Announcement Announcement Module
Collapse
No announcement yet.
Multiple ProviderManagers ignoring custom AuthenticationProvider Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Multiple ProviderManagers ignoring custom AuthenticationProvider

    I have a custom AuthenticationProvider (basically a POJO-based DAO UserDetailsService) that handles loading users from the Postgres DB. I've tried to configure Spring Security 3 to use this custom AuthenticationProvider and I simply cannot get it to use my custom provider.

    I set a breakpoint on the "getProviders" method of ProviderManager and it is throwing an exception saying I don't have any AuthenticationProviders configured. This is hooey. I've tried configuring the ProviderManager using the namespace handler and using a straight bean configuration, using the special bean id of "org.springframework.security.authenticationManage r". In the debugger, the ProviderManager it's looking at is NOT the one I configured in my application context. If a ProviderManager has a parent set, why doesn't it bounce the call to getProviders up the chain? I can see that this other ProviderManager (that I didn't configure and appears to be created magically) is being configured with the ProviderManager I DID configure as the parent, but that doesn't make any difference because it's not using it to find the provider to use.

    What am I doing wrong here? This seems like it should be a simple thing. All the messages on this forum that relate to a problem like this simply direct people to the documentation (which I've read 3 times), so I guess I'm the only one using a custom AuthenticationProvider and Spring 3 and having trouble getting it working?

    I've tried configuring using beans like (authProvider is a bean that extends AbstractUserDetailsAuthenticationProvider):

    Code:
      <bean id="org.springframework.security.authenticationManager"
            class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
          <list>
            <ref bean="authProvider"/>
          </list>
        </property>
      </bean>
    and:

    Code:
      <security:authentication-manager>
        <security:authentication-provider ref="authProvider"/>
      </security:authentication-manager>
    Both configurations result in the exception:

    Code:
    java.lang.IllegalArgumentException: A list of AuthenticationProviders is required
    	at org.springframework.security.authentication.ProviderManager.getProviders(ProviderManager.java:182)
    	at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:113)
    	at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
    	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:98)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    	etc...
    Please help!

  • #2
    Could be a bug. Please post a test case to Jira with your full configuration.

    Comment


    • #3
      I'm guessing you are using an <http> block in your configuration and have disabled anonymous authentication (i.e. you have <anonymous enabled='false' />) ? If so, then it is a bug.

      https://jira.springsource.org/browse/SEC-1317

      Comment


      • #4
        Originally posted by Luke Taylor View Post
        I'm guessing you are using an <http> block in your configuration and have disabled anonymous authentication (i.e. you have <anonymous enabled='false' />) ? If so, then it is a bug.
        Right on the money.

        So how do I work around this issue in the meantime? Is there a way I can "simulate" having anonymous authentication turned off? Do I need to throw an exception or something in my custom decision manager if I see anonymous logged in?

        Thanks for the help.

        UPDATE: I added code to my custom AccessDecisionManager to throw an InsufficientAuthenticationException if ROLE_ANONYMOUS is detected in the GrantedAuthoritys. This is not ideal, but forces a login prompt at least, and is basically what I wanted with <security:anonymous enabled='false'/>.
        Last edited by J. Brisbin; Dec 7th, 2009, 02:12 PM.

        Comment

        Working...
        X