Announcement Announcement Module
No announcement yet.
Spring Security - local and remote authentication Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security - local and remote authentication

    Hi I'm using spring security to secure a Web application using role based security and a user details service where the users are stored in a db.

    All ok so far - however I need now to authenticate on a remote system as well via a web service call.

    So user logs into Web app, gives user name and password - auth passes locally - then the same details need to be sent over a web service call to authenticate against a remove system.

    Is there any way I can put this web service call into the spring security call stack?

    so a use-case is - you have a user account locally(within the webapp) and its valid - but your Company level access has been revoked(discovered by webservice call)

    Any help would be appreciated - even just a steer in the right direction !

  • #2
    Sounds like something that would be better achieved with an SSO system where the account status is controlled in a single place.

    Also, in your description, why do you need to authenticate as the user to the web service? This sounds more like a check by the app as to whether a user is allowed to authenticate, rather than something that should be done as the user themselves.


    • #3
      Hi Luke, An SSO solution would fit better but Im not able to push that kind of thing and have to make do with what's exposed to me.

      To make it a little more clear
      heres the flow

      1. user provides - username and password via login page to Spring Security
      2. The UserDetails service retrieves the locally stored username and password
      3. The UserDetails service returns them spring security
      4. Spring security checks the roles and permissions
      5. A web service call is made with the username and password to check that the user is still "ok" within the company - the web service will return
      user expired, account locked, password expired...
      6. if both spring sec and the ws call are ok we let the user login

      step 5 could happen after step 1?

      bear in mind Im a spring security noob !



      • #4
        Again, I can't see any reason for duplicating the same password information within the application and the company as a whole. How are they kept in sync? Why not just use the web service as the actual authentication mechanism, so that a user can't log in at all if they aren't supposed to?


        • #5
          Hi Luke, yes we are not disagreeing there is a synch issue and also ultimately we wont be storing the password locally - just the role based information.

          I could change the user details service to call the web service - how do I get the password to send onto the webservice?

          loadUserByUsername(String username){

          //call webservice & catch authentication exception
          authicateWS(username, password)
          // create user details object with role details retrieved from the db
          ud = new UserDetails();

          ud.setAccountNonExpired(“from webservice”);
          ud.setAccountNonLocked(“from webservice);
          ud.setCredentialsNonExpired(“from webservice”);
          ud.setEnabled(“from webservice”);
          ud.setPassword(“from webservice”);

          return ud;



          • #6
            Implement AuthenticationProvider directly, rather than UserDetailService and call the authentication service from there.