  • Second Authentication Provider not getting invoked

    I have 2 authentication providers. One is LDAP to verify password. If that is successful, I want it to go through another verification process against our local database. If that fails, I don't want the login to succeed. The LDAP side works, but the second authentication never gets executed. Why is that?

    If I take the <authentication-provider user-service-ref="userService" /> line and put it as the first entry above ldap-authentication-provider, then I can see that it executes my service, but even though I explicitly throw a UsernameNotFoundException, it goes ahead to the second step, which is ldap validation. If that succeeds, then it allows the user to go through.

    So either way I am stuck. I am unable to use a combination of ldap authentication and local customized authentication logic.

    These are my files:

    -- applicationcontext-security.xml --
    <global-method-security pre-post-annotations="enabled"/>
    <ldap-server id="ldap_server" url="ldap://......."
                 manager-dn="${ldap.userDn}"
                 manager-password="${ldap.password}"/>

    <authentication-manager>
        <ldap-authentication-provider group-search-filter="(member={0})"
                                      server-ref="ldap_server"
                                      user-search-base="DC=smrcy,DC=com"
                                      group-search-base="OU=Applications,OU=Resource,OU=MercyGroups,DC=smrcy,DC=com"
                                      user-search-filter="(&amp;(sAMAccountName={0})(objectclass=user))"
                                      group-role-attribute="cn"
                                      role-prefix="ROLE_">
        </ldap-authentication-provider>
        <authentication-provider user-service-ref="userService" />
    </authentication-manager>

    <http auto-config="true" use-expressions="true" >
        <intercept-url pattern="/login" access="hasRole('ROLE_ANONYMOUS')" />
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-processing-url="/j_spring_security_check"
                    login-page="/login"
                    default-target-url="/mainMenu"
                    authentication-failure-url="/login?login_error=1"/>
        <logout logout-success-url="/login?loggedout=true"/>
    </http>

    -- UserService.java --
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.dao.DataAccessException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    @Service("userService")
    public class UserService implements UserDetailsService {
        @Autowired
        private UserRepository userRepository;

        @Override
        public UserDetails loadUserByUsername(String userId)
                throws UsernameNotFoundException, DataAccessException {
            // getUser() is a helper of the poster's that is not shown in the post
            Authentication authentication = getUser();
            if (authentication != null) {
                User user = userRepository.findByUserId(userId);
                if (user != null) {
                    user.setAuthentication(authentication);
                    return user;
                } else {
                    throw new UsernameNotFoundException("Invalid login credentials");
                }
            }
            // no current authentication: reject the lookup
            throw new UsernameNotFoundException("Invalid login credentials");
        }
    }


    -- User.java --
    @Entity
    public class User extends AbstractEntity implements UserDetails {
        ...
    }

  • #2
    From the Javadoc for ProviderManager (the default AuthenticationManager implementation) -

    AuthenticationProviders are usually tried in order until one provides a non-null response. A non-null response indicates the provider had authority to decide on the authentication request and no further providers are tried. If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded and the successful authentication will be used.

    It sounds like you may want to either create a custom AuthenticationManager, or modify the default behavior of LdapAuthenticationProvider through subclassing.

    Hope that helps!
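    One way to get the "both checks must pass" behaviour the question asks for, as an added example that is not code from this thread: a single AuthenticationProvider that wraps the LDAP provider and the poster's userService, so ProviderManager only ever sees one provider and its first-non-null rule no longer lets either check be skipped. The class name, field names and the assumption that the LDAP provider is available as an injectable bean are all mine.

    ```java
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    // Hypothetical provider (not from the thread): LDAP and the local database must BOTH
    // accept the user, which ProviderManager's "first non-null wins" rule cannot express.
    public class LdapAndLocalAuthenticationProvider implements AuthenticationProvider {
        private final AuthenticationProvider ldapProvider; // an LdapAuthenticationProvider bean
        private final UserDetailsService localUsers;       // the poster's userService
        public LdapAndLocalAuthenticationProvider(AuthenticationProvider ldapProvider,
                                                  UserDetailsService localUsers) {
            this.ldapProvider = ldapProvider;
            this.localUsers = localUsers;
        }
        @Override
        public Authentication authenticate(Authentication request) throws AuthenticationException {
            // Step 1: LDAP must accept the password; its exceptions propagate and fail the login.
            Authentication ldapResult = ldapProvider.authenticate(request);
            if (ldapResult == null) {
                // null means "not my decision"; never let that fall through as a success.
                throw new BadCredentialsException("Invalid login credentials");
            }
            // Step 2: the user must also exist, and be usable, in the local database.
            UserDetails local;
            try {
                local = localUsers.loadUserByUsername(ldapResult.getName());
            } catch (UsernameNotFoundException e) {
                // Same message for every failure so the response does not reveal which check failed.
                throw new BadCredentialsException("Invalid login credentials", e);
            }
            if (!local.isEnabled() || !local.isAccountNonLocked()) {
                throw new BadCredentialsException("Invalid login credentials");
            }
            // Principal and roles come from the local record; merge in ldapResult.getAuthorities() to keep LDAP roles.
            UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                    local, ldapResult.getCredentials(), local.getAuthorities());
            result.setDetails(request.getDetails());
            return result;
        }
        @Override
        public boolean supports(Class<?> authentication) {
            return ldapProvider.supports(authentication);
        }
    }
    ```

    Register it with a single `<authentication-provider ref="..."/>` in place of the two providers shown in the question, declaring the LdapAuthenticationProvider as an ordinary bean so it can be injected into the wrapper.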
