DaoAuthenticationProvider authentication problem

[kibyegon]

I have a gwt 2.1 app with Spring-security(3.0.5) providing security for the app. I'm also using Hibernate 3.5.0 for persisting the data from the db.

Now there is a very weird problem that I have. The authentication only works if the user's password matches their username. for exampel if a user has the username 'user' then the password has to be 'user' for it to authenticate. If a user's password is different from their username, it spews out this error.

Code:

[DEBUG] [btpool0-0 06:58:39] (ProviderManager.java:doAuthentication:127) Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
Hibernate: select user0_.id as id0_, user0_.accountNonExpired as accountN2_0_, user0_.accountNonLocked as accountN3_0_, user0_.credentialsNonExpired as credenti4_0_, user0_.enabled as enabled0_, user0_.first_name as first6_0_, user0_.other_names as other7_0_, user0_.password as password0_, user0_.phone as phone0_, user0_.username as username0_, user0_.zone_id as zone11_0_ from users user0_ where user0_.username=?
[DEBUG] [btpool0-0 06:58:40] (DaoAuthenticationProvider.java:additionalAuthenticationChecks:69) Authentication failed: password does not match stored value
[DEBUG] [btpool0-0 06:58:40] (AbstractAuthenticationProcessingFilter.java:unsuccessfulAuthentication:318) Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
[DEBUG] [btpool0-0 06:58:40] (AbstractAuthenticationProcessingFilter.java:unsuccessfulAuthentication:319) Updated SecurityContextHolder to contain null Authentication

This is an excerpt of my applicationContext.xml

Code:

	<beans:bean id="userDetailsService"
		class="com.scarab.precisionWeb.server.auth.UserDetailsServiceImpl">
	</beans:bean>
	
	<beans:bean id="daoAuthenticationProvider"
 class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>

<beans:bean id="authenticationManager"
    class="org.springframework.security.authentication.ProviderManager">
  <beans:property name="providers">
    <beans:list>
      <beans:ref local="daoAuthenticationProvider" />
    </beans:list>
  </beans:property>
</beans:bean>

<authentication-manager>
  <authentication-provider user-service-ref="userDetailsService">
    <!-- password-encoder hash="md5"/ -->
  </authentication-provider>
</authentication-manager>

this is my UserDetailsService implementation class

Code:

@Service("userDetailsService")
@Transactional
public class UserDetailsServiceImpl implements UserDetailsService {

	@Autowired public UserDao dao;

	public UserDetails loadUserByUsername(String username)
			throws UsernameNotFoundException, DataAccessException {
		User userEntity = dao.findByUsername(username);
		if (userEntity == null) {
			throw new UsernameNotFoundException("User not found");
		} else {
			String name = userEntity.getUsername();
			String password = userEntity.getPassword();
			boolean enabled = userEntity.isEnabled();
			boolean accountNonExpired = userEntity.isEnabled();
			boolean credentialsNonExpired = userEntity.isEnabled();
			boolean accountNonLocked = userEntity.isEnabled();
			
			

			List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
			authorities.add(new GrantedAuthorityImpl("ROLE_USER"));

			return new User(authorities, name, password, enabled,
					accountNonExpired, credentialsNonExpired, accountNonLocked);
		}
	}
}

and my RPC authentication server class

Code:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import com.scarab.precisionWeb.client.AuthService;



@SuppressWarnings("serial")
public class AuthServiceImpl extends RemoteServiceServlet implements AuthService {

	@Override
	public String retrieveUsername() {		
		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
		
		if (authentication==null) {
			System.out.println("Not logged in");
			return null;
		}
		else {
			return (String) authentication.getPrincipal();
		}
		
	}
	
}

The reason as to why it only allows authentication to users where their username and password match is still a mystery to me. Where I'm I going wrong. Help is highly appreciated.

[Luke Taylor]

Write a test and check that your UserDetailsService is returning the correct data.

[kibyegon]

Thanks Luke for your fast reply. I printed out the password from my UserDetailsService implementation and it is the same password in the database. Could writing a TestCase give a different result?

Sorry for asking another question within this thread, hey its Luke Taylor, I couldn't resist. I have this other problem http://stackoverflow.com/questions/5...security-login there's an answer posted that links to an issue assigned to you. Could you shed some light on how to go about this.

[pmularien]

Write a test and check that your UserDetailsService is returning the correct data.

What is the "User" object that you're returning from the UserDetailsService? It can't be the standard Spr Sec one, because the constructor arguments are in the wrong order (ref Javadoc). Verify that the implementation of your custom user class is returning the right values for the UserDetails contract.

[kibyegon]

What is the "User" object that you're returning from the UserDetailsService? It can't be the standard Spr Sec one, because the constructor arguments are in the wrong order (ref Javadoc). Verify that the implementation of your custom user class is returning the right values for the UserDetails contract.

Thanks Pmularien, I am using a custom User object. I have solved the problem. The problem was that in my UserDetailsService implementation class I was creating the User object with the wrong order of arguments. Thank you very much for your help, really appreciate it.

[pmularien]

Thanks Pmularien, I am using a custom User object. I have solved the problem. The problem was that in my UserDetailsService implementation class I was creating the User object with the wrong order of arguments. Thank you very much for your help, really appreciate it.

I'm happy that I guessed correctly, and even happier that you've solved your problem!