I need to have custom authentication in Spring. It should be a simple class that takes the username and password provided by a user, compares them with some values, and authenticates based on that.

We are using a system made in GWT, our login form, on success, opens another page in a new window.

This is what I have attempted so far. File: application-context Security:

    ...
    <http auto-config="true">
        <intercept-url pattern='/*Login.html' access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern='/**/*MainScreen.html' access="ROLE_ADMIN"/>
        <form-login login-page="/Login.html"/><!-- This is the default login page -->
    </http>
    <authentication-provider>
        <user-service>
            <user name="test1" password="abc" authorities="ROLE_ADMIN" />
            <user name="test2" password="test" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
    ...

Custom login code (on clicking ok button):

        RequestBuilder requestBuilder = new RequestBuilder(RequestBuilder.POST,"j_spring_security_check");
        requestBuilder.setHeader("Content-Type", "application/x-www-form-urlencoded");
        //-- sending the username and the password in designated fields.
        //Hard coding values for testing reasons:
        requestBuilder.setRequestData("j_username=test1" +
                        "&j_password=abc");

        requestBuilder.setCallback(new RequestCallback() {
            public void onError(Request request, Throwable exception)
            {
                Window.alert("ERROR !!!"+exception.getMessage());
            }
            public void onResponseReceived(Request request, Response response)
            {
                if (response.getStatusCode() != Response.SC_UNAUTHORIZED && response.getStatusCode() != Response.SC_OK)
                { 
                    onError(request, new RequestException(response.getStatusText() + ":\n" + response.getText())); 
                    return; 
                }

                if (response.getStatusCode() == Response.SC_UNAUTHORIZED)
                { 
                    //This code is never encountered !! :((
                    Window.alert("You have entered an incorrect username or password. Please try again."); 
                }
                else
                { 
                    String height = 800+"";
                    String width = 600+"";

                    Window.alert("Authorisation succeeded, you may enter....");
                    Window.open("MainScreen.html", "Main screen!!", "height=" + height + ",width=" + width
                                    + ",scrollbars=yes,resizable=yes,titlebar=no,toolbar=no,status=yes,close=no,left=0,top=0");
                } 

            }
        });
        requestBuilder.send();

Problems:

  1. Incorrect login: it shows success and opens a popup containing the login screen!! (Obviously the login didn't succeed, but the login screen was unable to detect that.)
  2. I don't want to hard-code the values in authentication-provider. Is there another way, such that I provide my own class? I tried several tutorials but in vain; all of them seem to point to me allowing Spring to do the work of comparison via a database or some other kind of file. Can't I do it myself?
+1  A: 

Sounds to me like you need to write your own UserDetailsService. This is the Spring Security interface which populates the SecurityContext.getPrincipal() with the UserDetails. If, by the end of the Security Filter Chain, this object has not been populated, then Spring will throw an Authorization Exception, which can be caught, and the user can be redirected to another page/part of the application.

Gandalf
Right now I am really frustrated with it; I have tried 1000 things (literally). If possible, can you provide me a code snippet that solves my issue or a link to a SIMPLE example that achieves that?
Salvin Francis
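
A custom `UserDetailsService` of the kind the answer describes, added here as an example; it is not code from the thread. It assumes Spring Security 3.x package names, and the class name `CustomUserDetailsService`, the bean id and the injected map (standing in for your own credential source) are hypothetical.

```java
import java.util.Map;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical class: looks an account up in the application's own store and
 * hands it to Spring Security, which then checks the submitted password
 * against the value returned here.
 */
public class CustomUserDetailsService implements UserDetailsService {

    // Assumption: username -> stored (ideally encoded) password, loaded from
    // your own source. Injected as a map to keep the example self-contained.
    private final Map<String, String> storedPasswords;

    public CustomUserDetailsService(Map<String, String> storedPasswords) {
        this.storedPasswords = storedPasswords;
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        String stored = (username == null) ? null : storedPasswords.get(username);
        if (stored == null) {
            // Unknown user: Spring Security treats this as a failed login.
            throw new UsernameNotFoundException("Unknown user");
        }
        // Flags: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
        return new User(username, stored, true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
    }
}

// Wiring: declare this class as a bean (id "customUserDetailsService" here),
// then on the <authentication-provider> element from the question replace the
// nested <user-service> with user-service-ref="customUserDetailsService".
// In 3.x that element sits inside <authentication-manager>.
// Without a <password-encoder> child, the stored value is compared as plain
// text; add <password-encoder ref="..."/> so the store can hold hashes only.
```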