Using both LDAP and DB authentication with Spring Security

I have an application that is used by two sets of users: internal users from the company and external customers. I have to perform authentication for both sets of users. The application is to be built using Spring Security. For internal users, LDAP AD authentication needs to be done, and for external users, authentication is to be done from a database. I am stuck here.

How can I use both types of authentication? The users can be differentiated based on their email IDs - for example, internal users will all have an email id ending with @company.com.

  1. In the Spring Security configuration, can it be done like this?

    <authentication-manager>
            <authentication-provider>
                <ldap-authentication-provider....>
                <db-authentication-provider......>  
            </authentication-provider>
    </authentication-manager>
    
  2. Then should I write a filter (that comes before spring security's filter) that selects users based on their login email IDs and directs them to the correct authentication manager? Is this redirection possible to be done here?

I am new to this. Thanks in advance.

DTnapaT asked Sep 08 '14 16:09

2 Answers

I had asked this question long back. I had got this implemented after pulling together resources. Over time, I had forgotten about this thread. Strange how time flies!! In any case, I just came back to share the answer to this. One way to implement this solution is by using multiple authentication providers.

Since the original question is using XML based configuration, I will continue with that. (I myself use Java based config now. Will try to add the java based solution in here later).

So first add the following in the security.xml - the main config file for spring security.

<authentication-manager>            
    <authentication-provider ref="customJdbcAuthProvider" />
    <authentication-provider ref="customLdapAuthProvider" />            
</authentication-manager>

Next, two beans will need to be added to the security.xml which will implement the backing functionality.

Entries in security.xml:

<bean:bean id="customJdbcAuthProvider" class="com.springapp.myapp.setup.CustomJdbcAuthProvider" />
<bean:bean id="customLdapAuthProvider" class="com.springapp.myapp.setup.CustomLdapAuthProvider" />

And finally the beans themselves. Each bean should implement the org.springframework.security.authentication.AuthenticationProvider interface.

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomJdbcAuthProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authObj)
            throws AuthenticationException {
        // code snippet to authenticate against DB
    }

    // ProviderManager only calls authenticate() on providers whose supports()
    // accepts the token type; form login produces UsernamePasswordAuthenticationToken.
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

And the corresponding bean to handle LDAP authentication. I had extended the org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider interface for this bean. Spring provides other API implementations as well.

// Class name matches the customLdapAuthProvider bean definition above.
public class CustomLdapAuthProvider extends AbstractLdapAuthenticationProvider {
  // code snippet to authenticate and authorize against company or local LDAP or Active Directory:
  // override doAuthentication(...) and loadUserAuthorities(...) here.
}

That should do the trick and have you running!! Please let me know if you need further details.

DTnapaT answered Oct 29 '22 17:10
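The answer above registers two providers and relies on ProviderManager trying them in order. The question's real requirement is that the two populations are distinguished by e-mail domain, and there is a security reason to enforce that rather than just "try AD, then fall back to the DB": if both backends will accept any username, an internal staff address that also exists as a row in the customer table can be authenticated by the weaker path. The gate below is an added example written for this page, not the answer's own code; the class name DomainGatedAuthenticationProvider, the buildManager helper and the domain "company.com" (taken from the question) are assumptions. It wraps a real provider and returns null for logins outside its population, which is ProviderManager's "not mine, try the next provider" signal, so internal addresses can only ever be authenticated by the LDAP/AD provider and external ones only by the JDBC provider.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Added example (hypothetical class, not from the original answer).
 * Wraps a real AuthenticationProvider and only lets it see logins whose
 * e-mail domain matches (matchDomain = true) or does not match
 * (matchDomain = false) the configured domain. Returning null from
 * authenticate() makes ProviderManager move on to the next provider.
 */
public class DomainGatedAuthenticationProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;
    private final String domain;       // e.g. "company.com" (assumed from the question)
    private final boolean matchDomain; // true: internal population, false: everyone else

    public DomainGatedAuthenticationProvider(AuthenticationProvider delegate,
                                             String domain, boolean matchDomain) {
        this.delegate = delegate;
        this.domain = domain.toLowerCase(Locale.ROOT);
        this.matchDomain = matchDomain;
    }

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String name = authentication.getName();
        if (name == null) {
            return null;
        }
        int at = name.lastIndexOf('@');
        boolean internal = at > 0
                && name.substring(at + 1).toLowerCase(Locale.ROOT).equals(domain);
        if (internal != matchDomain) {
            return null; // not this provider's population; let the next one try
        }
        // The delegate still does the actual password check; the gate only
        // decides which backend is allowed to see this login at all.
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)
                && delegate.supports(authentication);
    }

    /**
     * Assumed wiring helper: builds the same ProviderManager the XML
     * <authentication-manager> element produces, with each real provider
     * restricted to its own population. Order no longer matters for
     * correctness because the populations are disjoint.
     */
    public static ProviderManager buildManager(AuthenticationProvider ldapProvider,
                                               AuthenticationProvider jdbcProvider) {
        List<AuthenticationProvider> providers = Arrays.asList(
                new DomainGatedAuthenticationProvider(ldapProvider, "company.com", true),   // staff: AD only
                new DomainGatedAuthenticationProvider(jdbcProvider, "company.com", false)); // customers: DB only
        ProviderManager manager = new ProviderManager(providers);
        manager.setEraseCredentialsAfterAuthentication(true); // the default; keep it on
        return manager;
    }
}
```

With XML configuration the two gated instances can be declared as beans and referenced from `<authentication-provider ref="..."/>` exactly as in the answer; the real JDBC and LDAP providers become constructor arguments. Note that the gate only routes: each delegate must still reject an unknown user or a bad password itself, and an internal account with no AD entry must fail rather than fall through, which is exactly what returning null from the JDBC gate for @company.com addresses guarantees.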


I did something very similar. I have a company LDAP server and a local in-memory db for testing. I described my solution to someone else here. The tricky part was the UserDetailsService because, since I have a stateless application, I have to figure out which one to use when I don't know which authentication provider was used for authenticating. I wrote some custom stuff to handle that.

kim answered Oct 29 '22 17:10