Avoiding multiple logins from custom authenticationProvider to Third-Party-SOA
Mischa Zedding
Greenhorn
Joined: Feb 28, 2013
Posts: 4
posted
0
Hello Cowboys from the Java-Ranch,
I am really new here and I hope you can give me some tips and advice. At the moment I am developing a new web application with Spring MVC and Spring Security. One requirement is to authenticate the user against a third-party solution. The logic for a login against this solution is ready for use. Now I want Spring Security to handle the user. But at the moment Spring connects to the third-party SOA for every request. This makes no sense to me. Is this behavior normal? Does Spring Security connect to a database every time for every request?
Greetings from Berlin, Germany
Here is my code:
I implement a custom AuthenticationProvider
Well, based on the code you posted, I think that you really wanted to implement a UserDetailsService, not a custom AuthenticationProvider.
The distinction is small. Basically, you just want to change where the data is looked up for a user. That is the responsibility of a UserDetailsService. It is called by an AuthenticationProvider, but only once when you log in. Unless you don't have sessions, and your HTTP is stateless, then credentials do need to be sent and looked up each time.
Thanks for the tip. Now I have a custom UserDetailsService, but I have some problems with this approach. Perhaps you can help me out again.
I have two questions:
1: Is it only possible to get the username in "public UserDetails loadUserByUsername(String username)"? As you can see in my code, I need the password too. For test cases I have a user who has the same value for the username and the password.
2: I think I have a mistake in my logic, because for every request the login window appears. [EDIT]: Now it works...
User user = userServiceTeamcenter.getUserByLogin(username, username);
That won't work in the real world.
Why are the username and password always the same for every user of the system?
OK. The purpose of a UserDetailsService is strictly to load user data, nothing to do with the password; that is why the password is not passed in to the loadUserByUsername(String username) method.
Typically this method and a UserDetailsService just do a query against the back-end data store. In your case your userServiceTeamcenter method requires a password, so it isn't the correct class and method to call. If you don't have a class with a correct API, then you can query a different way.
There are built-in UserDetailsServices like JdbcDaoImpl, which is the JDBC-with-SQL-queries class.
Mark
Mischa Zedding
Hi Mark,
Mark Spritzler wrote: User user = userServiceTeamcenter.getUserByLogin(username, username);
That won't work in the real world.
Why are the username and password always the same for every user of the system?
I know. This was just test code. I would never implement this in production because this makes no sense. But I wanted to test my "Request and Login" problem. This is solved and now I can concentrate on the UserDetailsService. At the moment I have no idea how to implement a correct authentication mechanism with my third-party SOA. It is absolutely necessary to call the login method from TeamcenterUserService (my connector to the third-party SOA) with password and username. If the login is correct I get a user who is != null. Perhaps the first sunny day in 30 days in Berlin will give me the right inspiration.
Micha
Mischa Zedding
I think I have a solution so far. I implement my own UserDetailsAuthenticationProvider by extending the AbstractUserDetailsAuthenticationProvider.
Cool. Yeah, if you need to have the password to do some lookup, you won't get it into UserDetailsService, because its responsibility is just querying the data store for the data; some other class will do the password comparison.
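The approach from the last two posts, sketched as an added example (not code from the thread): a provider extending AbstractUserDetailsAuthenticationProvider receives the submitted password in retrieveUser and can hand it to the remote login once per authentication. The TeamcenterUserService interface shape, its Object return type and the ROLE_USER authority are assumptions; only the getUserByLogin name appears in the posts.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class TeamcenterAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

    /** Assumed shape of the thread's connector; returns null when the remote login fails. */
    public interface TeamcenterUserService {
        Object getUserByLogin(String username, String password);
    }

    private final TeamcenterUserService userServiceTeamcenter;

    public TeamcenterAuthenticationProvider(TeamcenterUserService userServiceTeamcenter) {
        this.userServiceTeamcenter = userServiceTeamcenter;
    }

    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        if (credentials == null || credentials.toString().isEmpty()) {
            throw new BadCredentialsException("Bad credentials");
        }
        // The only remote call: made when a login is processed. With a session-backed
        // SecurityContext, later requests reuse the stored Authentication.
        Object remoteUser = userServiceTeamcenter.getUserByLogin(username, credentials.toString());
        if (remoteUser == null) {
            // Same message for unknown user and wrong password, so the two cases look alike.
            throw new BadCredentialsException("Bad credentials");
        }
        // Empty password on purpose: the principal kept in the session should not carry it.
        // ROLE_USER is an assumed authority; map the remote user's real roles here.
        return new User(username, "", AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        // Nothing to compare locally: the remote login in retrieveUser already verified the password.
    }
}
```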