My system has 2 subsystems. Each subsystem has a different set of users. Each user has an extra field "SystemName" that can be used to know which system this user belongs to.

In the login forms (1 form for each subsystem) I added a hidden field specifying the type of the form (containing the SystemName value).

Generally, the check is rather simple:

if (user.systemName == params.systemName) {
    proceed with regular login
} else {
    throw standard login error
}

I tried putting that check in my custom DaoAuthenticationProvider, but it has no access to "params.systemName".

Where do I put that code to make Acegi authenticate my users with this check?

Thanks in advance.

+1  A: 

This is how I did it in Java. Extend WebAuthenticationDetails:

import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.ui.WebAuthenticationDetails;

public class SystemNameWebAuthenticationDetails extends WebAuthenticationDetails {

    public SystemNameWebAuthenticationDetails() {
        super();
    }

    public SystemNameWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        this.systemName = request.getParameter("systemName");
    }

    public String getSystemName() {
        return systemName;
    }

    private String systemName;
}

Set it in the authentication filter:

<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      ...
      <property name="authenticationDetailsSource">
        <bean class="org.acegisecurity.ui.AuthenticationDetailsSourceImpl">
            <property name="clazz" value="SystemNameWebAuthenticationDetails"/>
        </bean>
      </property>
</bean>

Later you can access that property in the authentication process by asking the authentication object for its details, or by doing this:

SecurityContextHolder.getContext().getAuthentication().getDetails()
rodrigoap
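
The check from the question, wired into a provider that reads the details object described in the answer. This is an added example, not code from the original post or from Acegi itself; `SystemNameDaoAuthenticationProvider` and `SystemAwareUserDetails` are hypothetical names, and it assumes the application's `UserDetails` implementation exposes the stored system name.

```java
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.dao.DaoAuthenticationProvider;
import org.acegisecurity.userdetails.UserDetails;

/** Hypothetical interface: implemented by the application's own UserDetails class. */
interface SystemAwareUserDetails extends UserDetails {
    String getSystemName();
}

/** Hypothetical provider: password check plus the subsystem check from the question. */
public class SystemNameDaoAuthenticationProvider extends DaoAuthenticationProvider {

    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        // Run the normal password check first, so a subsystem mismatch is only
        // evaluated for callers who already presented valid credentials.
        super.additionalAuthenticationChecks(userDetails, authentication);

        // The details object is populated by the authentication filter from the
        // login request. Fail closed if it is missing or of an unexpected type.
        Object details = authentication.getDetails();
        if (!(details instanceof SystemNameWebAuthenticationDetails)
                || !(userDetails instanceof SystemAwareUserDetails)) {
            throw new BadCredentialsException("Bad credentials");
        }

        // The hidden form field is client-controlled. It is only compared against
        // the value stored with the user; it never selects which users are loaded.
        String submitted = ((SystemNameWebAuthenticationDetails) details).getSystemName();
        String stored = ((SystemAwareUserDetails) userDetails).getSystemName();

        // Same exception type and message as a wrong password, so the login form
        // does not reveal which subsystem an account belongs to.
        if (submitted == null || stored == null || !stored.equals(submitted)) {
            throw new BadCredentialsException("Bad credentials");
        }
    }
}
```

Register this class as the authentication provider bean in place of the stock `DaoAuthenticationProvider`, keeping the `authenticationDetailsSource` setting from the answer so that `getDetails()` returns a `SystemNameWebAuthenticationDetails`.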