Using other authentication services

So far we have seen just one way to implement authentication with Spring. I chose a basic authentication example like this one because it is an easy introduction to Spring Security, but that does not mean you should deploy this technique on your company's production site. You will probably be much better off storing users on an LDAP server and using Spring's LDAP Authentication Provider to retrieve the user details. That method is described here.

As always, Spring provides us with many ways of doing things. For implementing authentication, we have quite a range of techniques. There are really two choices we have to make: how to store users and how to retrieve users.

Storing users and passwords

Here are a few options for storing users and passwords with Spring.

1. In our local database
2. In a Spring Security configuration file, like security-context.xml (with or without password hashing)
3. On an LDAP server
4. In another location

Retrieving user information

Here are a few options for retrieving the user information with Spring.

(And don't forget to check out this official reference. Some of the examples here are from section 2.2.3.)

1. The JdbcUserDetailsManager

In the previous example, without realizing it, we used the JdbcUserDetailsManager, which is the bean behind the jdbc-user-service that we configured in security-context.xml.

<security:authentication-manager>
	<security:authentication-provider>
		<security:jdbc-user-service data-source-ref="dataSource"/>
	</security:authentication-provider>
</security:authentication-manager>

The JdbcUserDetailsManager assumes certain defaults, and queries the users table by itself, unless we specify something like this:

<jdbc-user-service data-source-ref="dataSource" 
    authorities-by-username-query="select username,authority from users where username=?"/>

2. Retrieving users from an xml file

It's possible to just configure all the users in an XML file, so there is no need for the database here! I found this code example here. Of course, the passwords are not much of a secret once you know that the hashing algorithm is MD5: with no salt configured, an MD5 hash of a dictionary word gives very little protection, so treat this as a demo setup only. Anyway, this example works just like the example above, except there is no database.

<!--
    Usernames/Passwords are
        rod/koala
        dianne/emu
        scott/wombat
        peter/opal
-->
<authentication-manager>
    <authentication-provider>
        <password-encoder hash="md5"/>
        <user-service>
            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
            <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

3. Using your own custom implementation of UserDetailsService to get users

You can also create your own custom implementation of Spring Security’s UserDetailsService to get user information. If you call this bean “myUserDetailsService” in your application context, then you can authenticate against it like this:

<authentication-manager>
    <authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
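
One way to write such a service, as an added example that is not code from the original post: it loads accounts from a table whose layout differs from the defaults the JDBC implementations expect. The class name, the app_account table and its columns are assumptions made for illustration, and the lambda requires Java 8.

```java
// Added example. The app_account table and its column names are assumptions.
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyUserDetailsService implements UserDetailsService {

    // Hypothetical schema: app_account(login, pw_hash NOT NULL, active, roles),
    // where roles holds a comma-separated list such as "ROLE_USER,ROLE_TELLER".
    private static final String FIND_ACCOUNT =
        "select login, pw_hash, active, roles from app_account where login = ?";

    private final JdbcTemplate jdbc;

    public MyUserDetailsService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The submitted name is a bound parameter, never concatenated into the SQL text.
        List<UserDetails> matches = jdbc.query(FIND_ACCOUNT, (rs, rowNum) -> {
            String roles = rs.getString("roles");
            List<GrantedAuthority> authorities = (roles == null)
                ? AuthorityUtils.NO_AUTHORITIES
                : AuthorityUtils.commaSeparatedStringToAuthorityList(roles);
            // Only "enabled" comes from the table; the other three account flags are fixed to true.
            // The stored hash is returned as-is: the authentication provider compares it
            // with the submitted password using its configured password-encoder.
            return new User(rs.getString("login"), rs.getString("pw_hash"),
                            rs.getBoolean("active"), true, true, true, authorities);
        }, username);

        // Zero rows and an ambiguous match are reported the same way: no such user.
        if (matches.size() != 1) {
            throw new UsernameNotFoundException("User not found");
        }
        return matches.get(0);
    }
}
```

Register the class as a bean with the id myUserDetailsService, passing the dataSource as its constructor argument, and the user-service-ref shown above will pick it up.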

4. Use an existing implementation of UserDetailsService

There already exist several implementations of UserDetailsService, so you don't have to create your own. Among these are CachingUserDetailsService, InMemoryDaoImpl, JdbcDaoImpl, JdbcUserDetailsManager, LdapUserDetailsManager, LdapUserDetailsService, and UserDetailsServiceWrapper. Here's how to configure JdbcDaoImpl. Note that it has a dependency, the dataSource, which we define in another configuration file.

  <authentication-manager>
    <authentication-provider user-service-ref='myUserDetailsService'/>
  </authentication-manager>
 
  <beans:bean id="myUserDetailsService"
      class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource"/>
  </beans:bean>

5. Use an LDAP Authentication Provider

I won’t attempt to explain this. Check out this great reference here for more information about that.
