-
Apr 12th, 2008, 10:45 PM
#1
How to get the Password for a Custom UserDetailsService?
Using Acegi-Security-1.0.6, I coded a custom UserDetailsService and implemented the loadUserByUsername(String userName) method.
In the loadUserByUsername(String userName) method, I need to call my company's corp authentication service to get the user roles. Trouble is my company requires both userName and password for authentication, but I can only get userName from the method param. How can I get the password the user typed in the login form?
Thanks to anyone who can shed light on this.
-
Apr 13th, 2008, 12:17 AM
#2
I subclassed the AuthenticationProcessingFilter and combined userName:password together, then did a split in the loadUserByUsername method.
Works now, but is it the proper way of doing it?
Thanks.
-
Apr 13th, 2008, 02:45 PM
#3
There is also one possibility: when you create your own custom Authentication Processing Filter, just override the method named "onPreAuthentication", which actually belongs to AbstractProcessingFilter, and when you call obtainPassword in it, it will give you the password. Just check the code below; it might help you:

    @Override
    protected void onPreAuthentication(HttpServletRequest httpservletrequest,
                                       HttpServletResponse httpservletresponse)
            throws AuthenticationException, IOException
    {
        // TODO Auto-generated method stub
        super.onPreAuthentication(httpservletrequest, httpservletresponse);
        // obtainPassword() reads the password parameter from the login request
        System.out.println("--- password --- " + obtainPassword(httpservletrequest));
    }

And from here you can put it into the session, but I am also confused about how to retrieve this password from the session in any other class.
Thanks
Gaurav
-
Apr 14th, 2008, 12:22 PM
#4
Thanks ram. I was thinking the same way, but can't figure out how to get the password out later.
Here is what I did:
1. Make a custom class as the AuthenticationProcessingFilter, make
username = username.trim() + "::" + password.trim();

    public class MyAuthenticationProcessingFilter extends AuthenticationProcessingFilter {
        public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
            String username = obtainUsername(request);
            String password = obtainPassword(request);
            if (username == null) {
                username = "";
            }
            if (password == null) {
                password = "";
            }
            //username = username.trim();
            username = username.trim() + "::" + password.trim();
            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
            // Place the last username attempted into HttpSession for views
            HttpSession session = request.getSession(false);
            if (session != null || getAllowSessionCreation()) {
                request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, username);
            }
            // Allow subclasses to set the "details" property
            setDetails(request, authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }

2. You will receive string username.trim() + "::" + password.trim() in your custom UserDetailsService class, loadUserByUsername(String userName), as userName input. The password is not encrypted, and you can go from there...

    public UserDetails loadUserByUsername(String userName) {
        //userName received is username.trim() + "::" + password.trim()
        //password is not encrypted
    }

3. I can wire the MyAuthenticationProcessingFilter in version 1.0.6, but not in version 2.0.0.RC1, see another thread for detail...
-
Apr 14th, 2008, 04:26 PM
#5
How about rolling your own implementation of AuthenticationProvider?
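
The suggestion in post #5, sketched as an added example that is not part of the original thread or of Acegi itself: an AuthenticationProvider receives the whole login token, so the password is available from getCredentials() without being concatenated into the username or stored in the session. CorpAuthService and its authenticate method are hypothetical stand-ins for the corporate service; the imports are the Acegi 1.0.x packages (Spring Security 2.0 moved them under org.springframework.security).

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/** Hypothetical wrapper for the corporate service: role names on success, null if rejected. */
interface CorpAuthService {
    String[] authenticate(String username, String password);
}

public class CorpAuthenticationProvider implements AuthenticationProvider {
    private CorpAuthService corpAuthService; // injected through the Spring bean definition

    public void setCorpAuthService(CorpAuthService corpAuthService) {
        this.corpAuthService = corpAuthService;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // The filter's UsernamePasswordAuthenticationToken carries both login form values.
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (username == null || username.length() == 0 || credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        String[] roles = corpAuthService.authenticate(username.trim(), credentials.toString());
        if (roles == null) {
            // Same message for every failure, so the response does not reveal which part was wrong.
            throw new BadCredentialsException("Bad credentials");
        }
        // Assumption: the service returns bare role names; "ROLE_" is RoleVoter's default prefix.
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            authorities[i] = new GrantedAuthorityImpl("ROLE_" + roles[i]);
        }
        // The three-argument constructor produces a token already marked as authenticated.
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(username.trim(), credentials, authorities);
        result.setDetails(authentication.getDetails());
        return result;
    }

    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The provider is registered in the ProviderManager's providers list in place of the DaoAuthenticationProvider, so the stock AuthenticationProcessingFilter can stay unchanged.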
-
Apr 14th, 2008, 04:37 PM
#6
There are some thoughts of doing that and storing the password as a ThreadLocal variable; never tried it myself though.
My current approach can get the job done in my case; the only problem I have right now is how to wire the CustomFilter into security version 2.0.
Copied from the other thread for doing it and the current problem...

    <beans:bean class="MyCustomAuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
    </beans:bean>

(This assumes that you've declared the security namespace as the root
namespace of the XML.)
<custom-filter> takes 3 attributes, one of either after, before, or
position. The after and before attributes let you inject a custom filter
into the existing filter chain, while position allows you to replace one
of the filters in the chain with a custom filter.
However, the newest Spring Security jars I can find are still 2.0.0-RC1, which was released on 04/01. This package only supports the two attributes before and after in the <custom-filter>, not the position attribute. Guess I have to wait for the final jar files.