For an existing working app, I want to provide a secondary AuthenticationProvider, probably with a DaoAuthenticationProvider. Let's say it's for authenticating a "backup" password, or a prior password that was changed due to strict password policies and the user forgot the new password. ;-)

For proof of concept, what would the implementation look like for this secondaryAuthenticationProvider that will always authenticate the user regardless of the incoming credentials? (something that returns an authenticated Authentication object)

Which one of the MANY org.springframework.security.providers & subpackage classes and methods should I look at?

Example config:

<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
      <ref local="secondaryAuthenticationProvider"/> <!-- new AuthProv -->
      <ref local="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>
A: 

If you have only one alternative password, you can declare a second DaoAuthenticationProvider backed by a special UserDetailsService, which will produce UserDetails with that alternative password.

Otherwise, you can create a custom AuthenticationProvider. The credentials check in DaoAuthenticationProvider occurs in additionalAuthenticationChecks(), so if you want to change that logic you can create a subclass of DaoAuthenticationProvider and override this method with your implementation.

For example, if you want to authenticate the user regardless of its credentials, you can override this method with an empty implementation.

axtavt
I assumed the default AuthenticationProvider compares the credentials with the UserDetails, but it sounds like you're saying "authentication" is based on whether the UserDetailsService returns some UserDetails or not. Need to read up on the docs...
marklai
@marklai: Yes, I was wrong. I fixed the answer.
axtavt
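
An added example, not code from either answer: a DaoAuthenticationProvider subclass whose additionalAuthenticationChecks() validates the submitted password against a stored prior-password hash, the real check that would replace the empty proof-of-concept override before deployment. It assumes the Spring Security 2.x package names used in the question's config; PriorPasswordStore and its method are hypothetical names introduced for illustration.

```java
import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.dao.DaoAuthenticationProvider;
import org.springframework.security.userdetails.UserDetails;

/** Hypothetical lookup for a user's prior password hash; not a Spring type. */
interface PriorPasswordStore {
    /** Returns the encoded prior password, or null if the user has none. */
    String findPriorPasswordHash(String username);
}

public class PriorPasswordAuthenticationProvider extends DaoAuthenticationProvider {

    private PriorPasswordStore priorPasswordStore;

    public void setPriorPasswordStore(PriorPasswordStore priorPasswordStore) {
        this.priorPasswordStore = priorPasswordStore;
    }

    // Called by the parent class after the UserDetailsService has returned the user.
    // Returning normally means "credentials accepted"; throwing rejects the login,
    // and ProviderManager then moves on to the next provider in its list.
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {

        Object credentials = authentication.getCredentials();
        if (credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }

        String priorHash = priorPasswordStore.findPriorPasswordHash(userDetails.getUsername());
        if (priorHash == null) {
            // No prior password on record: fail closed rather than accept anything.
            throw new BadCredentialsException("Bad credentials");
        }

        // Reuse the encoder and salt source configured on this provider.
        Object salt = (getSaltSource() != null) ? getSaltSource().getSalt(userDetails) : null;
        if (!getPasswordEncoder().isPasswordValid(priorHash, credentials.toString(), salt)) {
            throw new BadCredentialsException("Bad credentials");
        }
    }
}
```

Registered as secondaryAuthenticationProvider after daoAuthenticationProvider, it is only consulted when the primary password check has already failed.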
A: 

Sounds to me like you should just create your own UserDetailsService that has this behavior - that would be by far the easiest way to do it.

Gandalf