Multiple realms, disable credentialsexpired in one of them, how?

[RoyBatty]

Hi,

ok, so my use case is that i have a webapp, with a website and a restservice for smartclients. I have a "credentialsexpired" process working for the web as per usual.

Now, i am trying to bypass that check for the restservices, but i am confused as to how.

i have two realms, one normal and one for rest:

Code:

<http pattern="/rest/**" create-session="stateless" access-decision-manager-ref="accessDecisionManager"
          use-expressions="true" realm="nubarest" entry-point-ref="restAuthenticationEntryPoint">
        <intercept-url pattern='/**' access="isAuthenticated()"/>
        <http-basic/>
    </http>

Code:

http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint"
          access-decision-manager-ref="accessDecisionManager" use-expressions="true" realm="nuba">

i have the authenticationmanager set up as:

Code:

<authentication-manager alias="authenticationManager">
        <authentication-provider ref="theAuthenticationProvider"/>
    </authentication-manager>
<beans:bean id="theAuthenticationProvider"
                class="xxxxxxxxx.TheDaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailService"/>
        <beans:property name="passwordEncoder" ref="passwordManager"/>
    </beans:bean>

So, what ends up happening, naturally is that the "DefaultPostAuthenticationChecks" method in the AbstractUserDetailsAuthenticationProvider, throws an AuthenticationException when the account creds are expired.


..SO, i want to disable that check ONLY for my rest realm... but keep everything else the same between realms. If anybody could nudge me in the right direction, i'd be most happy!


EDIT: to clarify, i *think* i want two authenticationproviders, one for my rest realm, and on for my web realm. I'm just not sure how to make my authenticationmanager to know to pick the right one...

[Rob Winch]

This is made a lot easier in master (the code is not released yet) since you can use http@authentication-manager-ref to specify which authentication manager to use for each http block. See https://jira.springsource.org/browse/SEC-1847 for details.

[RoyBatty]

Rwinch,

wow that's great news! Thanks.


Now, if you have the time, would you satisfy my curiosity and help me out as to how i would have done it prior?

I.e. either

1. make the authenticationmanager pick different providers based on realm OR url somehow.

2. Have only one authenticationprovider, as i have now (mine extends the DaoAuthenticationProvider), but change the "postauthenticationchecks" to a class that doesn't throw CredentialsExpired exceptions.


for 2. i have right now disabled the post authentication checks by injecting a custom "DoNothing"-UserDetailsCheckers as such:

Code:

<beans:property name="postAuthenticationChecks" ref="restPostAuthenticationChecks"/>

But this is now applied to all my http-realms since i only have one authenticationprovider and -manager, so disabled checks never happens.

I then thought i could have a special filter that does the same as the "default" postauthenticationchecks, i.e. check if the account is disabled, and only have that filter in my "non-rest" realm.

I am not sure how to do this though... and is there another, better way perhaps?

[Rob Winch]

There are a number of options you could use. Use a BeanPostProcessor as mentioned on the FAQ, avoid using the namespace for creating the objects that require the custom AuthenticationManager, etc.