
  • Dynamic authentication configuration

    I have a requirement to authenticate from LDAP and database. The caveat is that, depending on a database flag, the authentication may fall into one of the following 3 categories:
    1. Only LDAP.
    2. Only database.
    3. LDAP and database.
    Can anyone suggest a configuration that can handle this? I can have 2 authentication providers for case 3 but how do I skip one for case 1 or 2? I am using Spring Security 3.0.3.
    All comments are appreciated.
    Last edited by asarkar; Aug 4th, 2010, 06:34 PM. Reason: Added information about Spring Security version

  • #2
    Maybe I got your requirement wrong, but I guess you might already be doing this:

            <!-- DB Provider -->
            <authentication-provider ref="dbAuthProvider"/>
            <!-- LDAP Provider -->
            <authentication-provider ref="ldapAuthProvider"/>
    This polls both DB and LDAP one by one and the authentication info might be at any one.


    • #3
      The requirement is to use a DB provider and/or an LDAP provider. As you have shown, I can certainly use both, but how do I skip one if needed (cases 1 and 2 in OP)?


      • #4
        That's my point: why do you want to skip one? Let Spring Security check the first and, if it fails, let it check the second. I understand it has a bit of performance overhead, but considering login is just a one-time activity per session, it shouldn't be that big a deal.


        • #5
          Originally posted by kedi:
          Why you want to skip one, let the spring security check on first and if it fails, let it check second.
          The user could be present in both places! Ours is a legacy system and login information is in the process of being migrated from DB to LDAP. For users who are already migrated to LDAP, we need to use LDAP authentication. Note that those users would also be present in the DB. And then there are some users that are not yet migrated. They can only be authenticated against DB.
          Thinking about it, can I stop the 2nd provider from processing if the user is successfully authenticated by the first provider itself? If yes, I can probably set up LDAP as the first provider.


          • #6
            Okay, got your point. In that case, I am not very sure if Spring Security would skip the second provider if the 1st authenticates successfully. But the javadoc of ProviderManager states:

            AuthenticationProviders are usually tried in order until one provides a non-null response. A non-null response indicates the provider had authority to decide on the authentication request and no further providers are tried. If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded and the successful authentication will be used.

            from :

            So you should be fine. Otherwise, a last resort may be writing your custom AuthenticationManager.
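
An added example, not part of the thread and not Spring Security's own code: per the javadoc quoted above, a failed LDAP attempt is disregarded if the DB provider then succeeds, so a migrated user could still log in with the old DB password when both providers are simply listed. One way to cover all three cases is a single provider that reads the flag and calls only the delegate(s) it names. `AuthSource`, `AuthSourceLookup` and the class name are hypothetical, and case 3 is assumed to mean that both stores must accept the credentials.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Added example: picks the delegate per user, so ProviderManager never falls through. */
public class FlagRoutingAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical values of the database flag from the first post. */
    public enum AuthSource { LDAP_ONLY, DB_ONLY, LDAP_AND_DB }

    /** Hypothetical lookup of that flag; returns null for an unknown user. */
    public interface AuthSourceLookup { AuthSource sourceFor(String username); }

    private final AuthSourceLookup lookup;
    private final AuthenticationProvider ldap;  // e.g. the ldapAuthProvider bean
    private final AuthenticationProvider db;    // e.g. the dbAuthProvider bean

    public FlagRoutingAuthenticationProvider(AuthSourceLookup lookup,
            AuthenticationProvider ldap, AuthenticationProvider db) {
        this.lookup = lookup; this.ldap = ldap; this.db = db;
    }

    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        AuthSource source = lookup.sourceFor(auth.getName());
        if (source == null) {
            // Same error as a wrong password, so the response does not reveal which users exist.
            throw new BadCredentialsException("Bad credentials");
        }
        switch (source) {
            case LDAP_ONLY: return required(ldap, auth);
            case DB_ONLY:   return required(db, auth);
            default:
                // Assumption: case 3 means both stores must accept the credentials.
                required(db, auth);
                return required(ldap, auth);
        }
    }

    // A null result means the delegate abstained; treat it as a failure, never as success.
    private static Authentication required(AuthenticationProvider p, Authentication auth) {
        Authentication result = p.authenticate(auth);
        if (result == null) throw new BadCredentialsException("Bad credentials");
        return result;
    }

    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register this bean as the only `<authentication-provider ref="..."/>` entry, with `dbAuthProvider` and `ldapAuthProvider` passed in as constructor arguments, so neither delegate is tried a second time by the manager.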