Jun 3rd, 2008, 03:36 AM
Primary/Secondary Authentication Strategy
I'm quite a newbie in the Spring Security domain and I'm in charge of using it to implement our authentication layer.
Our use case is the following:
For our company, we'd like to authenticate to our application using NTLM authentication, but other companies should use our application with certificate-based authentication.
I see it like this: try NTLM authentication as a first step; if authentication fails, then try certificate authentication as an optional second step.
Can this be achieved with Spring Security? If so, can I do this with the SS base API, or do I have to implement/extend some classes to get this behavior?
Do you have any leads?
Jun 5th, 2008, 05:14 PM
It is a little more difficult to do what you just described due to the involvement of certificate authentication.
Let's rework your scenario to want NTLM for network logins, and say username/password authentication otherwise. Doing this would just require a custom AuthenticationEntryPoint. The entry point would decide whether to delegate to the normal NtlmProcessingFilterEntryPoint or the AuthenticationProcessingFilterEntryPoint. Many applications make this decision on the basis of IP addresses (e.g. a LAN IP address indicates an NTLM network login can be expected).
What complicates your desired configuration is the certificate authentication, which necessitates the servlet container requiring a certificate to be presented as part of HTTPS channel establishment. Then use Spring Security's <x509> element to look for that certificate. Finally, you'd configure the use of the NtlmProcessingFilterEntryPoint, since if authentication is ever needed, you'll want it approached using NTLM (as they never provided a client certificate at HTTPS establishment time). You do this via the Spring Security <http entry-point-ref="xxx"> element, as there are no NTLM-specific elements in the 2.0.2 namespace.
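The address-based delegating entry point described above, as an added illustration that is not code from the thread or from Spring Security itself. It assumes the Spring Security 2.0.x API (org.springframework.security.ui.AuthenticationEntryPoint with a ServletRequest-based commence method); the class name, the LAN CIDR property and the two injected entry points are hypothetical and would be wired in via <http entry-point-ref="...">.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.AuthenticationException;
import org.springframework.security.ui.AuthenticationEntryPoint;

/**
 * Hypothetical entry point that picks one of two delegates by the client's network address:
 * requests from the configured LAN range go to the NTLM entry point, everything else to the
 * username/password entry point. Wired as <http entry-point-ref="networkDelegatingEntryPoint">.
 */
public class NetworkDelegatingEntryPoint implements AuthenticationEntryPoint {

    private AuthenticationEntryPoint lanEntryPoint;      // e.g. an NtlmProcessingFilterEntryPoint bean
    private AuthenticationEntryPoint externalEntryPoint; // e.g. an AuthenticationProcessingFilterEntryPoint bean
    private byte[] lanNetwork;                           // network part of the CIDR, e.g. 10.0.0.0
    private int lanPrefixLength;                         // prefix length, e.g. 8 for "10.0.0.0/8"

    /** Accepts an assumed configuration value such as "10.0.0.0/8" or "fd00::/8". */
    public void setLanCidr(String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        lanNetwork = InetAddress.getByName(parts[0]).getAddress(); // literal IP: no DNS lookup happens
        lanPrefixLength = Integer.parseInt(parts[1]);
    }
    public void setLanEntryPoint(AuthenticationEntryPoint ep) { lanEntryPoint = ep; }
    public void setExternalEntryPoint(AuthenticationEntryPoint ep) { externalEntryPoint = ep; }

    /** True when the address lies inside the configured block; a v4/v6 mismatch is never a match. */
    boolean isLanAddress(String remoteAddr) throws UnknownHostException {
        byte[] addr = InetAddress.getByName(remoteAddr).getAddress();
        if (addr.length != lanNetwork.length) return false;
        int fullBytes = lanPrefixLength / 8, remainingBits = lanPrefixLength % 8;
        if (!Arrays.equals(Arrays.copyOf(addr, fullBytes), Arrays.copyOf(lanNetwork, fullBytes))) return false;
        if (remainingBits == 0) return true;
        int mask = 0xFF << (8 - remainingBits);              // compare only the leading bits of the next byte
        return (addr[fullBytes] & mask) == (lanNetwork[fullBytes] & mask);
    }

    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        // Decide on the socket peer address. A proxy header such as X-Forwarded-For is client-supplied
        // and is only meaningful when a reverse proxy you control sets it, so it is not consulted here.
        AuthenticationEntryPoint target = isLanAddress(request.getRemoteAddr()) ? lanEntryPoint : externalEntryPoint;
        target.commence(request, response, authException);
    }
}
```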
Jun 6th, 2008, 12:26 AM
Thanks for answering. I need more details on this matter.
If I use both <x509> and the NTLM entry point, can I specify which one will happen first (is it the definition order in the Spring config file?), and if the first authentication mechanism is successful (NTLM in my case), can I bypass the other mechanism?
If so, how can it be done?
Thank you again.
Jun 6th, 2008, 06:39 AM
I think you're misunderstanding how X.509 authentication works. It takes place at the protocol level and will either happen or not depending on whether the client submits a certificate that is acceptable to the container's SSL setup. Up to that point Spring Security hasn't been involved. When the request comes in and the client certificate is found, Spring Security will extract the user information and attempt to load authority data for that user. If the user isn't found or there is no certificate, then NTLM will be the fallback.
So the question of how you control the order (NTLM vs X.509) doesn't really make sense. If you want to force external clients to present a valid certificate then you can probably do that by configuring your web server or servlet container appropriately (it would certainly be possible with Apache).