  • Chaining Authentication Providers?

    I recently integrated a simple web app using my client's LDAP using Acegi (very cool BTW). I still needed developer/test users so wanted to splice in an older in-memory provider. What I did was place it first in the list of providers in the authenticationManager and modify the in-memory provider to simply return null if it couldn't authenticate. This worked like a charm (I can now log in with fake users with Spring-defined roles) and as a real user. When deployed to production the in-memory 'hack' will be pulled out.

    My question is: is this a valid way to do this or is some other approach preferable? It seems OK to me but I was uncomfortable having the authenticator return null (essentially falling through to the next provider in the chain).


    Something like:
    Code:
      <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
        <property name="providers">
          <list>
            <ref bean="testAuthenticationProvider"/> <!-- FIXME: remove prior to deploy -->
            <ref bean="authenticationProvider"/>
          </list>
        </property>
      </bean>
    I then wrote a simple in-memory provider which extended the Acegi InMemoryDaoImpl that basically did the following:
    Code:
     public Authentication authenticate(Authentication authentication) throws AuthenticationException
      {
        String username = authentication.getPrincipal().toString();
        UserDetails details = null;
        try
        {
          details = loadUserByUsername(username);
        }
        catch (Exception e)
        {
          // ignore: an unknown user is left for the next provider in the chain
        }
        // Compare the presented password with the stored one before accepting the user
        Object credentials = authentication.getCredentials();
        if (details != null && credentials != null
            && details.getPassword().equals(credentials.toString()))
        {
          return new UsernamePasswordAuthenticationToken(
            authentication.getPrincipal(),
            authentication.getCredentials(),
            details.getAuthorities());
        }
        // Returning null falls through to the next provider
        return null;
      }
    And wired it as:
    Code:
      <bean id="testAuthenticationProvider" class="some.package.InMemoryAuthenticationProvider">
          <property name="userMap">
             <value>
               admin=password,ROLE_1,ROLE_2,ROLE_3
               testuser1=password,ROLE_3
             </value>
          </property>
      </bean>

  • #2
    Whilst your approach works, I'd probably do it differently. You can read my response to a similar question at http://forum.springframework.org/showthread.php?t=12191.

    One thing to note, though, is my approach is only suitable if both AuthenticationDaos are called by the same AuthenticationProvider. If mixing LDAP and in-memory, you need DaoAuthentication and PasswordDaoAuthenticationProvider. This means your approach is the only one that would work.
    Last edited by robyn; May 19th, 2006, 06:40 AM.
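
The fall-through chaining discussed in this thread, as an added example that is not part of either post and is not Acegi code. It is a simplified, self-contained model: the `Provider` interface, the `auth.testUsers` system property and the `alice` account are hypothetical names constructed for illustration.

```java
import java.util.*;

// Simplified model of a provider chain; these types are hypothetical stand-ins,
// not the Acegi interfaces.
public class ProviderChainDemo {
    interface Provider {
        // Returns the granted roles, or null to decline so the next provider can try.
        List<String> authenticate(String user, String password);
    }

    // Test-only provider: declines unknown users, but still verifies the password.
    static class InMemoryProvider implements Provider {
        private final Map<String, String[]> users = new HashMap<>();
        InMemoryProvider() {
            // Constructed sample entry: password first, then roles (as in the userMap).
            users.put("testuser1", new String[] {"password", "ROLE_3"});
        }
        public List<String> authenticate(String user, String password) {
            String[] entry = users.get(user);
            if (entry == null || !entry[0].equals(password)) return null;
            return Arrays.asList(entry).subList(1, entry.length);
        }
    }

    // Stand-in for the real (LDAP-backed) provider, with one constructed account.
    static class DirectoryProvider implements Provider {
        public List<String> authenticate(String user, String password) {
            boolean ok = "alice".equals(user) && "s3cret".equals(password);
            return ok ? Arrays.asList("ROLE_USER") : null;
        }
    }

    // First non-null result wins; null means every provider declined (login fails).
    static List<String> login(List<Provider> chain, String user, String password) {
        for (Provider p : chain) {
            List<String> roles = p.authenticate(user, password);
            if (roles != null) return roles;
        }
        return null;
    }

    public static void main(String[] args) {
        List<Provider> chain = new ArrayList<>();
        // The test provider joins the chain only when explicitly enabled (assumed flag).
        if (Boolean.getBoolean("auth.testUsers")) chain.add(new InMemoryProvider());
        chain.add(new DirectoryProvider());
        System.out.println(login(chain, "alice", "s3cret"));       // real user
        System.out.println(login(chain, "testuser1", "password")); // test user
    }
}
```

Running it with `-Dauth.testUsers=true` includes the test provider; without the flag the test account cannot authenticate, so a forgotten provider definition does not by itself expose test users in a production deployment.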
