Avoiding multiple logins from custom authenticationProvider to Third-Party-SOA

Mischa Zedding
Greenhorn

Joined: Feb 28, 2013
Posts: 4
Hello Cowboys from the Java-Ranch,

I am really new here and I hope you can give me some tips and advice. At the moment I am developing a new web application with Spring MVC and Spring Security. One requirement is to authenticate the user against a third-party solution. The logic for a login against this solution is ready for use. Now I want Spring Security to handle the user. But at the moment Spring connects to the third-party SOA for every request. This makes no sense to me. Is this behavior normal? Does Spring Security connect to a database every time for every request?

Greetings from Berlin, Germany

Here is my code:
I implement a custom AuthenticationProvider


The security.xml:
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

Well, based on the code you posted, I think that you really wanted to implement a UserDetailsService, not a custom AuthenticationProvider.

The distinction is small. Basically, you just want to change where the data is looked up for a user. That is the responsibility of a UserDetailsService. It is called by an AuthenticationProvider, but only once when you log in, unless you don't have sessions and your HTTP is stateless; then credentials do need to be sent and looked up each time.

Hope that helps and works for you.

Mark


Mischa Zedding
Greenhorn

Joined: Feb 28, 2013
Posts: 4
Hi Mark,

Thanks for the tip. Now I have a custom UserDetailsService, but I have some problems with this approach. Perhaps you can help me out again.
I have two questions:
1: Is it only possible to get the username in "public UserDetails loadUserByUsername(String username)"? As you can see in my code, I need the password too. For test cases I have a user who has the same value for the username and the password.
2: I think I have a mistake in my logic, because for every request the login window appears. [EDIT]: Now it works...

Thanks a lot and I wish you a good weekend

Here is my code:


TeamcenterUserDetailsService.java

TeamcenterUserDetails.java

Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

User user = userServiceTeamcenter.getUserByLogin(username, username);

That won't work in the real world.

Why are the username and password always the same for every user of the system?

OK. The purpose of a UserDetailsService is strictly to load user data; it has nothing to do with the password. That is why the password is not passed in to the loadUserByUsername(String username) method.

Typically this method and a UserDetailsService just do a query against the back-end data store. In your case your userServiceTeamcenter method requires a password, so it isn't the correct class and method to call. If you don't have a class with a correct API, then you can query a different way.

For instance, JDBC with SQL queries.

There are built-in UserDetailsServices like JdbcDaoImpl, which is the JDBC with SQL queries class.

Mark
Mischa Zedding
Greenhorn

Joined: Feb 28, 2013
Posts: 4
Hi Mark,

Mark Spritzler wrote: User user = userServiceTeamcenter.getUserByLogin(username, username);

That won't work in the real world.

Why are the username and password always the same for every user of the system?



I know. This was just test code. I would never implement this in production because it makes no sense. But I wanted to test my "Request and Login" problem. This is solved and now I can concentrate on the UserDetailsService. At the moment I have no idea how to implement a correct authentication mechanism with my third-party SOA. It is absolutely necessary to call the login method from TeamcenterUserService (my connector to the third-party SOA) with password and username. If the login is correct I get a user who is != null. Perhaps the first sunny day in 30 days in Berlin will give me the right inspiration.

Micha
Mischa Zedding
Greenhorn

Joined: Feb 28, 2013
Posts: 4
I think I have a solution so far. I implement my own UserDetailsAuthenticationProvider by extending the AbstractUserDetailsAuthenticationProvider.

This is my code:

TeamcenterUserDetailsAuthenticationProvider



TeamcenterUserDetails


Security.xml
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

Cool. Yeah, if you need to have the password to do some lookup, you won't get it into a UserDetailsService, because its responsibility is just querying the data store for the data; some other class will do the password comparison.

Mark
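
The approach the thread settles on, as an added example that is not the code from the original posts: a provider extending AbstractUserDetailsAuthenticationProvider that hands username and password to the remote login inside retrieveUser. The names RemoteLoginService and RemoteLoginAuthenticationProvider and the ROLE_USER authority are assumptions; the connector is assumed to return null on a rejected login, as described above. With session-based security the resulting Authentication is kept in the session, so the remote service is contacted at login rather than on every request.

```java
import java.util.List;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Added example: authenticates against a remote login that needs username AND password.
public class RemoteLoginAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

    /** Hypothetical connector (assumption): returns null when the remote login is rejected. */
    public interface RemoteLoginService {
        Object getUserByLogin(String username, String password);
    }

    private final RemoteLoginService remote;

    public RemoteLoginAuthenticationProvider(RemoteLoginService remote) {
        this.remote = remote;
    }

    // Called by the parent class during authenticate(); the token carries the submitted password.
    @Override
    protected UserDetails retrieveUser(String username,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        if (username == null || username.isEmpty() || credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        // The remote service both looks up the user and verifies the password.
        if (remote.getUserByLogin(username, credentials.toString()) == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Do not keep the password in the UserDetails that ends up in the session.
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
        return new User(username, "", authorities);
    }

    // The password was already verified remotely in retrieveUser. Keep the default
    // NullUserCache: with a real UserCache this empty check would accept a cached user.
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) {
    }
}
```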
 