21

How can I define a custom Authentication provider by using Spring Security with Java Configurations? I would like to perform a login checking credentials on my own database.

vdenotaris
  • The Spring Security documentation gives you all the info you need - how to configure your configuration XML and endpoints. In addition, you will have to support flows like "create account", "forgot password", etc., for which you can use this open source project: https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows – OhadR Mar 24 '14 at 10:37

2 Answers

45

The following does what you need (CustomAuthenticationProvider is your implementation which needs to be managed by Spring)

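```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider customAuthenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /**
         * Do your stuff here
         */
    }

    // Registers the custom provider with the AuthenticationManager
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthenticationProvider);
    }
}
```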
geoand
  • 1
    Is it possible to register a custom authentication provider in addition to the existing ones? – Display name Jun 10 '16 at 10:23
  • @Seppl I don't think that something like that exists out of the box (although I could easily be mistaken), but I'm pretty sure that something like that could be implemented relatively easily. Check out [this](http://stackoverflow.com/a/36417101/2504224) – geoand Jun 10 '16 at 11:04
  • 1
    According to the Spring Docu, `auth.authenticationProvider()` will "Add authentication based upon the custom AuthenticationProvider that is passed in." I'd guess that you get a stack of providers in this way. – Christoph Grimmer Sep 20 '17 at 11:40
8

As shown on baeldung.com, define your authentication provider as follows:

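```java
import java.util.ArrayList;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) 
      throws AuthenticationException {

        String name = authentication.getName();
        String password = authentication.getCredentials().toString();

        // shouldAuthenticateAgainstThirdPartySystem is a placeholder for your own credential check
        if (shouldAuthenticateAgainstThirdPartySystem(name, password)) {

            // use the credentials
            // and authenticate against the third-party system
            return new UsernamePasswordAuthenticationToken(
              name, password, new ArrayList<>());
        } else {
            return null;
        }
    }

    // This provider only handles username/password tokens
    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(
          UsernamePasswordAuthenticationToken.class);
    }
}
```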

and the following code is the corresponding Java config:

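```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@ComponentScan("org.project.security")
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider authProvider;

    // Registers the custom provider with the AuthenticationManager
    @Override
    protected void configure(
      AuthenticationManagerBuilder auth) throws Exception {

        auth.authenticationProvider(authProvider);
    }

    // Requires authentication for every request, using HTTP Basic
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```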
moritz
M2E67
  • 7
    You just copied that straight from http://www.baeldung.com/spring-security-authentication-provider . While the answer is certainly helpful, attributing sources is necessary as well. – moritz Aug 07 '17 at 10:10
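
A database-backed provider of the kind the question asks for, as an added example that is not part of either answer: the table `app_users(username, password_hash, role)`, the class name `DatabaseAuthenticationProvider`, and the `JdbcTemplate` and `PasswordEncoder` beans it is constructed with are assumptions. It is registered through `auth.authenticationProvider(...)` in the same way as the provider in the configurations above.

```java
import java.util.List;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

// Added example. Assumed schema: app_users(username, password_hash, role).
@Component
public class DatabaseAuthenticationProvider implements AuthenticationProvider {
    private final JdbcTemplate jdbc;
    private final PasswordEncoder encoder;   // e.g. a BCryptPasswordEncoder bean
    private final String dummyHash;          // compared against when the user is unknown

    public DatabaseAuthenticationProvider(JdbcTemplate jdbc, PasswordEncoder encoder) {
        this.jdbc = jdbc;
        this.encoder = encoder;
        this.dummyHash = encoder.encode("dummy-password-never-used");
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        String name = authentication.getName();
        Object credentials = authentication.getCredentials();
        String password = credentials == null ? "" : credentials.toString();
        // Parameterized query: the user name is never concatenated into the SQL.
        List<String[]> rows = jdbc.query(
            "SELECT password_hash, role FROM app_users WHERE username = ?",
            (rs, i) -> new String[] { rs.getString(1), rs.getString(2) }, name);
        // Always run one hash comparison so unknown users take as long as known ones.
        boolean known = rows.size() == 1;
        boolean ok = encoder.matches(password, known ? rows.get(0)[0] : dummyHash);
        if (!known || !ok) {
            // Same error for an unknown user and a wrong password.
            throw new BadCredentialsException("Bad credentials");
        }
        // Credentials are set to null so the plaintext password is not kept in the token.
        return new UsernamePasswordAuthenticationToken(
            name, null, AuthorityUtils.createAuthorityList(rows.get(0)[1]));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```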