
I'm using Spring 4 with annotation-based configuration and I'm trying to get the Spring Security 4 remember-me (PersistentTokenRepository) feature working alongside my custom AuthenticationProvider.

In the official Spring Security documentation (http://docs.spring.io/spring-security/site/docs/current/reference/html/remember-me.html) there is a hint that you must have a UserDetailsService.

Is there a way to bypass this restriction? Because I need this custom AuthenticationProvider to check an authentication chain (LDAP, Database(s) etc) for different conditions until a user is allowed to log in. I don't think I can mimic this behaviour with a UserDetailsService. Or am I wrong? Any ideas are appreciated.

Oli
  • Why would you need a custom authentication provider for that? Spring Security already supports multiple mechanisms at once... But indeed you need a `UserDetailsService` for remember me functionality because that is the way the user details are retrieved when using remember me functionality. – M. Deinum Jan 20 '16 at 14:30
  • Thanks for your answer. But how can I achieve that assuming the following conditions: One user group is allowed to log in with a fixed username/password (demo user). Another group is allowed to log in if the LDAP login returns ok AND an LDAP attribute is set AND if an additional database value is set. The last group is allowed if LDAP returns ok BUT the LDAP attribute is not set. How to handle this without an AuthenticationProvider? Thanks – Oli Jan 20 '16 at 15:16
  • I nowhere said you don't need an `AuthenticationProvider`; I merely pointed out you probably don't need a custom one. Spring Security has a highly customizable `LdapProvider` already and the default `AuthenticationManager` is perfectly capable of chaining multiple `AuthenticationProvider`s. But still the remember-me functionality needs a `UserDetailsService` unless you implement your own functionality. – M. Deinum Jan 20 '16 at 19:20
  • Ok, now I'm a bit lost ;). Can you please provide some pseudocode / code snippets on how to use the "multiple mechanisms" you mentioned for this complex login scenario without implementing a custom AuthenticationProvider? Because I've read here on Stack Overflow (http://stackoverflow.com/questions/24745528/spring-security-ldap-and-remember-me) that you shouldn't use an AuthenticationProvider and a UserDetailsService at once (causing infinite loops). So I'm not sure how to combine these to support a multi-level login scenario as described and still be able to use remember me. – Oli Jan 22 '16 at 13:41
  • Build your own remember me solution ... – M. Deinum Jan 22 '16 at 13:57
  • Can you name a starting point? Is there any useful interface to implement so that it hooks into spring security (during login and logout)? – Oli Jan 25 '16 at 15:10

0 Answers
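An added example, not code from the thread or from Spring Security itself: one way to keep a custom `AuthenticationProvider` for interactive logins while giving remember-me the `UserDetailsService` it needs. Because a remember-me login never passes through the custom provider, the `UserDetailsService` here re-evaluates the login conditions on every auto-login and returns a disabled user when they no longer hold. `AccessPolicy`, its methods and the injected provider bean are hypothetical names, and the `persistent_logins` table is assumed to exist.

```java
import java.util.Collection;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.rememberme.*;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Hypothetical: the same LDAP/database conditions the custom provider checks. */
    public interface AccessPolicy {
        boolean isStillAllowed(String username);
        Collection<? extends GrantedAuthority> authoritiesFor(String username);
    }

    @Autowired private AuthenticationProvider customProvider; // hypothetical custom provider bean
    @Autowired private AccessPolicy accessPolicy;             // hypothetical policy bean
    @Autowired private DataSource dataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(customProvider); // handles username/password logins only
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .and().rememberMe()
                .tokenRepository(tokenRepository())
                // Used only to rebuild the user from a valid remember-me token.
                // enabled=false makes the account status check reject the auto-login.
                .userDetailsService(name -> new User(name, "", accessPolicy.isStillAllowed(name),
                        true, true, true, accessPolicy.authoritiesFor(name)));
    }

    @Bean
    public PersistentTokenRepository tokenRepository() {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource); // stores series/token pairs in persistent_logins
        return repo;
    }
}
```

The empty password is acceptable here because persistent-token remember-me validates the stored series and token values, not the user's password.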