  • Step-up authentication with Spring Security

    Has anyone implemented step-up authentication using Spring Security?

    Have googled around a bit, but haven't seen anything relevant. Wondering if someone has done it and can share their experience. Alternatively, if someone from the Spring team can chime in on how best to implement it.

    Looking at the documentation, it looks like the underlying plumbing is there - but will need some work to make it work:

    Am thinking we will need to do the following:
    * associate resources with levels via configuration
    * associate authentication providers with levels via configuration. (how do we take this information and inject the authentication level into the resulting Authentication instances - without going in and changing every AuthenticationProvider?)
    * add a new AccessDecisionVoter (e.g. AuthnLevelVoter) - that checks the current authentication level and the level needed for accessing this resource.
    * subclass the InsufficientAuthenticationException to pass on the information on minimum expected level
    * subclass the AbstractAccessDecisionManager to ensure that the vote evaluation strategy factors in the new Voter, and throws an instance of the above exception.
    * add a new AuthenticationEntryPoint (subclass as appropriate) that looks at the incoming exception, determines valid authentication-providers and generates an appropriate response that will help capture the credentials for these providers.

    Last edited by mohankishore; Feb 9th, 2012, 05:31 PM.
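
The level-checking voter from the list in the post above, as an added example that is not part of the original post and not Spring Security's own code. It assumes the required level is configured on the resource as a `ConfigAttribute` named `AUTHN_LEVEL_n` and that the level reached at login is carried as a `GrantedAuthority` with the same naming; the prefix and that convention are hypothetical, and the interface is the Spring Security 3.x `AccessDecisionVoter`.

```java
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example: the AUTHN_LEVEL_ prefix and the authority-based level are assumptions.
public class AuthnLevelVoter implements AccessDecisionVoter<Object> {
    private static final String PREFIX = "AUTHN_LEVEL_";

    public boolean supports(ConfigAttribute attribute) {
        String value = attribute.getAttribute();
        return value != null && value.startsWith(PREFIX);
    }

    public boolean supports(Class<?> clazz) {
        return true; // applies to any secured object type
    }

    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        int required = -1;
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                int level = parseLevel(attribute.getAttribute());
                if (level < 0) { return ACCESS_DENIED; } // malformed requirement: fail closed
                required = Math.max(required, level);
            }
        }
        if (required < 0) { return ACCESS_ABSTAIN; } // resource declares no level
        int current = 0; // no level authority is treated as the lowest level
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            String name = authority.getAuthority();
            if (name != null && name.startsWith(PREFIX)) {
                current = Math.max(current, parseLevel(name)); // malformed (-1) is ignored
            }
        }
        return current >= required ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    // Returns the numeric suffix, or -1 if it is not a non-negative integer.
    private static int parseLevel(String value) {
        try {
            int level = Integer.parseInt(value.substring(PREFIX.length()));
            return level >= 0 ? level : -1;
        } catch (NumberFormatException e) {
            return -1;
        }
    }
}
```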