Custom Spring Authentication

[navid]

Hi,

We have an application which stores user's credentials on a remote-service's database.

We have written classes which lets us know whether a uname and pw
are valid or not in remote-service.

I wonder how can I customise spring-security's default behaviour and integrate it with those classes to authenticate users?

I'm using spring-security 3.0

Any help appreciated.

[Rob Winch]

First I would setup a working example with the in memory authentication that Spring Security offers. You can refer to one of the sample applications for a working example. After you have done this, write a custom AuthenticationProvider and include it in your Spring Security configuration. The AuthenticationProvider.supports method should return true for UsernamePasswordAuthenticationToken.class. The authenticate method should validate the username password by calling your remote service. Upon doing so it should create an Authentication object (i.e. UsernamePasswordAuthenticationToken) that indicates it is authenticated (you do this by calling the constructor which has granted authorities).

HTH,

[navid]

Thanks Rob,

I just wrote and Configured my custom AuthenticationProvider.
And It just worked!

Now authentication.getAuthorities() returns an empty array.
I wonder how can I add an authority to authentication object ?

[Rob Winch]

When you create the authentication object you need to pass in the GrantedAuthority's you want. If you need to modify the values you need to create a new instance of that object with the new values. The Authentication objects are immutable since the Authentication is used over multiple threads.