  • Can't access custom AuthenticationProvider?

    I'm using Spring Security 3 for the first time, and am having problems with the XML configuration.

    Whatever I do, my custom AuthenticationProvider isn't being called.

    	<http>
    		<intercept-url pattern="/admin/*.zul" access="ROLE_SYS_ADMIN" />
    		<intercept-url pattern="/project/*.zul" access="ROLE_PROJECT_ADMIN" />
    		<intercept-url pattern="/**" access="ROLE_SYS_ADMIN" />
    		<anonymous username="guest" granted-authority="ROLE_GUEST" />
    		<http-basic />
    	</http>
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="BerthierAuthenticationProvider" />
    	</authentication-manager>
    	<!-- the bean's class attribute is not shown in the post -->
    	<beans:bean id="BerthierAuthenticationProvider" class="...">
    		<beans:property name="identityDAO" ref="IdentityDAO" />
    	</beans:bean>
    Any ideas?

  • #2
    Does it work if you use one of the existing AuthenticationProviders? A common mistake when writing a custom AuthenticationProvider is not implementing the supports method correctly. If it never returns true the authenticate method will never be called. Take a look at an existing AuthenticationProvider (like AbstractUserDetailsAuthenticationProvider) for an example.


    • #3
      I've just managed to figure out the answer, as follows...

      	<authentication-manager alias="authenticationManager">
      		<authentication-provider user-service-ref="BerthierAuthenticationProvider">
      			<password-encoder hash="md5"/>
      		</authentication-provider>
      	</authentication-manager>
      My custom authentication provider class implements both UserService and AuthenticationProvider. This works, which is enough for now.

      Though it's not clear to me what the real difference is between UserService and AuthenticationProvider.


      • #4
        UserService is a subfunction of a typical AuthenticationProvider that does password-based comparison. The UserService only needs to return a UserDetails which will then be used by the DaoAuthenticationProvider to compare the username / password. An AuthenticationProvider has more flexibility in that it does not require a username/password to be used.


        • #5
          Originally posted by davout:
          "Though it's not clear to me what the real difference is between UserService and AuthenticationProvider."
          UserDetailsService is a DAO which can optionally be used to load user data for authentication purposes. It only loads data and doesn't authenticate the user. You don't need one unless you are using an AuthenticationProvider (or some other component) which is configured with one.

          An AuthenticationProvider actually authenticates the user and you need at least one of these, whether or not it uses a UserDetailsService.
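
The two points made in replies #2 and #5, shown together as an added example that is not part of the original thread or the poster's code: a provider whose supports() accepts the token type the filters create, and which delegates only the data lookup to a UserDetailsService. The class name ExampleAuthenticationProvider is hypothetical, and the PasswordEncoder used is the org.springframework.security.crypto one, which assumes Spring Security 3.1 or later.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class; register it with <authentication-provider ref="..."/>.
public class ExampleAuthenticationProvider implements AuthenticationProvider {
    private final UserDetailsService userDetailsService; // only loads user data
    private final PasswordEncoder passwordEncoder;       // verifies the stored hash

    public ExampleAuthenticationProvider(UserDetailsService uds, PasswordEncoder encoder) {
        this.userDetailsService = uds;
        this.passwordEncoder = encoder;
    }

    // ProviderManager checks this first and skips the provider when it returns false.
    // <http-basic/> and form login both create a UsernamePasswordAuthenticationToken.
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(username); // data lookup only
        } catch (UsernameNotFoundException e) {
            // Same error as a wrong password, so responses do not reveal valid usernames.
            throw new BadCredentialsException("Bad credentials");
        }
        if (!passwordEncoder.matches(credentials.toString(), user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        // The three-argument constructor marks the returned token as authenticated.
        return new UsernamePasswordAuthenticationToken(user, credentials, user.getAuthorities());
    }
}
```

This mirrors what DaoAuthenticationProvider already provides when configured with user-service-ref, and it leaves out the account status checks (isEnabled, isAccountNonLocked and so on) that the built-in provider performs.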