
Thread: Employing custom authentication provider

  1. #1
    Join Date
    Sep 2011
    Posts
    18

    Employing custom authentication provider

    Hi!

    My application needs to use a custom authentication provider in order to authenticate against data obtained from an EJB.

    So here is my MyUsernamePasswordAuthenticationProvider class:

    Code:
    package sk.skhplus.retail.controller;

    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.context.SecurityContextHolder;

    import sk.skhplus.core.users.ejb.intf.UserBeanLocal;

    public class MyUsernamePasswordAuthenticationProvider implements AuthenticationProvider {

        private UserBeanLocal userBeanLocal;

        public void setUserBeanLocal(UserBeanLocal userBeanLocal) {
            this.userBeanLocal = userBeanLocal;
        }

        public UserBeanLocal getUserBeanLocal() {
            return userBeanLocal;
        }

        @Override
        public Authentication authenticate(Authentication auth)
                throws AuthenticationException {

            // checking logic here (condition will be replaced, true is just temporary)
            if (true) {
                SecurityContextHolder.getContext().setAuthentication(auth);
                return new UsernamePasswordAuthenticationToken(auth.getName(), auth.getCredentials()); // what should this return, and to whom?
            }

            throw new BadCredentialsException("zle udaje");
        }

        // check whether / which tokens this auth provider accepts
        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }
    and configuration:
    web.xml:
    Code:
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/springmvc-servlet.xml
            /WEB-INF/security-app-context.xml
        </param-value>
    </context-param>
    springmvc-servlet.xml:
    Code:
    ...
    <bean id="userBean"
            class="org.springframework.jndi.JndiObjectFactoryBean">
        <property name="jndiName" value="skh-retail/UserBean/local" />
        <property name="resourceRef" value="true" />
    </bean>

    <bean id="myUsernamePasswordAuthenticationProvider"
            class="sk.skhplus.retail.controller.MyUsernamePasswordAuthenticationProvider">
        <property name="userBeanLocal" ref="userBean" />
    </bean>
    /WEB-INF/security-app-context.xml:
    Code:
    ...
    <http auto-config='true'>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login default-target-url="/jsp/hello.do" />
        <http-basic />
    </http>

    <authentication-manager>
        <authentication-provider ref="myUsernamePasswordAuthenticationProvider"/>
    </authentication-manager>
    Compiling and deploying goes fine without any errors, but when I try to log in in the browser (I expect that with this configuration (always-true condition in MyUsernamePasswordAuth. provider) anything should be accepted) I'm getting just:

    HTTP Status 403 - Access is denied

    type Status report

    message Access is denied

    description Access to the specified resource (Access is denied) has been forbidden.
    JBoss Web/2.1.2.GA


    Can you please tell me where I'm going wrong, or what I am missing?
    Thanks in advance!

  2. #2
    Join Date
    Dec 2008
    Location
    New York City
    Posts
    134

    If I were to make a guess, you should look at your intercept-urls. Maybe you need an exclusion for the login form?

    http://static.springsource.org/sprin...tml#ns-minimal

  3. #3
    Join Date
    Sep 2011
    Posts
    18

    No, I don't think so... I didn't mention that the login form shows; it's just when I log in that the 403 message appears.

    I have some questions:
    What should the AuthenticationProvider return, and to whom? An Authentication object? How do I construct it?
    In the case of UsernamePasswordAuthenticationToken, should the user's role be mentioned there?

    I have read that Spring actually does not care how the SecurityContext is populated with the authentication object, so when I put the "SecurityContextHolder.getContext().setAuthentication(auth);" line into my authentication provider, shouldn't it be enough? Of course it's not right, I put it there just to test the very first functionality...

    Thanks for answers and advice.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826


    Quote Originally Posted by greengold View Post
    Code:
    ...
        @Override
        public Authentication authenticate(Authentication auth)
                throws AuthenticationException {

            // checking logic here (condition will be replaced, true is just temporary)
            if (true) {
                SecurityContextHolder.getContext().setAuthentication(auth);
                return new UsernamePasswordAuthenticationToken(auth.getName(), auth.getCredentials()); // what should this return, and to whom?
            }
        }
    You do not need to call SecurityContextHolder here. Return the Authentication and Spring Security will set it on the SecurityContextHolder.

    Quote Originally Posted by greengold View Post
    Compiling and deploying goes fine without any errors, but when I try to log in in the browser (I expect that with this configuration (always-true condition in MyUsernamePasswordAuth. provider) anything should be accepted) I'm getting just:

    HTTP Status 403 - Access is denied
    The Authentication you are setting does not have ROLE_USER and is not marked as authenticated (since it has no roles). Since it has no roles, it means the user is correctly identified, but access is denied to them because they do not have ROLE_USER.

    PS: As arthomps mentioned you will need to make the form URL and login URL public as soon as you customize it (i.e. when Spring Security isn't rendering it for you).
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Sep 2011
    Posts
    18

    Yes, that was the problem...
    UsernamePasswordAuthenticationToken needed the third parameter, the authorities list...

    So it's:
    Code:
    import java.util.List;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;

    // assumed definition of AUTHORITIES (not shown in the original post): the role
    // that the intercept-url in security-app-context.xml requires
    private static final List<GrantedAuthority> AUTHORITIES =
            AuthorityUtils.createAuthorityList("ROLE_USER");

    @Override
    public Authentication authenticate(Authentication auth)
            throws AuthenticationException {

        // the EJB returns the registered users matching this username/password pair
        List<User> allowedUsersList = userBeanLocal.getRegisteredUsers(auth.getName(),
                auth.getCredentials().toString());

        if (!allowedUsersList.isEmpty()) {
            // three-argument constructor: the token carries authorities and is marked authenticated
            return new UsernamePasswordAuthenticationToken(auth.getName(),
                    auth.getCredentials(), AUTHORITIES);
        }
        throw new BadCredentialsException("zle udaje");
    }
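    To tie the answers together, here is an added example (not code from this thread or from Spring Security) of a provider that does what Rob Winch describes: it validates against an injected lookup and returns a token that carries authorities, so the result is marked authenticated and passes the ROLE_USER intercept-url. UserLookup is a hypothetical stand-in for the poster's UserBeanLocal EJB; the class name and "Bad credentials" message are also assumptions.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/** Hypothetical lookup standing in for the poster's UserBeanLocal EJB (assumption, not Spring API). */
interface UserLookup {
    /** Role names for a matching username/password pair, or an empty list when there is no match. */
    List<String> rolesFor(String username, String password);
}

public class EjbBackedAuthenticationProvider implements AuthenticationProvider {

    private final UserLookup users;

    public EjbBackedAuthenticationProvider(UserLookup users) {
        this.users = users;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String username = auth.getName();
        Object credentials = auth.getCredentials();
        // A request token may arrive without credentials; fail closed rather than call toString() on null.
        if (credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        List<String> roles = users.rolesFor(username, credentials.toString());
        if (roles.isEmpty()) {
            // Same message for unknown user and wrong password, so the response does not reveal which it was.
            throw new BadCredentialsException("Bad credentials");
        }
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(roles.toArray(new String[0]));
        // The three-argument constructor sets authenticated=true and carries the authorities the
        // intercept-url check needs; the two-argument form leaves authenticated=false, hence the 403.
        // SecurityContextHolder is not touched: the filter chain stores the returned token itself.
        return new UsernamePasswordAuthenticationToken(username, credentials, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

    Wired in place of myUsernamePasswordAuthenticationProvider in security-app-context.xml, a successful lookup yields a token whose isAuthenticated() is true and whose authorities satisfy access="ROLE_USER".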
