May 9th, 2011, 01:50 PM
Combining two authentication providers
I'm having the current problem which I can't really figure out how to solve: I want to use two authentication providers and combine them like this:
First provider will check a local database if the username exists, no password is stored here. I will also retrieve roles from this database. If this step succeeds, we will continue to the next step:
A CAS authentication using Spring Security's standard implementation.
What I would like to do is: Fetch roles from the first step and then fetch username/password in the second step. Any suggestions on how I should solve this?
May 10th, 2011, 08:33 AM
What is the goal in validating the username/password and then performing CAS authentication afterwards? This approach no longer allows for Single Sign On, so as I understand your goal it seems that CAS has lost its value.
May 10th, 2011, 08:40 AM
Our problem is that we have some data that needs to be stored in a local database. This data includes a username which indicates that the user is authorized for our system. We also store User Roles in our local database. CAS will be responsible for validating the password.
May 10th, 2011, 08:50 AM
I apologize, I misread your post to state that there was a password. What I am curious about is why you are trying to obtain the password. One of the goals of CAS is to keep the password limited to the scope of the CAS Server. Instead it uses one time use tickets. This helps to increase security.
The way this would normally work is you would obtain the username from the CAS response (thus the CAS Authentication must be first) and then you would look up the roles using a UserDetailsService. The lookup could be in whatever store you like (i.e. in memory, database, LDAP, etc). If you look at the CAS chapter it demonstrates how to wire in the UserDetailsService. Of course you can also wire in a custom AuthenticationUserDetailsService instead. You might read through the How CAS Works section of the 3.1 chapter to see how Spring Security works with CAS. Please note that some features in 3.1.x are not available in 3.0.x.
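The arrangement described in the reply above, as an added example that is not part of the original thread or Spring Security's own code: a custom AuthenticationUserDetailsService that runs after CAS has validated the ticket, takes the username from the CAS token, loads roles from the local store, and rejects users who are missing there. `LocalRoleUserDetailsService`, `LocalUserStore`, `findRoles` and `inMemory` are hypothetical names; the bean would be set on CasAuthenticationProvider's authenticationUserDetailsService property.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class LocalRoleUserDetailsService
        implements AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {

    /** Hypothetical view of the local database: usernames and roles, no passwords. */
    public interface LocalUserStore {
        /** Returns the user's role names, or null when the username is not registered. */
        List<String> findRoles(String username);
    }

    private final LocalUserStore store;

    public LocalRoleUserDetailsService(LocalUserStore store) {
        this.store = store;
    }

    /** Constructed sample store backed by a map, standing in for a JDBC or JPA lookup. */
    public static LocalUserStore inMemory(Map<String, List<String>> rolesByUser) {
        return rolesByUser::get;
    }

    @Override
    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) {
        // CAS has already validated the service ticket; the token carries only the username.
        String username = token.getName();
        List<String> roles = store.findRoles(username);
        if (roles == null) {
            // Fail closed: a valid CAS login without a local record is not authorized here.
            throw new UsernameNotFoundException("No local account for CAS user " + username);
        }
        // The application never sees the password, so a fixed placeholder is stored.
        return new User(username, "N/A",
                AuthorityUtils.createAuthorityList(roles.toArray(new String[0])));
    }
}
```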
May 10th, 2011, 09:09 AM
Thanks for your reply! I will look at the docs again, I must have missed the section you refer to.