Authenticate users with SpringSecurity using a WebService that requires a username and password

Currently I am writing a web application using Spring Security. We have a web service which authenticates users by username and password.

Web service:
String[] login(String username, String password);

How do I configure Spring Security to pass the provided username and password to the web service?

I have written a UserDetailsService which only receives a username.


I think the problem is with your XML. Did you turn off the auto-config? And does your class extend AbstractUserDetailsAuthenticationProvider?

Stefan asked Jul 23 '09 11:07


2 Answers

Extend org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider

/**
 * @author rodrigoap
 * 
 */
public class WebServiceUserDetailsAuthenticationProvider extends
    AbstractUserDetailsAuthenticationProvider {

  @Override
  protected UserDetails retrieveUser(String username,
        UsernamePasswordAuthenticationToken authentication)
        throws AuthenticationException {
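    // Improve this line:
    String password = authentication.getCredentials().toString();
    // Invoke your webservice here
    GrantedAuthority[] grantedAuth = loginWebService.login(username, password);
    // create UserDetails. Warning: User is deprecated!
    UserDetails userDetails = new User(username, password, grantedAuth);
    return userDetails;
  }

  @Override
  protected void additionalAuthenticationChecks(UserDetails userDetails,
        UsernamePasswordAuthenticationToken authentication)
        throws AuthenticationException {
    // Abstract in the base class, so it must be implemented. Nothing to do
    // here: the web service already checked the password in retrieveUser.
  }

}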

rodrigoap answered Sep 27 '22 21:09


I have written the following class:

PncUserDetailsAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider

Which implements the retrieveUser method:

@Override
protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken token) throws AuthenticationException {
    try {
        server = (PncUtilRemote) new InitialContext().lookup("PncUtilBean");
        if (server != null) {
            String password = SHA1(token.getCredentials().toString());
            String[] auth = server.login(username, password);
            if (auth.length > 0) {
                PncUserDetails details = new PncUserDetails(username, password);
                for (int i = 0; i < auth.length; i++) {
                    details.addAuthority(auth[i]);
                }
                return details;
            }
        }
    } catch (Exception e) {
        System.out.println("! " + e.getClass().getName() + " in com.logica.pnc.security.PncUserDetailsAuthenticationProvider.retrieveUser(String, UsernamePasswordAuthenticationToken): " + e.getMessage());
    }
    throw new BadCredentialsException("");
}

To enable your AuthenticationProvider you need to add some lines to your application-context.xml file:

<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list><ref local="PncAuthenticationProvider" /></list>
    </property>
</bean>

<bean id="PncAuthenticationProvider" class="com.logica.pnc.security.PncUserDetailsAuthenticationProvider">
    <security:custom-authentication-provider />
</bean>

It is important that you set the auto-config to false:

<security:http auto-config="false" />

Thanks to rodrigoap for pointing to the AuthenticationProvider thingy :)

Stefan answered Sep 27 '22 22:09