Spring – Security : how are login username and password bound to the authentication-provider

gwtSecurityspring-security

I am new to spring and spring security,

I have understood how beans are created and referenced in the xml files,
I need to provide security using spring into my application.

I included a custom applicationContext-security.xml file in my web.xml : contextConfigLocation

in this file, I have intercepted url patterns using 

<intercept-url pattern='/**.something' access="IS_AUTHENTICATED_FULLY"/>

inside element.

I have set the form for login as
now, if a page is not authorised it shows me my custom Login.html page.

Now for the issues I am facing:

  1. How do I specify my login form to pass its value to spring ?
  2. How do I use my own authentication-provider ?

I tried this:

<authentication-provider user-service-ref="userDetailsService"/>
<beans:bean id = "userDetailsService" class ="com.somepath.CustomAuthenticationProvider">
        <custom-authentication-provider/>
    </beans:bean>

where CustomAuthenticationProvider implements AuthenticationProvider

but the code throws an error:
Error creating bean with name '_filterChainProxy' …. No UserDetailsService registered

Please help

Best Answer

1: How do I specify my login form to pass its value to spring ?

After you setup your standard Spring Filter in web.xml for Spring Security, using some of the default settings configured by the <http> tag. An instance of AuthenticationProcessingFilter is created for you as part of the chain of filters.

My default the AuthenticationProcessingFilter is set up to read j_username and j_password as the username / password token.

In order to override this, replace your customize AuthenticationProcessingFilter over the default one by doing this:

<bean id=“myAuthFilter” class=“org.springframework.security.ui.webapp.AuthenticationProcessingFilter” >
<security:custom-filter position=“AUTHENTICATION_PROCESSING_FILTER”/><!–-replace the default one-–>
  <property name=“usernameParameter” value=“myUsername”/><!-- myUsername is the name of the input tag where user enter their username on the HTML page -->
  <property name=“passwordParameter” value=“myPassword” /><!–- myPassword is the name of the input tag where user enter their password on the HTML page -–>
</bean>

See also the JavaDoc of AuthenticationProcessingFilter for more details: http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.html

2: How do I use my own authentication-provider?

Using the following code:

<bean id="myAuthenticationProvider" class="com.something.MyAuthenticationProvider">
    <security:custom-authentication-provider />
</bean>

<security:custom-authentication-provider /> is the tag that let's spring knows this is a custom provider and the Authentication Manager should use it in its provider chain.

Source: http://static.springsource.org/spring-security/site/docs/2.0.x/reference/appendix-namespace.html#d4e3379

3: Regarding the issue with the code throwing '_filterChainProxy' .... No UserDetailsService registered...'

Is com.somepath.CustomAuthenticationProvider implementing the UserDetailService interface?

Related Topic