Spring Acegi Security how can i get the password entered (j_password)

Hi,

I'm using the Acegi Security.
I have a problem because the authentification in my company is outsourced with a WebService. :p
This WS have 2 arguments : login and password.

I would like to get the current password :mad: (sPassword in the example) into the loadByUserName(String login) method of my own class UserDetailsService, where userManagerService call my authentification WS :

Code:

---

...
public UserDetails loadUserByUsername(String login) {
                logger.info("Trying to Load the User with login: " + login + " and password PROTECTED from database and LDAP directory");
                try {
                        logger.info("Searching the user with login: " + login + " in database");

                        UserMetierImpl user = userManagerService.authenticateAndHabilitate(login, sPassword);

                        ...

                        logger.debug("Create User for acegi features for User with login: " + login);
                        org.acegisecurity.userdetails.User acegiUser = new org.acegisecurity.userdetails.User( login, user.getPasswordUser(), true, true, true, true, arrayAuths);
                        logger.info("user with login: " + login + " authenticated");

                        return acegiUser;
                } catch (DataAccessException e) {
                        logger.error("Cannot retrieve Data from Database server : " + e.getMessage() + ". Authentication failed for user " + login);
                        throw new UsernameNotFoundException("user not found", e);
                }
        }

---

I don't have any access to the LDAP directory.

Someone know how can I do ?

Thanks in advance,

Denis

As the method name already gives away you only have the username.

Instead of using a UserService you need to write your own AuthenticationProvider instead of using the DaoAuthenticationProvider (which uses the UserDetailsService). That way you have access to the username and password.

You're right i implements my own AuthenticationProvider like that :

Code:

---

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.apache.log4j.Logger;

import mypackage.CustomUserDetails;
import mypackage.AuthentificationException;
import mypackage.AuthentificationService;

public class CustomAuthenticationProvider implements AuthenticationProvider {

        private Logger logger = Logger.getLogger(CustomAuthenticationProvider.class);
       
        private AuthentificationService authentificationService = null;

        /**
        * setter to allows spring to inject AuthentificationService implementation
        *
        * @param authentificationService
        *            : object (implementation of AuthentificationService interface) to
        *            inject.
        */
        public AuthentificationService getAuthentificationService() {
                return authentificationService;
        }
        public void setAuthentificationService(AuthentificationService authentificationService) {
                this.authentificationService = authentificationService;
        }

        public Authentication authenticate(Authentication auth) throws AuthenticationException {
                //All your user authentication needs
                logger.info("============================== Authenticate Me =========================================");

                try {
                        logger.info("=========== CustomAuthenticationProvider authenticate - START ===============");
                        CustomUserDetails user = authentificationService.authenticateAndHabilitate((String)auth.getPrincipal(), (String)auth.getCredentials());
                       
                        logger.info("=========== CustomAuthenticationProvider authenticate - END ===============");
                        return new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), user.getAuthorities());//AUTHORITIES
                       
                } catch (AuthentificationException e) {
                        logger.error("=========== CustomAuthenticationProvider - AuthentificationException ===============");
                        logger.error("Username/Password does not match for " + auth.getPrincipal());
                        throw new BadCredentialsException("Username/Password does not match for " + auth.getPrincipal());
                }               
        }

        @SuppressWarnings("unchecked")
        public boolean supports(Class authentication) {
                return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
        }

}

---

And it works perfectly thank you !

Thanks Denis13 for your AuthenticationProvider sample.
Can you show us your mypackage.CustomUserDetails too ?