Avoiding multiple logins from custom authenticationProvider to Third-Party-SOA

Hello Cowboys from the Java-Ranch,

i am realy new here and i hope you can give me some tips and advices. At the moment i develop a new webapplication with spring mvc and spring security. One requirement is to authenticat the user against a third-party solution. The logic for a login against this solution is ready for use. Now i want spring security to handle the user. But at the moment spring connect to the third-party-soa for every request. This makes no sense for me. Is this behavior normal? Does spring security connects to a database every time for every request?

Greetings from Berlin, Germany

Here is my code:
I implement a custom AuthenticationProvider
public class TeamcenterUserAuthenticationProvider implements AuthenticationProvider{ private UserServiceTeamcenter userServiceTeamcenter; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication; String name = token.getName(); String password = (String)token.getCredentials(); User user = userServiceTeamcenter.getUserByLogin(name, password); System.out.println(name + " " + password); if(user == null){ throw new UsernameNotFoundException("Invalid username/password"); } List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER"); return new UsernamePasswordAuthenticationToken(user, password, authorities); } @Override public boolean supports(Class<?> authentication) { return UsernamePasswordAuthenticationToken .class.equals(authentication); } public void setUserServiceTeamcenter(UserServiceTeamcenter userServiceTeamcenter) { this.userServiceTeamcenter = userServiceTeamcenter; }

The security.xml:
<security:http use-expressions="true"> <security:intercept-url pattern="/img/**" access="permitAll"/> <security:intercept-url pattern="/scripts/**" access="permitAll"/> <security:intercept-url pattern="/styles/**" access="permitAll"/> <security:intercept-url pattern="/index.html" access="permitAll"/> <security:intercept-url pattern="/webservice/**" access="hasRole('ROLE_USER')"/> <security:intercept-url pattern="/views/#" access="hasRole('ROLE_USER')"/> <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> <security:http-basic/> </security:http> <security:authentication-manager> <security:authentication-provider ref="teamcenterUserAuthenticationProviderBean"> </security:authentication-provider> </security:authentication-manager> <bean id="teamcenterUserAuthenticationProviderBean" class="org.inmediasp.pdm.web.authentication.TeamcenterUserAuthenticationProvider"> <property name="userServiceTeamcenter"> <ref local="userServiceTeamcenterBean"/> </property> </bean>

Well, I think, based on the code you posted. I think that you really wanted to implement a UserDetailsService, not a custom AuthenticationProvider.

The distinction is small. Basically, you just want to change where the data is looked up for a user. That is the responsibility of a UserDetailsService. It is called by an AuthenticationProvider, but only once when you login. Unless you don't have sessions, and your HTTP is stateless, then credentials do need to be sent and looked up each time.

Hope that helps and works for you.

Mark

Hi Mark,

thanks for the tip. Now i have a custom UserDetailsService, but i have some problems with this approach. Perhaps you can help me out again .
I have two questions:
1: is it only possible to get the username in "public UserDetails loadUserByUsername(String username)"? As you can see in my code, i need the password to. For testcases i have a user who has the same value for the username and the password.
2: I think i have i misstake in my logic. Because for every request the login-window appears. [EDIT]: Now it works...

Thanks a lot and i wish you a good weekend

Here is my code:
<security:http use-expressions="true"> <security:intercept-url pattern="/img/**" access="permitAll"/> <security:intercept-url pattern="/scripts/**" access="permitAll"/> <security:intercept-url pattern="/styles/**" access="permitAll"/> <security:intercept-url pattern="/index.html" access="permitAll"/> <security:intercept-url pattern="/webservice/**" access="hasRole('ROLE_USER')"/> <security:intercept-url pattern="/views/#" access="hasRole('ROLE_USER')"/> <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> <security:http-basic/> </security:http> <security:authentication-manager> <security:authentication-provider user-service-ref="teamcenterUserDetailsServiceBean"> </security:authentication-provider> </security:authentication-manager> <bean id="teamcenterUserDetailsServiceBean" class="org.inmediasp.pdm.web.security.TeamcenterUserDetailsService"> <property name="userServiceTeamcenter"> <ref local="userServiceTeamcenterBean"/> </property> </bean>

TeamcenterUserDetailsService.java
public class TeamcenterUserDetailsService implements UserDetailsService { private UserServiceTeamcenter userServiceTeamcenter; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { if(StringUtils.isBlank(username)){ throw new UsernameNotFoundException("Username was empty"); } User user = userServiceTeamcenter.getUserByLogin(username, username); if(user == null){ throw new UsernameNotFoundException("Username not found"); } List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER"); return new TeamcenterUserDetails(user, authorities); //To change body of implemented methods use File | Settings | File Templates. } public void setUserServiceTeamcenter(UserServiceTeamcenter userServiceTeamcenter) { this.userServiceTeamcenter = userServiceTeamcenter; } }
TeamcenterUserDetails.java
public final class TeamcenterUserDetails implements UserDetails { private User user; private List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); public TeamcenterUserDetails(User user) { this.user = user; } public TeamcenterUserDetails(User user, List<GrantedAuthority> authorities) { this.user = user; this.authorities = authorities; } @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getUser_id(); } @Override public boolean isAccountNonExpired() { return true; } @Override public boolean isAccountNonLocked() { return true; } @Override public boolean isCredentialsNonExpired() { return true; } @Override public boolean isEnabled() { return true; } private static final long serialVersionUID = 3384436451564509032L; }

User user = userServiceTeamcenter.getUserByLogin(username, username);

That won't work in the real world.

Why is the username and password always the same for every user of the system.

OK. The purpose of a UserDetailsService is strictly to load user data, nothing to do with password, that is why password is not passed in to loadUserByUserName(String userName) method.

Typically this method and a UserDetailsService just does a query against the back end data store. In your case your userServiceTeamcenter method requires a password, so it isn't the correct class and method to call. If you don't have a class with a correct api, then you can query a different way.

For instance Jdbc with SQL queries.

There are built in UserDetailsService like JdbcDaoImpl which is the Jdbc with SQL queries class.

Mark

Hi Mark,

Mark Spritzler wrote:User user = userServiceTeamcenter.getUserByLogin(username, username);

That won't work in the real world.

Why is the username and password always the same for every user of the system.

i know . This was just testcode. I would never implement this in production because this make no sense. But i wantet to test my "Request and Login"-Problem. This is solved and now i can concentrate on the UserDetailsService. At the moment i have no idea how to implement a correct Authentication-Mechanism with my third-party-soa. It is absolute necessary to call the login method from TeamcenterUserService (my Connector to the Third-Party-Soa) with password and username. If the login is correct i get a user who is != null. Perhaps the first sunny day since 30 Days in Berlin give me the right inspiration.

Micha

I think i have a solution so far. I implement my own UserDetailsAuthenticationProvider by extending the AbstractUserDetailsAuthenticationProvider.

This is my code:

TeamcenterUserDetailsAuthenticationProvider

public class TeamcenterUserDetailsAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider { private UserServiceTeamcenter userServiceTeamcenter; @Override protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException { } @Override protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException { String password = usernamePasswordAuthenticationToken.getCredentials().toString(); if(StringUtils.isBlank(username)){ throw new UsernameNotFoundException("Username was empty"); } User user = userServiceTeamcenter.getUserByLogin(username, password); if(user == null){ throw new UsernameNotFoundException("Username not found"); } List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER"); return new TeamcenterUserDetails(user, authorities); } public void setUserServiceTeamcenter(UserServiceTeamcenter userServiceTeamcenter) { this.userServiceTeamcenter = userServiceTeamcenter; } }

TeamcenterUserDetails
public final class TeamcenterUserDetails extends User implements UserDetails { private User user; private List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); public TeamcenterUserDetails(User user) { this.user = user; } public TeamcenterUserDetails(User user, List<GrantedAuthority> authorities) { this.user = user; this.authorities = authorities; } public User getUser() { return user; } @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getUser_id(); } @Override public boolean isAccountNonExpired() { return true; } @Override public boolean isAccountNonLocked() { return true; } @Override public boolean isCredentialsNonExpired() { return true; } @Override public boolean isEnabled() { return true; } private static final long serialVersionUID = 3384436451564509032L; }

Security.xml
<security:http use-expressions="true"> <security:intercept-url pattern="/img/**" access="permitAll"/> <security:intercept-url pattern="/scripts/**" access="permitAll"/> <security:intercept-url pattern="/styles/**" access="permitAll"/> <security:intercept-url pattern="/index.html" access="permitAll"/> <security:intercept-url pattern="/webservice/**" access="hasRole('ROLE_USER')"/> <security:intercept-url pattern="/views/#" access="hasRole('ROLE_USER')"/> <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> <security:http-basic/> </security:http> <security:authentication-manager> <security:authentication-provider ref="teamcenterUserDetailsAuthenticationProviderBean"> </security:authentication-provider> </security:authentication-manager> <bean id="teamcenterUserDetailsAuthenticationProviderBean" class="org.inmediasp.pdm.web.security.TeamcenterUserDetailsAuthenticationProvider"> <property name="userServiceTeamcenter"> <ref local="userServiceTeamcenterBean"/> </property> </bean>

Cool. Yeah if you need to have password to do some lookup. You won't get it into UserDetailsService. Because its responsibility is just querying the data store for the data that someone class else will do the password comparison.

Mark