Dynamic authentication configuration

**asarkar** · Aug 4th, 2010, 06:30 PM

I have a requirement to authenticate from LDAP and database. The caveat is depending on a database flag, the authentication may fall into one of the following 3 categories:

Only LDAP.
Only database.
LDAP and database.

Can anyone suggest a configuration that can handle this? I can have 2 authentication providers for case 3 but how do I skip one for case 1 or 2? I am using Spring Security 3.0.3.
All comments are appreciated.

**kedi** · Aug 4th, 2010, 06:52 PM

May be i got your requirement wrong, but i guess you might be already doing this..

Code:

    <authentication-manager>
        <!-- DB Provider -->
        <authentication-provider ref="dbAuthProvider"/>
        <!-- LDAP Provider -->
        <authentication-provider ref="ldapAuthProvider"/>
    </authentication-manager>

This polls both DB and LDAP one by one and the authentication info might be at any one.

**asarkar** · Aug 4th, 2010, 07:03 PM

Kedi,
The requirement is to use a DB provider and/or a LDAP provider. As you have shown, I can certainly use both but how do I skip one, if needed (cases 1 and 2 in OP)?

**kedi** · Aug 4th, 2010, 07:09 PM

That's my point, why you want to skip one, let the spring security check on first and if it fails, let it check second. I understand it has a bit performance overhead but considering login is just one time activity per session, it shouldnt be that big a deal..

**asarkar** · Aug 4th, 2010, 07:23 PM

Originally Posted by kedi

Why you want to skip one, let the spring security check on first and if it fails, let it check second.

The user could be present in both places! Ours is a legacy system and login information is in process of being migrated from DB to LDAP. For users who are already migrated to LDAP, we need to use LDAP authentication. Note that those users would also be present in the DB. And then there are some users that are not yet migrated. They can only be authenticated against DB.
Thinking about it, can I stop the 2nd provider from processing if the user is successfully authenticated by the first provider itself? If yes, I can probably setup LDAP as the first provider.

**kedi** · Aug 4th, 2010, 07:46 PM

Okay, got your point. In that case, i am not very sure if spring security would skip the second provider if 1st authenticates successfully. But the javadoc of ProviderManager states :

AuthenticationProviders are usually tried in order until one provides a non-null response. A non-null response indicates the provider had authority to decide on the authentication request and no further providers are tried. If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded and the successful authentication will be used.

from : http://static.springsource.org/sprin...erManager.html

so you should be fine. Else last resort may be writing your custom AuthenticationManager.

Thread: Dynamic authentication configuration

Thread Tools

Display

Dynamic authentication configuration

Posting Permissions