using multiple authentication providers

[raja_s_patil]

hello,

I am learning Spring and spring security. I want to use multiple authentication
providers and authenticate user if any one of them succeeds. My config is

Code:

<?xml version = "1.0" encoding = "UTF-8"?>
<beans xmlns = "http://www.springframework.org/schema/beans"
	   xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
	   xmlns:security = "http://www.springframework.org/schema/security"
	   xsi:schemaLocation = "http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

	<!-- ========================  HTTP Filters  ======================== -->
	<security:http auto-config = "true">
		<security:intercept-url pattern = "main.html" filters = "none"/>
		<security:intercept-url pattern = "index.html" filters = "none"/>
		<security:intercept-url pattern = "*.swf" filters = "none"/>
		<security:intercept-url pattern = "*.html" filters = "none"/>
	</security:http>

	<!-- ========================  Authentication Manager-Providers  ======================== -->
	<bean id = "authenticationManager"
		  class = "org.springframework.security.providers.ProviderManager">
		<property name = "providers">
			<list>
				<ref local = "customAuthenticationProvider"/>
				<ref local = "inMemoryAuthenticationProvider"/>
			</list>
		</property>
	</bean>

	<!-- ========================  Custom Authentication Provider  ======================== -->
	<bean id = "customAuthenticationProvider"
		  class = "org.springframework.security.providers.dao.DaoAuthenticationProvider">
		<property name = "userDetailsService" ref = "customUserDetailsService"/>
	</bean>
	<bean id = "customUserDetailsService"
		  class = "com.ch9.secu.flex.services.MyUserDetailsService"/>

	<!-- ========================  inMemory Authentication Provider  ======================== -->
	<bean id = "inMemoryAuthenticationProvider"
		  class = "org.springframework.security.providers.dao.DaoAuthenticationProvider">
		<property name = "userDetailsService" ref = "inMemoryUserDetailsService"/>
	</bean>
	<bean id = "inMemoryUserDetailsService"
		  class = "org.springframework.security.userdetails.memory.InMemoryDaoImpl">
		<property name = "userMap">
			<value>
			 katiebug=test, ROLE_USER, ROLE_ADMIN"
			 colie=test, ROLE_USER
			</value>
		</property>
	</bean>

</beans>

I am getting exception as below, Can somebody suggest me correct
way of implementing .

Thanks and best regards

Raja

Code:

2010-01-03 02:25:17 main- [ERROR] == 
Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; 
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_rememberMeFilter' while setting bean property 'filters' with key [6]; 
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_rememberMeFilter': Cannot resolve reference to bean '_rememberMeServices' while setting bean property 'rememberMeServices';
nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_rememberMeServices': Initialization of bean failed; 
nested exception is org.springframework.security.config.SecurityConfigurationException:
More than one UserDetailsService registered. Please use a specific Id in your configuration
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)

[pmularien]

As you can see, the exception is coming from the RememberMeServices implementation, which will only work with a single UserDetailsService. You need to either disable remember me, or reconfigure it to point to one of the two UserDetailsServices that you've configured.

[raja_s_patil]

Thanks pmularien,

As you can see, the exception is coming from the RememberMeServices implementation, which will only work with a single UserDetailsService. You need to either disable remember me, or reconfigure it to point to one of the two UserDetailsServices that you've configured.

As u have suggested I could get that working as follows

Code:

<!-- ========================  HTTP Filters  ======================== -->
	<security:http auto-config = "true">
		<security:intercept-url pattern = "main.html" filters = "none"/>
		<security:intercept-url pattern = "index.html" filters = "none"/>
		<security:intercept-url pattern = "*.swf" filters = "none"/>
		<security:intercept-url pattern = "*.html" filters = "none"/>
		<security:remember-me user-service-ref="customUserDetailsService" key="springRocks"/>
	</security:http>


	<!-- ========================  Authentication Manager-Providers  ======================== -->
	<bean id = "authenticationManager"
		  class = "org.springframework.security.providers.ProviderManager">
		<property name = "providers">
			<list>
				<ref local = "customAuthenticationProvider"/>
				<ref local = "inMemoryAuthenticationProvider"/>
			</list>
		</property>
	</bean>

now i want to learn the second part i.e. How to disable the remember me service altogether. I could not locate config for the same.

Can somebody point me to that ? BTW can somebody suggest me good reading
material (book/blog/article etc. etc.) about spring security which will help me
in getting good knowledge about tags and concepts.

Thanks and best regards.

Raja

[pmularien]

Well... you could disable it simply by removing the <remember-me> directive altogether (and most likely adjusting your login page to match)

[pmularien]

I would also suggest reading the manual (if you haven't already), as Luke and crew have spent a lot of time on it, and it's well-written and straightforward to read.

[raja_s_patil]

Thanks pmularien,

Well... you could disable it simply by removing the <remember-me> directive altogether (and most likely adjusting your login page to match)

I do this and check whether it works

Code:

<security:http auto-config = "true">
     . . .
		<security:remember-me/>	</security:http>
</security:http>

I can remove it completely but that will causes exception as it was earlier.

I dont have login page since I am using it with Flex. But one peculiar Thing I noticed
that If I login with some user name password then if I try to login for second time
the browser is not responding back. But if I restart the tomcat server I can login
again. There are some exceptions at tomcat console. I will check it again with
disabling the remember-me and let u know.

I would also suggest reading the manual (if you haven't already), as Luke and crew have spent a lot of time on it, and it's well-written and straightforward to read.

yes I do agree with you but I am unable to locate such finer details since even on
web examples are missing. For spring I found some books explaining concepts
and sample configs but for security I could not find much examples. But the
manual explains concepts very well I feel that some concrete examples for
common configurations will be more helpful.

Thanks and best regards

Raja

[raja_s_patil]

Well I tried with following but it too resulted in exceptions

Code:

 
<security:http auto-config = "true">
         . . .
        <security:remember-me/>	
</security:http>

Finally I thought of a work around I dont know whether its correct way.

Code:

	<security:http auto-config = "true">
		<security:intercept-url pattern = "main.html" filters = "none"/>
		<security:intercept-url pattern = "index.html" filters = "none"/>
		<security:intercept-url pattern = "*.swf" filters = "none"/>
		<security:intercept-url pattern = "*.html" filters = "none"/>
		<security:remember-me user-service-ref = "dummyUserDetailsService"
							  key = "springRocks"/>
	</security:http>


	<!-- ========================  dummyUserDetailsService for Remember-me ======================== -->
	<bean id = "dummyUserDetailsService"
		  class = "org.springframework.security.userdetails.memory.InMemoryDaoImpl">
		<property name = "userMap">
			<value>
			</value>
		</property>
	</bean>

Now all exceptions are gone and I can login multiple times. But still I feel that
there should be some way to disable remember-me service with auto-config=true

If somebody knows please reveal the trick

Final security-config.xml which suits my needs is as follows

<?xml version = "1.0" encoding = "UTF-8"?>
<beans xmlns = "http://www.springframework.org/schema/beans"
xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
xmlns:security = "http://www.springframework.org/schema/security"
xsi:schemaLocation = "http://www.springframework.org/schema/beans
http://www.springframework.org/schem...-beans-2.5.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">


<!-- ======================== HTTP Filters ======================== -->
<security:http auto-config = "true">
<security:intercept-url pattern = "main.html" filters = "none"/>
<security:intercept-url pattern = "index.html" filters = "none"/>
<security:intercept-url pattern = "*.swf" filters = "none"/>
<security:intercept-url pattern = "*.html" filters = "none"/>
<security:remember-me user-service-ref = "dummyUserDetailsService"
key = "springRocks"/>
</security:http>


<!-- ======================== dummyUserDetailsService for Remember-me ======================== -->
<bean id = "dummyUserDetailsService"
class = "org.springframework.security.userdetails.memory.I nMemoryDaoImpl">
<property name = "userMap">
<value>
</value>
</property>
</bean>


<!-- ======================== Authentication Manager-Providers ======================== -->
<bean id = "authenticationManager"
class = "org.springframework.security.providers.ProviderMa nager">
<property name = "providers">
<list>
<ref local = "customAuthenticationProvider"/>
<ref local = "inMemoryAuthenticationProvider"/>
</list>
</property>
</bean>


<!-- ======================== Custom Authentication Provider ======================== -->
<bean id = "customAuthenticationProvider"
class = "org.springframework.security.providers.dao.DaoAut henticationProvider">
<property name = "userDetailsService" ref = "customUserDetailsService"/>
</bean>
<bean id = "customUserDetailsService"
class = "com.ch9.secu.flex.services.MyUserDetailsServi ce"/>


<!-- ======================== inMemory Authentication Provider ======================== -->
<bean id = "inMemoryAuthenticationProvider"
class = "org.springframework.security.providers.dao.DaoAut henticationProvider">
<property name = "userDetailsService" ref = "inMemoryUserDetailsService"/>
</bean>
<bean id = "inMemoryUserDetailsService"
class = "org.springframework.security.userdetails.memory.I nMemoryDaoImpl">
<property name = "userMap">
<value>
katiebug=test, ROLE_USER, ROLE_ADMIN"
colie=test, ROLE_USER
</value>
</property>
</bean>


</beans>

[pmularien]

Ah, I apologize, I have been working with Spring Sec 3 and not 2 for several months. In Spring Sec 3, SEC-1044 (http://jira.springframework.org/browse/SEC-1044) indicates that the automatic configuration changed to remove inclusion of remember-me (since it caused confusion! ).

For Spring Sec 2, what you describe (creating a no-op UserDetailsService) is basically the best choice, or you could simply disable auto-config and replace it with the stuff in the "What does auto-config include?" section of the manual: http://static.springsource.org/sprin...ns-auto-config

My recommendation would be to disable the auto-config attribute. Hope that helps!

[raja_s_patil]

I wonder how both of us have made same mistake and realized it at the same time.
its a rare coincidence. I was referring to release 3 documentation and is using
release 2 jars. How this happened ? I downloaded ver 3 and exploded it in a dir.
created shortcut to reference pdf. and started reading it. in the process of
experimenting i started searching on web for examples and first few examples were
using ver 2 so i downloaded ver 2 and copied jars to webcontents dir. the copy paste
of config and java code for examples worked fine. later i drafted my requirements
and tried to config them then the trouble/confusion started due to mismatch in manual
, jar classes and api docs. Virtually at the same time we both have realized the facts
that we are refering 3 docs and working with ver 2. Its OK since i got extra knowledge
due to lots of difficulties.

Right now i feel bit confident about authetication, my next target is access
control study, requirement drafting for the same and experimenting on that.
The next week will start with that.

Thanks for help extended and hope in near future similar help for the posts
if any.

raja