Can I put 3 different authentication schemes in the same Spring Security configuration?

My requirement is to provide:

  • User/password-based authentication
  • Open Authentication based authentication
  • URL-based authentication (we have our own SSO implementation for it)

in the same project.

I tried wiring Spring Security into an existing project as follows (some code was omitted for simplicity):

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http auto-config="false">
        <remember-me user-service-ref="rememberMeUserService" key="some custom key" />
        <!-- TODO: Key made for testing reasons.... -->
        <intercept-url pattern='/mainApplication/Main screen.html' access="ROLE_ADMIN"/>
        <intercept-url pattern='/**' filters="none"/>
        <!-- Allow entry to login screen -->
        <openid-login authentication-failure-url="/Login.html?error=true"
                      default-target-url="/mainApplication/Main screen.html"
                      user-service-ref="openIdUserService"/>
        <form-login login-page="/Login.html"
                    authentication-failure-url="/Login.html?error=true"
                    always-use-default-target="true"
                    default-target-url="/mainApplication/Main screen.html"/>
    </http>

    <beans:bean id="rememberMeUserService" class="mypackage.CustomUserService">
        <beans:property name="usersService" ref="usersService"></beans:property>
    </beans:bean>

    <!-- Common login shared entry-point for both Form and OpenID based logins -->
    <beans:bean id="entryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/Login.html" />
    </beans:bean>

    <authentication-manager alias="authenticationManager"/>

    <beans:bean id="MyCustomAuthenticationProvider" class="mypackage.CustomAuthenticationProvider">
        <custom-authentication-provider />
        <beans:property name="usersService" ref="usersService"></beans:property>
    </beans:bean>

    <beans:bean id="openIdAuthenticationProvider" class="org.springframework.security.providers.openid.OpenIDAuthenticationProvider">
        <custom-authentication-provider />
        <beans:property name="userDetailsService" ref="openIdUserService"/>
    </beans:bean>

    <beans:bean id="openIdUserService" class="mypackage.OpenIDUserDetailsService">
        <beans:property name="usersService" ref="usersService"/>
    </beans:bean>

    <!-- Great, now i want to include SSO based sign on -->
    <!-- need to intercept a url of the form : /myApp/customLogin/<key> where <key> is my token key -->
</beans:beans>

As mentioned above, I need to intercept a URL of the form /myApp/customLogin/12345, where 1235 is the token key. We originally used the following (some code was omitted for simplicity):

<servlet-mapping>
    <servlet-name>mySSOCapture</servlet-name>
    <url-pattern>/myApp/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/MyServlet</url-pattern>
</servlet-mapping>

What should I do so that Spring Security can help me manage this third authentication scheme?

The question is: can I have many authentication providers in one project? If so, how can they be matched to different functionality (for example, one that provides authentication based on URLs, another that provides offline authentication, etc.)?

+6
java spring spring-security configuration
3 answers

Ok, here is the solution:

<beans:bean id="mySsoFilter" class="somePackage.MySsoProcessingFilter">
    <custom-filter after="CAS_PROCESSING_FILTER"/> <!-- Just a reference Point-->
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="defaultTargetUrl" value='/mainApplication/Main screen.html' />
    <beans:property name="authenticationFailureUrl" value="/Login.html?error=true"/>
</beans:bean>

Hope this helps someone who needs it...

+1

It is impossible to answer the question directly, but here is a “useful hint” from the identity management sector: not all authentication systems have the same trust value. Treating them equally is a serious violation of good security design.

I hope this helps with your design ...

+1

There are probably several ways to do this. There is existing functionality that does something very similar, namely Preauthentication. It is a good example of how you can add a custom filter that authenticates the user, after which the rest of the framework takes over.

What an AuthenticationProvider does is check the Authentication object, which is loaded into the session by a preceding filter. You can register as many authentication providers as you want with the authentication manager (which simply runs the Authentication object through all of them), but you need to configure some kind of filter that will process your authentication scheme and populate the Authentication object. If you want this filter to also interact with the user (i.e., display a login form or something similar), it could interfere with other filters. In that case you can use separate filter chains, but this does not seem to be necessary in your case.

+1
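
The filter-plus-provider split described in the last answer, applied to the /myApp/customLogin/<key> scheme from the question. This is an added example, not code from the question or any answer; it assumes the Spring Security 2.0.x API that the posted configuration targets, and SsoKeyResolver, SsoKeyToken, SsoKeyAuthenticationProvider and the body of MySsoProcessingFilter are hypothetical.

```java
// Added example: hypothetical classes (one per file in a real project), Spring Security 2.0.x API.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.*;
import org.springframework.security.providers.AbstractAuthenticationToken;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.ui.AbstractProcessingFilter;
import org.springframework.security.ui.FilterChainOrder;
import org.springframework.security.userdetails.*;
interface SsoKeyResolver { String resolve(String key); } // hypothetical: username, or null if unknown/expired

/** Carries the URL key; authenticated only once a provider has accepted it. */
class SsoKeyToken extends AbstractAuthenticationToken {
    private final Object principal; private final String key;
    SsoKeyToken(String key) { super(new GrantedAuthority[0]); this.principal = key; this.key = key; }
    SsoKeyToken(UserDetails user, String key) {
        super(user.getAuthorities()); this.principal = user; this.key = key; setAuthenticated(true);
    }
    public Object getCredentials() { return key; }
    public Object getPrincipal() { return principal; }
}

/** supports() makes the manager route only SsoKeyToken here; form and OpenID tokens skip it. */
class SsoKeyAuthenticationProvider implements AuthenticationProvider {
    private SsoKeyResolver resolver; private UserDetailsService userDetailsService;
    public void setResolver(SsoKeyResolver r) { this.resolver = r; }
    public void setUserDetailsService(UserDetailsService s) { this.userDetailsService = s; }
    public boolean supports(Class authentication) { return SsoKeyToken.class.isAssignableFrom(authentication); }
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String key = (String) auth.getCredentials();
        String username = (key.length() == 0) ? null : resolver.resolve(key);
        if (username == null) throw new BadCredentialsException("Unknown or expired SSO key");
        return new SsoKeyToken(userDetailsService.loadUserByUsername(username), key);
    }
}

/** Claims /myApp/customLogin/<key> and hands the key to the AuthenticationManager. */
class MySsoProcessingFilter extends AbstractProcessingFilter {
    private static final String PREFIX = "/myApp/customLogin/";
    public String getDefaultFilterProcessesUrl() { return PREFIX; }
    public int getOrder() { return FilterChainOrder.CAS_PROCESSING_FILTER + 1; }
    protected boolean requiresAuthentication(HttpServletRequest req, HttpServletResponse res) {
        return path(req).startsWith(PREFIX); // inherited check is an ends-with match, so the key would defeat it
    }
    public Authentication attemptAuthentication(HttpServletRequest req) throws AuthenticationException {
        return getAuthenticationManager().authenticate(new SsoKeyToken(path(req).substring(PREFIX.length())));
    }
    private static String path(HttpServletRequest r) { return r.getRequestURI().substring(r.getContextPath().length()); }
}
```

The provider bean is registered with `<custom-authentication-provider />` in the same way as the two providers in the question. Because the key travels in the URL it is also written to access logs, so the resolver should treat keys as short-lived and single-use.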