security:authentication-provider is hard-coded for DaoAuthenticationProvider?

[muaddib]

In simplest terms, how do I register custom AuthenticationProviders for spring-security-2.x?

I'm working with some recent snapshot of spring-webflow-samples/booking-mvc as my starting point, I'm using spring-security-2.0.0-RC1, and I'm struggling with authentication. I'm new to Acegi, so please bear with me. I've commented out the sample "security:authentication-provider" element, and am trying instead to configure a ProviderManager authenticationManager bean. All of my iterations are at best resulting in the following error:

Code:

... ProviderNotFoundException: No AuthenticationProvider found for {0}

For some background: I didn't have any problems building and running the sample application: I was able to authenticate using the sample security:authentication-provider as provided. I also didn't have any problems hooking my backend in through web-application-config.xml, and I've developed some controllers views which are successfully hitting my backend, producing the results I expect. In order to integrate with the legacy application I'm porting, I found it necessary to implement a custom AuthenticationProvider which extends AbstractUserDetailsAuthenticationProvider. I can't figure out how to configure spring-security to use this provider. Here are some relevant entries in my web-application-config.xml:

Code:

<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="myAuthenticationProvider" />
    </list>
  </property>
</bean>

<bean id="myUserDetailsService" class="com.myco.MyUserDetailsService"/>

<bean id="myAuthenticationProvider" class="com.myco.MyAuthenticationProvider"/>

<!-- Configure Spring Security -->
<security:http auto-config="true">
  <!-- restrict URLs based on role -->
  ...

<!--<security:authentication-provider>

Notice that I've commented out the security:authentication-provider element because it appears to be hard-coded only to support DaoAuthenticationProvider. Also, the altered application wouldn't run until I implemented MyUserDetailsService, despite the fact the first iteration of my custom AuthenticationProvider didn't require one.

When I dump the list of beans defined in my application context before I make my changes and after I make my changes, I see the following beans are present in the case which works, and not present in the case which doesn't work:

Code:

org.springframework.security.providers.dao.DaoAuthenticationProvider#0
_userDetailsService
org.springframework.security.config.AuthenticationProviderBeanDefinitionParser$AuthenticationProviderCacheResolver#0

Any clues? Is it folly to try to start with spring-security-2.x, rather than making something first work using Acegi-1.0.6?

[muaddib]

I asked a moment too soon. When I decorate my AuthenticationProvider like this, it gets picked up.

Code:

<bean id="myAuthenticationProvider" class="com.myco.MyAuthenticationProvider">
  <security:custom-authentication-provider/>
</bean>

BTW, the variable within the source for this string literal is misspelled: CUSTOM_AUTH_RPOVIDER rather than CUSTOM_AUTH_PROVIDER

[rishabh2u]

hey muaddib
I have a question and an answer for ya.

Answer: You dont need to use the UserDetailsService in your app. Just remove the auto-config="true" from <security:http auto-config="true"> and it should work fine. Basically auto-config="true" sets up multiple AuthenticationEntryPoints including Remmember-me which needs UserDetailsService .
Bear in mind u need to add your AuthenticationEntryPoints when u remove the auto-config="true" like this
<http>
<intercept-url pattern="/*" access="ROLE_USER" />
<form-login />
<anonymous />
<http-basic />
<logout />
</http>

Question: Can you post all the steps u took to get your customer AuthenticationProvider running.
I have wrote one and its getting loaded as a bean as well but its not getting called when i get a http request .
Here are my steps:
1)added the listiner in the web.xml
2)Added the following in my securities-context.xml
<http>
<intercept-url pattern="/*" access="ROLE_USER" />
<form-login />
<anonymous />
<http-basic />
<logout />
</http>

3)Added the following in my app contect.xml

<bean id="authenticationManager" class="org.springframework.security.providers.Prov iderManager">
<property name="providers">
<list>
<ref local="apcAuthenticationProvider" />
</list>
</property>
</bean>

<bean id="apcAuthenticationProvider" class="com.al.aig.ws.icc.APCAuthenticationProvider ">
<security:custom-authentication-provider />
</bean>

4)com.al.aig.ws.icc.APCAuthenticationProvider is as follows:

public class APCAuthenticationProvider implements AuthenticationProvider{

private static final Log log = LogFactory.getLog(LdapAuthenticationProvider.class );

public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
System.out.println("*** This is where I can put my own validation.");
return authentication;
}

public boolean supports(Class arg0) {
// TODO Auto-generated method stub
return false;
}

public APCAuthenticationProvider() {
System.out.println("*** APCAuthenticationProvider: Constructor .");

}
}

Basically all i am expecting this todo it call my authenticate method when a http request hits this web app.

Any help is appreciated.