
Thread: Can't hit custom AuthenticationProvider

  1. #1
    Join Date
    Jan 2011
    Posts
    27

    I created a custom AuthenticationProvider and post the request to "/j_spring_security_check" with parameters "j_username" and "j_password".
    But I don't hit this provider class. Why?

    Here is the configuration:

    Code:
       <security:http>
            <security:intercept-url pattern="/js/**" filters="none"/>
            <security:intercept-url pattern="/images/**" filters="none"/>
            <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
            <security:intercept-url pattern="/secured/**" access="ROLE_SECURED" />
            <security:form-login login-page='/login.action'/>
        </security:http>
        
    <security:authentication-manager>
        <security:authentication-provider ref="myAuthenticationProvider"/>
    </security:authentication-manager>
    
        <bean id="myAuthenticationProvider" class="MyAuthenticationProvider"/>
    
    
    public class MyAuthenticationProvider implements AuthenticationProvider 
    {
    
        public Authentication authenticate(Authentication authentication) throws AuthenticationException
        {
             // I never hit this class
             // (the rest of the class was not included in the post)
        }
    }

  2. #2
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    285

    Do you have the following filter defined in your web.xml?

    Code:
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    Amila Domingo

  3. #3
    Join Date
    Jan 2011
    Posts
    27

    Originally posted by amiladomingo:
    Do you have the following filter defined in your web.xml?

    Code:
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    Yes. I can't access secured URLs, which means this filter works.
    But why don't I hit MyAuthenticationProvider?

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Did you ensure that you properly implemented the MyAuthenticationProvider.supports method? If you never return true, the authenticate method will never be called.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
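
The point made in post #4, as an added example that is not part of the thread or any poster's code: a provider whose `supports` accepts the `UsernamePasswordAuthenticationToken` that form login submits, so that `authenticate` is actually invoked. `CredentialStore` is a hypothetical interface introduced here, and because of it the bean definition from post #1 would also need a constructor argument.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

public class MyAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical collaborator (not a Spring type): returns the user's
     *  authorities when the password matches, or null when it does not. */
    public interface CredentialStore {
        List<GrantedAuthority> verify(String username, String password);
    }

    private final CredentialStore store;

    public MyAuthenticationProvider(CredentialStore store) {
        this.store = store;
    }

    // The authentication manager calls this first and skips any provider
    // that returns false, so authenticate() below would never run.
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String password = (credentials == null) ? "" : credentials.toString();

        List<GrantedAuthority> authorities = store.verify(username, password);
        if (authorities == null) {
            // Same message for an unknown user and a wrong password, so the
            // response does not reveal which usernames exist.
            throw new BadCredentialsException("Bad credentials");
        }
        // The three-argument constructor creates an already-authenticated token.
        return new UsernamePasswordAuthenticationToken(username, password, authorities);
    }
}
```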

  5. #5
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    285

    Can you post MyAuthenticationProvider implementation?

    The other thing is, why can't you extend AbstractUserDetailsAuthenticationProvider? If you extend this, you'll only have to implement additionalAuthenticationChecks and retrieveUser. But this class is meant to be extended by classes that intend to work with UserDetails and UsernamePasswordAuthenticationToken.
    Amila Domingo

  6. #6
    Join Date
    Jan 2011
    Posts
    27

    Did you ensure that you properly implemented the MyAuthenticationProvider.supports method? If you never return true, the authenticate method will never be called.
    MyAuthenticationProvider.supports??? What is it? I can't find it in the reference.
    The other thing is, why can't you extend AbstractUserDetailsAuthenticationProvider? If you extend this, you'll only have to implement additionalAuthenticationChecks and retrieveUser. But this class is meant to be extended by classes that intend to work with UserDetails and UsernamePasswordAuthenticationToken.
    Can you post links to samples with such implementations?

  7. #7
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    285

    Sample implementation. Inject your UserDao (or any other class that provides a way to retrieve user details) to this class and retrieve the user from it (inside retrieveUser method).

    Code:
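    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.userdetails.UserDetails;
    
    public class AuthenticationProvider extends
    		AbstractUserDetailsAuthenticationProvider {
    
    	@Override
    	public UserDetails retrieveUser(String userName,
    			UsernamePasswordAuthenticationToken authentication)
    			throws AuthenticationException {
    
    		// Add the logic that will retrieve the user details (user account
    		// statuses and granted authorities)
    		// Placeholder only: the base class rejects a null result, so real
    		// code must return a UserDetails or throw an AuthenticationException.
    		return null;
    	}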
    
    	@Override
    	protected void additionalAuthenticationChecks(
    			org.springframework.security.core.userdetails.UserDetails userDetails,
    			UsernamePasswordAuthenticationToken authentication)
    			throws AuthenticationException {
    		// Add any additional checks of a returned UserDetails
    	}
    }
    Extending AbstractUserDetailsAuthenticationProvider saves you from implementing the supports method.
    Amila Domingo

  8. #8
    Join Date
    Jan 2011
    Posts
    27

    Maybe I understand something wrong...
    I guess I must hit the method AuthenticationProvider.retrieveUser (or AuthenticationProvider.authenticate) after posting a request to "/j_spring_security_check" with parameters "j_username" and "j_password".
    Is that correct?

  9. #9
    Join Date
    Dec 2010
    Location
    Singapore
    Posts
    285

    Hey, try something like this,

    Code:
    <security:authentication-manager>
        <security:authentication-provider>
          <security:user-service>
            <security:user name="jimi" password="jimi" authorities="ROLE_ADMIN" />
            <security:user name="bob" password="bob" authorities="ROLE_SECURED" />
          </security:user-service>
        </security:authentication-provider>
      </security:authentication-manager>
    If this works, then we know there is nothing wrong with the way you have configured JSPs, web.xml and FilterChainProxy
    Amila Domingo

  10. #10
    Join Date
    Jan 2011
    Posts
    27

    Originally posted by amiladomingo:
    Hey, try something like this,

    Code:
    <security:authentication-manager>
        <security:authentication-provider>
          <security:user-service>
            <security:user name="jimi" password="jimi" authorities="ROLE_ADMIN" />
            <security:user name="bob" password="bob" authorities="ROLE_SECURED" />
          </security:user-service>
        </security:authentication-provider>
      </security:authentication-manager>
    If this works, then we know there is nothing wrong with the way you have configured JSPs, web.xml and FilterChainProxy
    Yes, it works. But when I use the custom AuthenticationProvider, I can't hit either AuthenticationProvider.retrieveUser or AuthenticationProvider.authenticate.
