Help with - Spring Security, JAAS, authentication-provider, UserDetailsService

[arunpsm]

Hi,

I am using Spring Security 2.0.1 with JAAS (J2SE 5) for a web application. I am at a loss to understand how to setup the <authentication-provider> within my security context as it expects a UserDetailsService implementation. All I have is JAAS that is supposed to provide the userDetails/authentication information.

Here is the snippet from applicationContext.xml
<bean id="jaasAuthenticationProvider"
class="org.springframework.security.providers.jaas .JaasAuthenticationProvider">
<security:custom-authentication-provider/>
<property name="loginConfig" value="/WEB-INF/login.conf" />
<property name="loginContextName" value="RDBMSLogin" />
<property name="callbackHandlers">
<list>
<bean
class="org.springframework.security.providers.jaas .JaasNameCallbackHandler" />
<bean
class="org.springframework.security.providers.jaas .JaasPasswordCallbackHandler" />
</list>
</property>
<property name="authorityGranters">
<list>
<bean
class="sample.framework.security.authorization.MyA uthorityGranter" />
</list>
</property>
</bean>


Here is the securityContext.xml

<beans:beans xmlns="...">

<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login />
<anonymous />
<http -basic />
<logout />
<remember-me />
</http >
<authentication-provider user-service-ref='WHAT-SHOULD-I-PUT-IN-HERE?'/>
</beans:beans>

[robinbajaj]

I might be incorrect, just making an educated guess,

(Based on from what I can understand from the namespace related documentation in sectoin 2.6 at
http://static.springframework.org/sp...ns-config.html )
I would guess you should be able to do the following since you don't need the default registered DaoAuthentication provider or its userDetailsService (since you are providing your own custom Authentication provider bean)

Code:

<beans:beans xmlns="...">

	<http  auto-config='true'>
		<intercept-url pattern="/**" access="ROLE_USER" />
		<form-login />
		<anonymous />
		<http -basic />
		<logout />
		<remember-me />
	</http >

	<bean id="jaasAuthenticationProvider"
		class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
		<security:custom-authentication-provider/>
		<property name="loginConfig" value="/WEB-INF/login.conf" />
		<property name="loginContextName" value="RDBMSLogin" />
		<property name="callbackHandlers">
			<list>
				<bean
					class="org.springframework.security.providers.jaas.JaasNameCallbackHandler" />
				<bean
					class="org.springframework.security.providers.jaas.JaasPasswordCallbackHandler" />
			</list>
		</property>
		<property name="authorityGranters">
			<list>
				<bean
					class="sample.framework.security.authorization.MyAuthorityGranter" />
			</list>
		</property>
	</bean>

[arunpsm]

Thanks robinbajaj. I tried the option you mentioned, but still does not work. It still expects the UserDetailsService implementation. Anyways I will keep trying other options - may be implement UserDetailsService that interfaces with JAAS.

[Luke Taylor]

Remember-me requires a UserDetailsService, so I'm guessing that's why your configuration isn't working.

It's always a good idea to check the changelog if you aren't using the latest version. And if you have an exception, then please post it with your question (along with the contextual information from the debug log) as it makes it so much easier to provide correct solutions.

[incubator]

I tried this some months ago too without success, and I also got stuck with the authority granter implementation...
I have no idea what I should implement when using JAAS :s

and a simple

Code:

if ("someuser".equalsIgnoreCase(principle.getName()) 
      // set user role to something

isn't a very good idea....

as of this day, even without using remember-me, with the same config for the rest, I did not get JAAS with spring security to work...