Hi

I apologize if this is an oft-asked question, but I have not been able to find a suitable response in the forum.

I've got a very simple demo setup for spring security in my web app, involving the use of in-memory user/password credentials.

I now need to add some more controls to the authentication process, specifically:

  • Ability to integrate with a 3rd party LDAP server for credentials storage
  • Ability to enforce password strength policies (e.g. length, alphanumeric characters)
  • Forced password expiry after a certain configured time period
  • Password lockout after a number of failed attempts

At this point, being a relative newbie to Spring Security, and a definite newbie to LDAP, I'm not sure what the best way to proceed with design choices is here, or what the criteria might be for choosing the best approach, e.g.:

- Push as many or all of the additional features into the LDAP authentication process (presumably by subclassing various things)
- Use LDAP for credentials storage only, and implement the other features in a bespoke fashion by using a parallel JDBC-based persistent store that contains the additional attributes (e.g. date of password expiry, number of consecutive failed logins).

Any guidance would be most gratefully accepted; any sample code even more so.

Many thanks

Alan
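As an added illustration of the second option above (not code from the original post), this sketch lets LDAP do the bind and keeps lockout and expiry state in a JDBC side table. It assumes Spring Security 3.1 with the namespace config publishing authentication events, and a hypothetical table `account_policy(username, failed_attempts, password_changed)` with one row per LDAP user; the class names and thresholds are illustrative.

```java
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import org.springframework.context.ApplicationListener;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

/** Invoked by LdapAuthenticationProvider after a successful bind; adds lockout and expiry checks. */
public class PolicyAwareContextMapper extends LdapUserDetailsMapper {
    private final JdbcTemplate jdbc;
    private final int maxFailures;        // lock once this many consecutive failures are recorded
    private final int maxPasswordAgeDays; // force a change once the password is older than this

    public PolicyAwareContextMapper(JdbcTemplate jdbc, int maxFailures, int maxPasswordAgeDays) {
        this.jdbc = jdbc; this.maxFailures = maxFailures; this.maxPasswordAgeDays = maxPasswordAgeDays;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
                                          Collection<? extends GrantedAuthority> authorities) {
        // Hypothetical side table: account_policy(username, failed_attempts, password_changed)
        Map<String, Object> row = jdbc.queryForMap(
            "SELECT failed_attempts, password_changed FROM account_policy WHERE username = ?", username);
        int failures = ((Number) row.get("failed_attempts")).intValue();
        long ageMillis = System.currentTimeMillis() - ((Date) row.get("password_changed")).getTime();
        if (failures >= maxFailures) {                       // a correct password no longer helps
            throw new LockedException("Account locked after " + failures + " failed logins");
        }
        if (ageMillis > maxPasswordAgeDays * 86400000L) {    // days -> milliseconds
            throw new CredentialsExpiredException("Password older than " + maxPasswordAgeDays + " days");
        }
        return super.mapUserFromContext(ctx, username, authorities);
    }
}

/** Keeps the failure counter current from the events ProviderManager publishes on each attempt. */
class FailedLoginCounter implements ApplicationListener<AbstractAuthenticationEvent> {
    private final JdbcTemplate jdbc;
    FailedLoginCounter(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        String user = event.getAuthentication().getName();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            jdbc.update("UPDATE account_policy SET failed_attempts = failed_attempts + 1 WHERE username = ?", user);
        } else if (event instanceof AuthenticationSuccessEvent) {      // reset on a good login
            jdbc.update("UPDATE account_policy SET failed_attempts = 0 WHERE username = ?", user);
        }
    }
}
```

Wire the mapper into the LDAP provider with `user-context-mapper-ref` and register the listener as a bean; a `LockedException` does not raise a bad-credentials event, so the counter stops growing once the account is locked.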