|
Hi,
For our needs, we have 3 fields required to authenticate a user:
- account number
- username
- password

This allows accounts to create usernames that potentially might be the same in another account. However, this is not a problem as they are unique by account:username and working great in Grails.

The challenge is with the Spring-Core-Security plugin that only authenticates with username and password. I have done a lot of reading and tried to make it work. Here are some of the things I tried:
- SpringSecurityUtils.clientRegisterFilter
- AuthenticationProvider

What is the right way to accomplish this?

Thanks in advance,
Frik |
|
Ordinarily customizing how users login is best solved with a custom UserDetailsService (section "11 Custom UserDetailsService" in the docs) but that won't work if you need to capture extra information when logging in.
I'd go with a subclass of UsernamePasswordAuthenticationFilter to capture the extra parameter and store it in a subclass of UsernamePasswordAuthenticationToken that has a field for the extra parameter. Then implement a custom AuthenticationProvider that uses all three to log in. You could subclass DaoAuthenticationProvider but it might be cleaner to merge that logic with your UserDetailsService code since it's partitioned in Spring Security for flexibility but you don't need that in your app.

Note that the plugin subclasses UsernamePasswordAuthenticationFilter with RequestHolderAuthenticationFilter so you need to extend that.

Redefine the 'authenticationProcessingFilter' bean in resources.groovy with your RequestHolderAuthenticationFilter subclass and redefine the 'daoAuthenticationProvider' bean with your AuthenticationProvider implementation.

Burt

> Hi,
>
> For our needs, we have 3 fields required to authenticate a user:
> - account number
> - username
> - password
>
> This allows accounts to create usernames that potentially might be the same
> in another account. However, this is not a problem as they are unique by
> account:username and working great in Grails.
>
> The challenge is with the Spring-Core-Security plugin that only
> authenticates with username and password. I have done a lot of reading and
> tried to make it work. Here are some of the things I tried:
> - SpringSecurityUtils.clientRegisterFilter
> - AuthenticationProvider
>
> What is the right way to accomplish this?
>
> Thanks in advance,
> Frik
|
|
Burt,
Thanks for all the details. I believe that I have everything working now except that I am not sure how to create the UserDetails object once the user is authenticated.

I don't need a special UserDetails object after authentication, so the standard way of creating it is good. However, I am not sure how to do that. The only method I see is protected:

    protected UserDetails createUserDetails(user, Collection<GrantedAuthority> authorities) {

What is the best way to create the UserDetails object? I assume that I do not need to implement a custom UserDetailsService or custom UserDetails since I don't need anything special stored in it.

Thanks again,
Frik

On Nov 4, 2010, at 4:45 PM, burtbeckwith [via Grails] wrote:
> Ordinarily customizing how users login is best solved with a custom UserDetailsService (section "11 Custom UserDetailsService" in the docs) but that won't work if you need to capture extra information when logging in.
|
|
Hi,

I found the last piece to the puzzle. Thanks again for your help.

Kind regards,
Frik

On Nov 5, 2010, at 1:03 PM, Frik wrote:
> Burt,
|
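A sketch of the three pieces Burt describes, together with the standard UserDetails construction Frik asks about, added here as an example and not code posted in the thread or taken from the plugin. It assumes the Spring Security 3.0-era API and the 1.x plugin package name; the class names, the `accountNumber` request parameter, the unsalted password check and the `findUser` lookup closure are hypothetical.

```groovy
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.codehaus.groovy.grails.plugins.springsecurity.RequestHolderAuthenticationFilter
import org.springframework.security.authentication.*
import org.springframework.security.authentication.encoding.PasswordEncoder
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.GrantedAuthorityImpl
import org.springframework.security.core.userdetails.User

// Token carrying the third login field alongside username and password.
class AccountAuthenticationToken extends UsernamePasswordAuthenticationToken {
    final String accountNumber
    AccountAuthenticationToken(principal, credentials, String accountNumber) {
        super(principal, credentials)   // two-argument form: not yet authenticated
        this.accountNumber = accountNumber
    }
}

// Filter subclass: reads the extra parameter and submits a three-field token.
class AccountAuthenticationFilter extends RequestHolderAuthenticationFilter {
    @Override
    Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        def token = new AccountAuthenticationToken(
            obtainUsername(request)?.trim() ?: '', obtainPassword(request) ?: '',
            request.getParameter('accountNumber')?.trim() ?: '')   // assumed parameter name
        setDetails(request, token)
        authenticationManager.authenticate(token)
    }
}

// Provider: authenticates on the (account, username) pair plus password.
class AccountAuthenticationProvider implements AuthenticationProvider {
    PasswordEncoder passwordEncoder
    Closure findUser   // hypothetical: (account, username) -> [passwordHash:, enabled:, roles:] or null
    Authentication authenticate(Authentication auth) {
        def rec = findUser(auth.accountNumber, auth.name)
        // One exception for unknown account, unknown user, disabled user and wrong
        // password, so the response does not reveal which field was wrong.
        if (!rec || !rec.enabled ||
                !passwordEncoder.isPasswordValid(rec.passwordHash, auth.credentials as String, null)) {
            throw new BadCredentialsException('Bad credentials')
        }
        def authorities = rec.roles.collect { new GrantedAuthorityImpl(it) }
        // The stock UserDetails implementation; no custom UserDetails class needed.
        def principal = new User(auth.name, rec.passwordHash, true, true, true, true, authorities)
        def result = new UsernamePasswordAuthenticationToken(principal, null, authorities)
        result.details = auth.details
        result
    }
    // Only handle the three-field token, never a plain username/password token.
    boolean supports(Class authentication) { AccountAuthenticationToken.isAssignableFrom(authentication) }
}
```

As Burt notes, these replace the 'authenticationProcessingFilter' and 'daoAuthenticationProvider' beans in resources.groovy.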
