Java – Spring security. Custom AuthenticationManager

authenticationjavaspringspring-security

I have spring mvc application. And i've added Spring Security with CustomAuthenticationManager. This is application-security.xml that included in appContex.xml. In login.jsp i use standart login page with 2 inputs: name='j_username' & name='j_password' and than in method in CustomAuthenticationManager.authenticate(Authentication authentication) i receive only password, but not principal with it name. What am i do wrong?

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">


<bean id="loginPassAuthenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="customAuthenticationManager" />
    <property name="allowSessionCreation" value="true" />
    <property name="filterProcessesUrl" value="/j_spring_security_check" />
    <property name="authenticationFailureHandler" ref="customAuthenticationFailureHandler" />
    <property name="authenticationSuccessHandler" ref="customAuthenticationSuccessHandler" />
</bean>

<bean id="customAuthenticationManager"
    class="com.whatever.security.CustomAuthenticationManager" />
<bean id="authenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
    p:authenticationManager-ref="customAuthenticationManager"
    p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
    p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

<bean id="customAuthenticationFailureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
    p:defaultFailureUrl="/?error=true" />

<bean id="customAuthenticationSuccessHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
    p:defaultTargetUrl="/" />

<bean id="authenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    p:loginFormUrl="/" />
<security:authentication-manager />
<bean id="passwordEncoder"
    class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg value="512" />
</bean>

<form name='f' action="<c:url value='j_spring_security_check' />"
    method='POST'>
    <table>
        <tr>
            <td>User:</td>
            <td><input type='text' name='j_username' value=''></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='j_password' /></td>
        </tr>
        <tr>
            <td colspan='2'><input name="submit" type="submit"
                value="submit" /></td>
        </tr>
        <tr>
            <td colspan='2'><input name="reset" type="reset" /></td>
        </tr>
    </table>
</form>

Best Answer

I recommend to use Security Namespace (link to the example of minimal configuration):
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-minimal

Here the link how you can define your own authentication provider : http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-auth-manager

Creation of your own authentication provider solves most use cases. Please tell me if you need any additional clarifications.

Best regards,

Michael

Related Solutions

Java – What’s the difference between @Component, @Repository & @Service annotations in Spring

From Spring Documentation:

The @Repository annotation is a marker for any class that fulfils the role or stereotype of a repository (also known as Data Access Object or DAO). Among the uses of this marker is the automatic translation of exceptions, as described in Exception Translation.

Spring provides further stereotype annotations: @Component, @Service, and @Controller. @Component is a generic stereotype for any Spring-managed component. @Repository, @Service, and @Controller are specializations of @Component for more specific use cases (in the persistence, service, and presentation layers, respectively). Therefore, you can annotate your component classes with @Component, but, by annotating them with @Repository, @Service, or @Controller instead, your classes are more properly suited for processing by tools or associating with aspects.

For example, these stereotype annotations make ideal targets for pointcuts. @Repository, @Service, and @Controller can also carry additional semantics in future releases of the Spring Framework. Thus, if you are choosing between using @Component or @Service for your service layer, @Service is clearly the better choice. Similarly, as stated earlier, @Repository is already supported as a marker for automatic exception translation in your persistence layer.

Annotation	Meaning
`@Component`	generic stereotype for any Spring-managed component
`@Repository`	stereotype for persistence layer
`@Service`	stereotype for service layer
`@Controller`	stereotype for presentation layer (spring-mvc)

Spring Security with Openid and Database Integration

As I see that question text itself contains the answer. I am just pulling it out and posting it as the answer for the sake of clarity to other developers with the same problem. It took me a while to figure out that question has the answer!

To access user email & name, you need to add below configuration in the security xml file.

<security:attribute-exchange identifier-match="https://www.google.com/.*">
    <security:openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" />
    <security:openid-attribute name="firstName" type="http://axschema.org/namePerson/first" required="true" />
    <security:openid-attribute name="lastName" type="http://axschema.org/namePerson/last" required="true" />
</security:attribute-exchange>
<security:attribute-exchange identifier-match=".*yahoo.com.*">
    <security:openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
    <security:openid-attribute name="fullname" type="http://axschema.org/namePerson" required="true" />
</security:attribute-exchange>

Thereafter, it will be accessible in the AuthenticationUserDetailsService class, as shown below.

public UserDetails loadUserDetails(OpenIDAuthenticationToken token) {
    String id = token.getIdentityUrl();
        :
        :
    List attributes = token.getAttributes();
    for (OpenIDAttribute attribute : attributes) {
        if (attribute.getName().equals("email")) {
            email = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("firstName")) {
            firstName = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("lastName")) {
            lastName = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("fullname")) {
            fullName = attribute.getValues().get(0);
        }
    }
        :
        :
    // form and return user object
}

Considering that we use more of Java-based configuration/beans now, translating these XML configuration to Java-based configuration shouldn't be a problem.

Hope it helps.

Best Answer

Related Solutions

Java – What’s the difference between @Component, @Repository & @Service annotations in Spring

Spring Security with Openid and Database Integration

Related Topic