
  • disabling default RememberMeAuthenticationProvider

    By default, Spring's RememberMeAuthenticationProvider is called for remember-me authentication. How can I disable that?
    I tried inserting a property with a list of AuthenticationProviders, but it didn't work.
    Code:
    <security:http access-decision-manager-ref="accessDecisionManager" access-denied-page="/home.htm?failed=true">
        <security:session-management session-authentication-strategy-ref="sessionFixation" invalid-session-url="/home.htm" />
        <security:intercept-url pattern="/myaccount_landing_page.htm" access="ROLE_CUSTOMERGROUP,ROLE_EMPLOYEEGROUP" requires-channel="https" />
        <security:port-mappings>
            <security:port-mapping http="9001" https="9002" />
            <security:port-mapping http="80" https="443" />
        </security:port-mappings>
        <security:form-login login-page="/standardlogin.htm" authentication-success-handler-ref="authenticationSuccessHandler" authentication-failure-handler-ref="authenticationFailureHandler" />
        <security:logout logout-url="/j_spring_security_logout" logout-success-url="/home.htm" invalidate-session="true" />
        <security:anonymous username="anonymous" />
        <security:remember-me services-ref="rememberMeServices" key="88336b5bb2a1cc21bac7cf33fd451270"/>
    </security:http>

    <bean id="sessionFixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>

    <security:global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager"/>

    <security:authentication-manager alias="theAuthenticationManager">
        <security:authentication-provider ref="authenticationProvider" />
        <security:authentication-provider ref="ecomRememeberMeAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="authenticationSuccessHandler" class="com.entertainment.ecom.web.auth.EcomAuthenticationSuccessHandler">
        <constructor-arg value="/firstpage.htm"></constructor-arg>
    </bean>

    <bean id="authenticationFailureHandler" class="com.entertainment.ecom.web.auth.EcomAuthenticationFailureHandler">
        <constructor-arg value="/home.htm?failed=true"></constructor-arg>
    </bean>

    <bean id="authenticationProvider" parent="ecomAuthenticationProvider" scope="tenant"/>

    <bean id="ecomAuthenticationProvider" class="com.entertainment.ecom.web.auth.EcomAuthenticationProvider" scope="tenant" abstract="true" />

    <util:set id="authorizedGroups" value-type="java.lang.String">
        <value>customergroup</value>
    </util:set>

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <bean id="notInitializedVoter" class="de.hybris.platform.spring.security.voter.HybrisNotInitializedVoter" />
                <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
                <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </property>
    </bean>

    <bean id="ecomUserDetailsService" class="com.entertainment.ecom.web.auth.EcomUserDetailsService"/>

    <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="theAuthenticationManager"/>
        <property name="filterProcessesUrl" value="/j_spring_security_check"/>
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
        <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
    </bean>

    <bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices"/>
        <property name="authenticationManager" ref="theAuthenticationManager" />
    </bean>

    <bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="ecomUserDetailsService"/>
        <property name="key" value="88336b5bb2a1cc21bac7cf33fd451270"/>
        <property name="parameter" value="_spring_security_remember_me"/>
        <property name="cookieName" value="ENTC"/>
        <property name="tokenValiditySeconds" value="80000"/>
    </bean>

    <bean id="ecomRememeberMeAuthenticationProvider" parent="rememberUserAuthenticationProvider" scope="tenant" />

    <bean id="rememberUserAuthenticationProvider" class="com.entertainment.ecom.web.auth.EcomRememeberMeAuthenticationProvider" scope="tenant" abstract="true">
        <property name="key" value="88336b5bb2a1cc21bac7cf33fd451270"/>
    </bean>

    <bean id="myfilterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/firstpage.htm" filters="authenticationFilter,rememberMeFilter"/>
        </security:filter-chain-map>
    </bean>
    Last edited by sand_sio2; Mar 14th, 2011, 11:13 AM.

  • #2
    I'm not sure what you mean by disable RememberMeAuthenticationProvider. You can disable remember me by removing the <security:remember-me /> element. If this is not what you meant, can you please elaborate?



    • #3
      want to call custom RememberMe authentication provider first

      If we configure
      Code:
      <security:remember-me services-ref="rememberMeServices" key="88336b5bb2a1cc21bac7cf33fd451270"/>
      Spring will try to authenticate the request with org.springframework.security.authentication.RememberMeAuthenticationProvider when the Authentication object is of type RememberMeAuthenticationToken.

      The authentication providers in the following configuration will be called only after the default authentication provider above.
      Code:
      <security:authentication-manager alias="theAuthenticationManager">
          <security:authentication-provider ref="authenticationProvider" />
          <security:authentication-provider ref="ecomRememeberMeAuthenticationProvider"/>
      </security:authentication-manager>
      But I want to use a custom authentication provider without changing RememberMeServices, RememberMeAuthenticationToken, or RememberMeAuthenticationFilter.
      Last edited by sand_sio2; Mar 15th, 2011, 08:24 AM.



      • #4
        If you want to customize remember me authentication, I would provide a custom RememberMeServices (that perhaps just extends one of the current implementations). This is easier to hook in using the namespace configuration and since the RememberMeServices.autoLogin method is already doing authentication it logically makes sense to do.

        If you really want a custom AuthenticationProvider instead of using a custom RememberMeServices, you can use standard bean configuration for remember me (See the source for AuthenticationConfigBuilder on what the namespace does) or a BeanPostProcessor as mentioned in the FAQ.

        Comment
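
The first suggestion in #4, as an added example (not code from the thread or from Spring Security itself): a subclass of TokenBasedRememberMeServices that keeps the stock cookie validation and adds one application check before auto-login. The class name, package and the allowedAuthorities property are hypothetical, and the setter-based construction assumes the Spring Security 3.0.x style used in the configuration in the first post.

```java
package example; // hypothetical package, not from the thread

import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Hypothetical subclass: keeps the stock cookie validation and adds one
 * application check before a remembered user is logged in automatically.
 */
public class RestrictedRememberMeServices extends TokenBasedRememberMeServices {

    // Authorities allowed to log in from a remember-me cookie (injected as a bean property).
    private Set<String> allowedAuthorities;

    public void setAllowedAuthorities(Set<String> allowedAuthorities) {
        this.allowedAuthorities = allowedAuthorities;
    }

    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens,
            HttpServletRequest request, HttpServletResponse response) {
        // Stock behaviour first: token expiry, user lookup and signature check.
        UserDetails user = super.processAutoLoginCookie(cookieTokens, request, response);

        // Added check: fail closed unless the user holds an allowed authority.
        if (allowedAuthorities != null) {
            for (GrantedAuthority authority : user.getAuthorities()) {
                if (allowedAuthorities.contains(authority.getAuthority())) {
                    return user;
                }
            }
        }
        // autoLogin() in the base class handles this as a failed remember-me attempt.
        throw new RememberMeAuthenticationException(
                "Remember-me login not permitted for " + user.getUsername());
    }
}
```

Wire it by changing the class attribute of the existing rememberMeServices bean and setting allowedAuthorities; the namespace-registered RememberMeAuthenticationProvider still verifies the token key afterwards.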
