
Avoiding multiple logins from custom authenticationProvider to Third-Party-SOA

 
Mischa Zedding
Hello Cowboys from the Java-Ranch,

I am really new here and I hope you can give me some tips and advice. At the moment I am developing a new web application with Spring MVC and Spring Security. One requirement is to authenticate the user against a third-party solution. The logic for a login against this solution is ready for use. Now I want Spring Security to handle the user. But at the moment Spring connects to the third-party SOA for every request. This makes no sense to me. Is this behavior normal? Does Spring Security connect to a database every time for every request?

Greetings from Berlin, Germany

Here is my code:
I implement a custom AuthenticationProvider


The security.xml:
 
Mark Spritzler
Well, based on the code you posted, I think that you really wanted to implement a UserDetailsService, not a custom AuthenticationProvider.

The distinction is small. Basically, you just want to change where the data is looked up for a user. That is the responsibility of a UserDetailsService. It is called by an AuthenticationProvider, but only once when you log in, unless you don't have sessions and your HTTP is stateless; then credentials do need to be sent and looked up each time.

Hope that helps and works for you.

Mark
 
Mischa Zedding
Hi Mark,

Thanks for the tip. Now I have a custom UserDetailsService, but I have some problems with this approach. Perhaps you can help me out again.
I have two questions:
1: Is it only possible to get the username in "public UserDetails loadUserByUsername(String username)"? As you can see in my code, I need the password too. For test cases I have a user who has the same value for the username and the password.
2: I think I have a mistake in my logic, because for every request the login window appears. [EDIT]: Now it works...

Thanks a lot and I wish you a good weekend

Here is my code:


TeamcenterUserDetailsService.java

TeamcenterUserDetails.java

 
Mark Spritzler
User user = userServiceTeamcenter.getUserByLogin(username, username);

That won't work in the real world.

Why are the username and password always the same for every user of the system?

OK. The purpose of a UserDetailsService is strictly to load user data; it has nothing to do with the password. That is why the password is not passed in to the loadUserByUsername(String username) method.

Typically this method and a UserDetailsService just do a query against the back-end data store. In your case your userServiceTeamcenter method requires a password, so it isn't the correct class and method to call. If you don't have a class with a correct API, then you can query a different way.

For instance, JDBC with SQL queries.

There are built-in UserDetailsService implementations like JdbcDaoImpl, which is the JDBC with SQL queries class.

Mark
 
Mischa Zedding
Hi Mark,

Mark Spritzler wrote:
User user = userServiceTeamcenter.getUserByLogin(username, username);

That won't work in the real world.

Why are the username and password always the same for every user of the system?



I know. This was just test code. I would never implement this in production because this makes no sense. But I wanted to test my "Request and Login" problem. This is solved and now I can concentrate on the UserDetailsService. At the moment I have no idea how to implement a correct authentication mechanism with my third-party SOA. It is absolutely necessary to call the login method from TeamcenterUserService (my connector to the third-party SOA) with password and username. If the login is correct I get a user who is != null. Perhaps the first sunny day in 30 days in Berlin will give me the right inspiration.

Micha
 
Mischa Zedding
I think I have a solution so far. I implement my own UserDetailsAuthenticationProvider by extending the AbstractUserDetailsAuthenticationProvider.

This is my code:

TeamcenterUserDetailsAuthenticationProvider



TeamcenterUserDetails


Security.xml
 
Mark Spritzler
Cool. Yeah, if you need to have the password to do some lookup, you won't get it into a UserDetailsService, because its responsibility is just querying the data store for the data, so that some other class will do the password comparison.

Mark
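
The approach the thread settles on, sketched as an added example (not the code posted by either participant, which did not survive on this page): a provider extending AbstractUserDetailsAuthenticationProvider, whose retrieveUser() receives the submitted password and can pass it to the third-party login. The TeamcenterUserService interface, its Object return type and the ROLE_USER authority are assumptions; only the call getUserByLogin(login, password) and its null-on-failure behaviour come from the thread.

```java
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class TeamcenterAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

    /** Hypothetical connector interface; the thread only names getUserByLogin(login, password). */
    public interface TeamcenterUserService {
        Object getUserByLogin(String login, String password); // null when the login fails
    }

    private final TeamcenterUserService teamcenter;

    public TeamcenterAuthenticationProvider(TeamcenterUserService teamcenter) {
        this.teamcenter = teamcenter;
    }

    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        if (username == null || username.isEmpty() || credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        Object remoteUser;
        try {
            // The remote login is the password check; it runs once per login attempt.
            remoteUser = teamcenter.getUserByLogin(username, credentials.toString());
        } catch (RuntimeException e) {
            // Backend failure is reported separately from a wrong password.
            throw new AuthenticationServiceException("Teamcenter login unavailable", e);
        }
        if (remoteUser == null) {
            // Same message for unknown user and wrong password; never return null here.
            throw new BadCredentialsException("Bad credentials");
        }
        // Do not keep the password in the UserDetails that ends up in the session.
        return new User(username, "", AuthorityUtils.createAuthorityList("ROLE_USER")); // assumed role
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) {
        // Nothing to compare locally: the third-party login already verified the password.
    }
}
```

With session-based configuration the authenticated token is kept in the HTTP session, so the provider is not called again on later requests; with stateless configuration it runs on every request, as Mark describes above.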
 