views: 629 | answers: 3

Hi, my requirement is to provide:

  1. Userid/password based authentication.
  2. OpenID based authentication
  3. URL based authentication (it's a custom SSO impl we have)

in the same project.

I have tried to plug in Spring security into an existing project as (code stripped down for simplicity):

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=
    "http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http auto-config="false">
     <remember-me user-service-ref="rememberMeUserService" key="some custom key" /> <!-- TODO: Key made for testing reasons.... -->
     <intercept-url pattern='/mainApplication/Main screen.html' access="ROLE_ADMIN"/>
     <intercept-url pattern='/**' filters="none"/> <!-- Allow entry to login screen -->
     <openid-login authentication-failure-url="/Login.html?error=true" default-target-url="/mainApplication/Main screen.html" user-service-ref="openIdUserService"/>
     <form-login login-page="/Login.html" authentication-failure-url="/Login.html?error=true" always-use-default-target="true" default-target-url="/mainApplication/Main screen.html"/>
    </http>

    <beans:bean id="rememberMeUserService" class="mypackage.CustomUserService">
     <beans:property name="usersService" ref="usersService"></beans:property>
    </beans:bean>

    <!-- Common login shared entry-point for both Form and OpenID based logins -->    
    <beans:bean id="entryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
     <beans:property name="loginFormUrl" value="/Login.html" />
    </beans:bean>
    <authentication-manager alias="authenticationManager"/>

    <beans:bean id="MyCustomAuthenticationProvider" class="mypackage.CustomAuthenticationProvider">
     <custom-authentication-provider />
     <beans:property name="usersService" ref="usersService"></beans:property>
    </beans:bean>

    <beans:bean id="openIdAuthenticationProvider" class="org.springframework.security.providers.openid.OpenIDAuthenticationProvider">
     <custom-authentication-provider />
     <beans:property name="userDetailsService" ref="openIdUserService"/>
    </beans:bean>

    <beans:bean id="openIdUserService" class="mypackage.OpenIDUserDetailsService">
     <beans:property name="usersService" ref="usersService"/>
    </beans:bean>

    <!-- Great, now I want to include SSO based sign-on -->
    <!-- Need to intercept a URL of the form /myApp/customLogin/<key>, where <key> is my token key -->

</beans:beans>

As mentioned above, I need to track a URL of the form /myApp/customLogin/12345, where 12345 is the token key. We were initially using (code stripped down for simplicity):

<servlet-mapping>
    <servlet-name>mySSOCapture</servlet-name>
    <url-pattern>/myApp/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/MyServlet</url-pattern>
</servlet-mapping>

What should I do here to enable Spring Security to help me manage this third authentication scheme?

A corollary question is: can I have many authentication providers in the same project? If yes, then how can they be matched to different functionalities (e.g. one providing URL based authentication, one providing anonymous auth, etc.)?

+1  A: 

Can't answer the question directly, but a 'helpful hint' from the Identity Management sector: not all authentication systems have the same trust value. It is a serious breach of good security design to treat them equally.

I hope this helps with your design...

caving
Well, it does add a philosophical dimension to my question :D I don't see the point of this answer though.
Salvin Francis
I was just suggesting something to look out for. Sorry if it doesn't apply to you.
caving
+1  A: 

There are probably several ways to do this. There is some functionality that does something very similar, namely Pre-authentication. It's a good example of a way that you can add a custom filter that authenticates the user, after which the rest of the framework should take over.

What an AuthenticationProvider does is examine the Authentication object that is loaded into the session by a previous filter. You can register as many authentication providers as you want with the authentication manager (which simply runs the Authentication object through all of them), but you have to manage to get some filter in there that will handle your authentication scheme and populate the Authentication object. If you want this filter to also interact with the user (i.e. show a login form or something) it might interfere with other filters. In that case you can use separate filter chains, but this doesn't sound like it would be necessary in your case.

wds
I read about PreAuthentication; I think you are mistaken with my question. I wanted to allow users to log in in 3 different ways: username/password, OpenID, SSO.
Salvin Francis
I do appreciate the extra information about authentication managers; that info has cleared a few of my basics. I am unsure about what you meant with regards to filter chains.
Salvin Francis
Sorry I figured your login scheme was too different from the rest to be able to fit it in nicely there. As for filter chains, basically there is one chain of spring security filters that all requests go through, but if necessary you can set up two or more, filtering on different URLs. That way you can use completely different filters/authentication mechanisms, but it gets a bit complicated.
wds
A: 

Okay, here is the solution:

<beans:bean id="mySsoFilter" class="somePackage.MySsoProcessingFilter">
    <custom-filter after="CAS_PROCESSING_FILTER"/> <!-- Just a reference Point-->
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="defaultTargetUrl" value='/mainApplication/Main screen.html' />
    <beans:property name="authenticationFailureUrl" value="/Login.html?error=true"/>
</beans:bean>

Hope this helps someone in need...

Salvin Francis
Just as I used "after", I also used "before" to add another SSO!! Please note that CAS has nothing to do with my system.
Salvin Francis
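The bean definition in the accepted answer only names somePackage.MySsoProcessingFilter; what the class behind it and its matching provider look like is not shown. The following is an added example (not code from the question or the answers) that fills in both halves wds describes: a processing filter that turns the key in /myApp/customLogin/<key> into an unauthenticated Authentication object and hands it to the authentication manager, and an AuthenticationProvider that is the only one in the manager's list to accept that token type. It is written against the Spring Security 2.0.x API the question's configuration uses (org.springframework.security.ui.AbstractProcessingFilter, org.springframework.security.providers.AuthenticationProvider). The SsoTokenStore interface, the SsoTokenAuthentication and SsoTokenProvider classes and the hard-coded ROLE_ADMIN grant are assumptions made for the example; in a real project each class would live in its own file and the authorities would come from the existing usersService.

```java
package somePackage; // the package named in the answer's bean definition

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.providers.AbstractAuthenticationToken;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.ui.AbstractProcessingFilter;
import org.springframework.security.util.FilterChainOrder;

/** Hypothetical token store (assumption, not from the page): maps a one-time key to a username. */
interface SsoTokenStore {
    /** Returns the username the key was issued for and invalidates the key, or null if unknown/used. */
    String consume(String token);
}

/** Authentication object for the URL-key scheme: unauthenticated before, authenticated after the provider runs. */
class SsoTokenAuthentication extends AbstractAuthenticationToken {
    private final String token;      // credential: the key taken from the URL
    private final Object principal;  // username once authenticated

    SsoTokenAuthentication(String token) {          // built by the filter
        super(null);
        this.token = token;
        this.principal = null;
        setAuthenticated(false);
    }

    SsoTokenAuthentication(String username, GrantedAuthority[] authorities) { // built by the provider
        super(authorities);
        this.token = null;                           // do not keep the key around once it is used
        this.principal = username;
        setAuthenticated(true);
    }

    public Object getCredentials() { return token; }
    public Object getPrincipal()   { return principal; }
}

/** Provider that is consulted for every Authentication but only supports SsoTokenAuthentication. */
class SsoTokenProvider implements AuthenticationProvider {
    private SsoTokenStore tokenStore; // inject with <beans:property name="tokenStore" ref="..."/>

    public void setTokenStore(SsoTokenStore tokenStore) { this.tokenStore = tokenStore; }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String token = (String) authentication.getCredentials();
        String username = tokenStore.consume(token); // single use: a replayed key fails here
        if (username == null) {
            throw new BadCredentialsException("Unknown or already used SSO key");
        }
        // Assumption: the page's main screen requires ROLE_ADMIN; load real roles from usersService.
        GrantedAuthority[] authorities = { new GrantedAuthorityImpl("ROLE_ADMIN") };
        return new SsoTokenAuthentication(username, authorities);
    }

    public boolean supports(Class authentication) {
        return SsoTokenAuthentication.class.isAssignableFrom(authentication);
    }
}

/** The filter referenced by the answer's <beans:bean id="mySsoFilter" .../> definition. */
public class MySsoProcessingFilter extends AbstractProcessingFilter {
    private static final String PREFIX = "/myApp/customLogin/";

    /** Extracts the key from /myApp/customLogin/<key>; null when the path does not match exactly one segment. */
    static String tokenFromPath(String pathWithinApp) {
        if (pathWithinApp == null || !pathWithinApp.startsWith(PREFIX)) return null;
        String key = pathWithinApp.substring(PREFIX.length());
        if (key.length() == 0 || key.indexOf('/') >= 0) return null;
        return key;
    }

    private static String pathWithinApp(HttpServletRequest request) {
        return request.getRequestURI().substring(request.getContextPath().length());
    }

    /** The default compares the URI suffix with filterProcessesUrl, which cannot match a key-in-path URL. */
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        return tokenFromPath(pathWithinApp(request)) != null;
    }

    public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
        String token = tokenFromPath(pathWithinApp(request));
        if (token == null) throw new BadCredentialsException("No SSO key in request path");
        // The manager runs this through every registered provider; only SsoTokenProvider supports it.
        return getAuthenticationManager().authenticate(new SsoTokenAuthentication(token));
    }

    public String getDefaultFilterProcessesUrl() { return PREFIX; }

    /** Required by SpringSecurityFilter in 2.0.x; the <custom-filter after=.../> element sets the real slot. */
    public int getOrder() { return FilterChainOrder.CAS_PROCESSING_FILTER + 1; }
}
```

Two points follow from this layout. First, it answers the corollary question: the form-login, OpenID and SSO providers all sit in the one authentication manager, and each is matched to its scheme purely by what its supports() method accepts, so the three login paths never interfere. Second, because the key travels in the URL it ends up in access logs, browser history and Referer headers, which is why the provider consumes it on first use; combined with caving's point about unequal trust, it is also reasonable to grant such a login a narrower authority than a password login rather than the same ROLE_ADMIN.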