3.0.2 and WebAuthenticationDetails

**amosca** · Nov 2nd, 2010, 06:35 PM

I'm using Spring security 3.0.2.
I've got a custom provider custom authentication provider that logs me in just fine using usernmae and password.
I need to grab another parameter off the http request to complete the authentication.
I subclassed WebAuthenticationDetails, added my third atribute and set it in doPopulateAdditionalInformation(HttpServletRequest request).
I added <bean/> entries to ask Spring to substitute my class for WebAuthenticationDetails.
In my authenticate(Authentication authentication) I call getDetails(). It's not my subclass.
Is this approach sound?
If so, what am I missing?

<beans:bean id="webAuthenticationDetails" class="com.my.security.IWebAuthenticationDetails">
</beans:bean>

<beans:bean id="authenticationDetailsSource"
class="org.springframework.security.authentication .AuthenticationDetailsSourceImpl">
<beans

roperty name="clazz" value="com.my.security.IWebAuthenticationDetails">
<ref local="webAuthenticationDetails"></ref>
</beans

roperty>
</beans:bean>

Thanks!

**pmularien** · Nov 3rd, 2010, 05:21 AM

I'm confused - are you building your entire Spring Security configuration using explicit bean configuration, or are you trying to use bean configuration to override configuration using the security XML namespace (e.g. are you using the <http> element at all)?

**Luke Taylor** · Nov 3rd, 2010, 05:26 AM

For future compatibilty, don't use doPopulateAdditionalInformation as I just removed it for 3.1 :-). Set any values in your constructor. AuthenticationDetailsSourceImpl is also deprecated. Just write your own which returns the correct type.

**amosca** · Nov 3rd, 2010, 10:45 AM

Thanks for heads up Luke.
I relocated my doPopulateAdditionalInformation() code to my constructor.
But with 3.0.2 should this work?

Say I write my own implementation of AuthenticationDetailsSource, how do I tell Spring to use it?

**Luke Taylor** · Nov 3rd, 2010, 10:48 AM

Originally Posted by amosca

Say I write my own implementation of AuthenticationDetailsSource, how do I tell Spring to use it?

Where do you want it used? You need to inject it into the corresponding filter. Just adding a bean to your configuration won't do anything.

**amosca** · Nov 3rd, 2010, 03:04 PM

I have a slighlt different approach.
I got it from an eBook I just bought, Spring Security 3 (someone with your name wrote the forward).
Please help.

--I subclassed UsernamePasswordAuthenticationToken as BrandUsernamePasswordAuthenticationToken.
Brand is an attribute of the class.
--I created subclassed AbstractAuthenticationProcessingFilter to capture brand from the request
BrandAuthenticationFilter extends AbstractAuthenticationProcessingFilter
In attemptAuthentication(..) it captures a brand name from the http request
It news up a BrandUsernamePasswordAuthenticationToken and sends it to my custom security provider
BrandUsernamePasswordAuthenticationToken authRequest = new BrandUsernamePasswordAuthenticationToken(username, password, brand);
return getAuthenticationManager().authenticate(authReques t);
--My custom provider uses username, pasword and brand to authenicate
CustomAuthenticationProvider implements AuthenticationProvider
--I want Spring to send a BrandUsernamePasswordAuthenticationToken to this method
public Authentication authenticate(Authentication authentication)

I don't know how to inject my Filter so that Spring uses it and passes it to my security provider.

**pmularien** · Nov 4th, 2010, 05:43 AM

Well, you did all the hard work already, injecting the filter should be easy

If you are using the <http> (security namespace) style of configuration, you need to determine if you are replacing an existing filter or adding a new one in between existing filters in the chain. You do this with the custom-filter element, which is documented in the reference manual here.

If you are configuring using explicit Spring Bean configuration, you'll define your filter bean and manually adjust the filter chain you've defined by adding or replacing bean references.

Hope that helps! If everything is set up right, you should see that, upon authentication, the filter provides the correct type of Authentication token implementation, and this is then made available to the AuthenticationProvider at the time of authentication. I'd strongly suggest using a debugger if you find this isn't working as you'd expect.

**amosca** · Nov 4th, 2010, 02:35 PM

Thanks again
Using http configuration with a before attribute on the custom filter my filter is never invokded.
Using http configuration with a position attribute on the custom filter I get a statup error
org.springframework.beans.factory.parsing.BeanDefi nitionParsingException: Configuration problem:
I attached a text file with more detail

**sdt_dev** · Nov 17th, 2010, 09:00 PM

amosca, Did you get a solution to that startup error ?

**amosca** · Nov 19th, 2010, 11:00 AM

yep, a co-worker put two missing pieces in place. The new filter needed some care and feeding.

1) properties elements in filter setup
<beans:bean id="brandLoginFilter" class="com.my.security.BrandAuthenticationProcessi ngFilter">
<beans

roperty name="authenticationManager" ref="authenticationManager"/>
<beans

roperty name="successHandler" ref="homeController"/>
<beans

roperty name="failureHandler" ref="homeController"/>
</beans:bean>
2) set the url in the constructor
protected BrandAuthenticationProcessingFilter() {
super("/my/login");

Thanks for all the help!

Thread: 3.0.2 and WebAuthenticationDetails

Thread Tools

Display

3.0.2 and WebAuthenticationDetails

Yeah, I don't know how to configure the Filters.

Round 3

Final round

Tags for this Thread

Posting Permissions