, 2012
Posts: 43
Thanks Prasad, I got it done.
 