
Thread: disabling default RememberMeAuthenticationProvider


  1. #1

    disabling default RememberMeAuthenticationProvider

    By default, Spring's RememberMeAuthenticationProvider is called for remember-me authentication. How can I disable that?
    I tried setting the list of AuthenticationProviders as a property, but it didn't work.
    Code:
    <!--
      Web security for this application: custom access decision manager, a session
      authentication strategy, form login with custom success/failure handlers, logout,
      an anonymous principal and namespace remember-me.
      NOTE(review): requires-channel="https" is set only on /myaccount_landing_page.htm. Nothing
      in this listing forces /standardlogin.htm or the credential POST onto HTTPS, so confirm
      that the login form and the remember-me cookie never travel over plain HTTP.
    -->
    <security:http
            access-decision-manager-ref="accessDecisionManager"
            access-denied-page="/home.htm?failed=true">

        <security:session-management
                session-authentication-strategy-ref="sessionFixation"
                invalid-session-url="/home.htm"/>

        <!-- The only URL rule in this element: two roles allowed, HTTPS required. -->
        <security:intercept-url
                pattern="/myaccount_landing_page.htm"
                access="ROLE_CUSTOMERGROUP,ROLE_EMPLOYEEGROUP"
                requires-channel="https"/>

        <!-- HTTP/HTTPS port pairs used when a request is redirected between channels. -->
        <security:port-mappings>
            <security:port-mapping http="9001" https="9002"/>
            <security:port-mapping http="80" https="443"/>
        </security:port-mappings>

        <security:form-login
                login-page="/standardlogin.htm"
                authentication-success-handler-ref="authenticationSuccessHandler"
                authentication-failure-handler-ref="authenticationFailureHandler"/>

        <!-- Logout invalidates the HTTP session before redirecting to the home page. -->
        <security:logout
                logout-url="/j_spring_security_logout"
                logout-success-url="/home.htm"
                invalidate-session="true"/>

        <security:anonymous username="anonymous"/>

        <!--
          Besides wiring rememberMeServices, the namespace element registers Spring's stock
          RememberMeAuthenticationProvider with this key. The key is the server-side secret
          behind the remember-me token: load it from protected configuration instead of a
          literal, keep it identical in every bean that repeats it, and replace any value
          that has been published.
        -->
        <security:remember-me
                services-ref="rememberMeServices"
                key="88336b5bb2a1cc21bac7cf33fd451270"/>
    </security:http>
        
        <!--
          Session authentication strategy referenced by <security:session-management>.
          NOTE(review): the class is a hybris type whose behaviour is not shown in this listing.
        -->
        <bean id="sessionFixation"
              class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>

        <!-- Enables @Secured method checks, decided by the same manager as the URL checks. -->
        <security:global-method-security
                secured-annotations="enabled"
                access-decision-manager-ref="accessDecisionManager"/>

        <!--
          Explicitly declared providers, exposed under the alias theAuthenticationManager.
          The manager consults providers in list order and skips any provider that does not
          support the presented token type.
        -->
        <security:authentication-manager alias="theAuthenticationManager">
            <security:authentication-provider ref="authenticationProvider"/>
            <security:authentication-provider ref="ecomRememeberMeAuthenticationProvider"/>
        </security:authentication-manager>

        <!--
          Custom login outcome handlers; each receives one fixed application-relative URL.
          NOTE(review): how the handlers use that URL is defined in project classes not shown here.
        -->
        <bean id="authenticationSuccessHandler"
              class="com.entertainment.ecom.web.auth.EcomAuthenticationSuccessHandler">
            <constructor-arg value="/firstpage.htm"/>
        </bean>

        <bean id="authenticationFailureHandler"
              class="com.entertainment.ecom.web.auth.EcomAuthenticationFailureHandler">
            <constructor-arg value="/home.htm?failed=true"/>
        </bean>
    	
        <!--
          Concrete provider bean that inherits its class and settings from the abstract
          ecomAuthenticationProvider template below.
          NOTE(review): scope="tenant" is not a built-in Spring scope; presumably it is supplied
          by the hybris platform. Confirm how long a provider instance lives in that scope.
        -->
        <bean id="authenticationProvider"
              parent="ecomAuthenticationProvider"
              scope="tenant"/>

        <bean id="ecomAuthenticationProvider"
              class="com.entertainment.ecom.web.auth.EcomAuthenticationProvider"
              abstract="true"
              scope="tenant"/>

        <!-- Set of group names; no other bean in this listing refers to it. -->
        <util:set id="authorizedGroups" value-type="java.lang.String">
            <value>customergroup</value>
        </util:set>

        <!--
          AffirmativeBased grants access as soon as a single voter votes to grant, so each
          voter in the list widens what is allowed.
          NOTE(review): HybrisNotInitializedVoter is a hybris class not shown here; check the
          conditions under which it grants access.
        -->
        <bean id="accessDecisionManager"
              class="org.springframework.security.access.vote.AffirmativeBased">
            <property name="decisionVoters">
                <list>
                    <bean id="notInitializedVoter"
                          class="de.hybris.platform.spring.security.voter.HybrisNotInitializedVoter"/>
                    <bean id="roleVoter"
                          class="org.springframework.security.access.vote.RoleVoter"/>
                    <bean id="authenticatedVoter"
                          class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                </list>
            </property>
        </bean>
    	
    	
    	<!-- Project UserDetailsService; rememberMeServices uses it to load the remembered user. -->
    	<bean id="ecomUserDetailsService"
    	      class="com.entertainment.ecom.web.auth.EcomUserDetailsService"/>

    	<!--
    	  Hand-declared username/password filter bound to /j_spring_security_check.
    	  NOTE(review): <security:form-login> already makes the namespace create a login filter,
    	  and in this listing the bean below is referenced only by myfilterChainProxy. Confirm
    	  which of the two filters actually handles login requests.
    	-->
    	<bean id="authenticationFilter"
    	      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    		<property name="filterProcessesUrl" value="/j_spring_security_check"/>
    		<property name="authenticationManager" ref="theAuthenticationManager"/>
    		<property name="rememberMeServices" ref="rememberMeServices"/>
    		<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
    		<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
    	</bean>
    	
    	<!--
    	  Hand-declared remember-me filter: obtains a token from rememberMeServices and hands it
    	  to theAuthenticationManager for authentication.
    	-->
    	<bean id="rememberMeFilter"
    	      class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    		<property name="authenticationManager" ref="theAuthenticationManager"/>
    		<property name="rememberMeServices" ref="rememberMeServices"/>
    	</bean>

    	<!--
    	  Cookie-based remember-me. The cookie is named ENTC, is requested through the
    	  _spring_security_remember_me parameter and stays valid for 80000 seconds (about 22 hours).
    	  The key is the server-side secret in the cookie signature: load it from protected
    	  configuration rather than a literal, keep it equal to the key on <security:remember-me>
    	  and on the remember-me provider, and replace it if it has been disclosed.
    	-->
    	<bean id="rememberMeServices"
    	      class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
    		<property name="key" value="88336b5bb2a1cc21bac7cf33fd451270"/>
    		<property name="userDetailsService" ref="ecomUserDetailsService"/>
    		<property name="cookieName" value="ENTC"/>
    		<property name="parameter" value="_spring_security_remember_me"/>
    		<property name="tokenValiditySeconds" value="80000"/>
    	</bean>
    	
    	<!-- Concrete remember-me provider bean; inherits from the abstract template below. -->
    	<bean id="ecomRememeberMeAuthenticationProvider"
    	      parent="rememberUserAuthenticationProvider"
    	      scope="tenant"/>

    	<!--
    	  Template for the project's own remember-me provider.
    	  NOTE(review): the key is presumably compared with the key carried by the remember-me
    	  token, as the stock provider does; confirm in the project class. It repeats the literal
    	  used by rememberMeServices, so any key change has to be made in every place together.
    	-->
    	<bean id="rememberUserAuthenticationProvider"
    	      class="com.entertainment.ecom.web.auth.EcomRememeberMeAuthenticationProvider"
    	      abstract="true"
    	      scope="tenant">
    		<property name="key" value="88336b5bb2a1cc21bac7cf33fd451270"/>
    	</bean>

    	<!--
    	  Separate filter chain for /firstpage.htm holding only the two hand-declared filters.
    	  NOTE(review): nothing in this listing shows where myfilterChainProxy is mapped; confirm
    	  that it is actually in use alongside the chain that <security:http> builds.
    	-->
    	<bean id="myfilterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    		<security:filter-chain-map path-type="ant">
    			<security:filter-chain
    					pattern="/firstpage.htm"
    					filters="authenticationFilter,rememberMeFilter"/>
    		</security:filter-chain-map>
    	</bean>
    Last edited by sand_sio2; Mar 14th, 2011 at 11:13 AM.

  2. #2


    I'm not sure what you mean by disable RememberMeAuthenticationProvider. You can disable remember me by removing the <security:remember-me /> element. If this is not what you meant, can you please elaborate?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3

    want to call custom RememberMe authentication provider first

    if we configure
    Code:
    <!--
      Besides wiring rememberMeServices, this namespace element registers Spring's stock
      RememberMeAuthenticationProvider with the given key. The key is a server-side secret:
      load it from protected configuration and replace any value that has been published.
    -->
    <security:remember-me
            services-ref="rememberMeServices"
            key="88336b5bb2a1cc21bac7cf33fd451270"/>
    Spring will try to authenticate the request with org.springframework.security.authentication.RememberMeAuthenticationProvider when the Authentication object is of type RememberMeAuthenticationToken.

    The authentication providers in the following configuration will be called only after the default authentication provider above.
    Code:
    <!--
      Explicitly declared providers. The manager consults providers in list order and skips
      any provider that does not support the presented token type.
      NOTE(review): where a provider registered by <security:remember-me> lands relative to
      these two entries is not visible in this snippet.
    -->
    <security:authentication-manager alias="theAuthenticationManager">
        <security:authentication-provider ref="authenticationProvider"/>
        <security:authentication-provider ref="ecomRememeberMeAuthenticationProvider"/>
    </security:authentication-manager>
    But I want to use a custom authentication provider without changing RememberMeServices, RememberMeAuthenticationToken, or RememberMeAuthenticationFilter.
    Last edited by sand_sio2; Mar 15th, 2011 at 08:24 AM.

  4. #4


    If you want to customize remember me authentication, I would provide a custom RememberMeServices (that perhaps just extends one of the current implementations). This is easier to hook in using the namespace configuration and since the RememberMeServices.autoLogin method is already doing authentication it logically makes sense to do.

    If you really want a custom AuthenticationProvider instead of using a custom RememberMeServices, you can use standard bean configuration for remember me (See the source for AuthenticationConfigBuilder on what the namespace does) or a BeanPostProcessor as mentioned in the FAQ.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
