|
|
@@ -1,95 +0,0 @@
|
|
|
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider">
|
|
|
- <info>
|
|
|
- <title>DAO Authentication Provider</title>
|
|
|
- </info>
|
|
|
- <section xml:id="dao-provider-overview">
|
|
|
- <info>
|
|
|
- <title>Overview</title>
|
|
|
- </info>
|
|
|
- <para>Spring Security includes a production-quality
|
|
|
- <classname>AuthenticationProvider</classname> implementation called
|
|
|
- <literal>DaoAuthenticationProvider</literal>. This authentication provider is compatible
|
|
|
- with all of the authentication mechanisms that generate a
|
|
|
- <literal>UsernamePasswordAuthenticationToken</literal>, and is probably the most
|
|
|
- commonly used provider in the framework. Like most of the other authentication
|
|
|
- providers, the DaoAuthenticationProvider leverages a UserDetailsService in order to
|
|
|
- lookup the username, password and GrantedAuthority[]s. Unlike most of the other
|
|
|
- authentication providers that leverage UserDetailsService, this authentication provider
|
|
|
- actually requires the password to be presented, and the provider will actually evaluate
|
|
|
- the validity or otherwise of the password presented in an authentication request
|
|
|
- object.</para>
|
|
|
- </section>
|
|
|
- <section xml:id="dao-provider-config">
|
|
|
- <info>
|
|
|
- <title>Configuration</title>
|
|
|
- </info>
|
|
|
- <para>Aside from adding DaoAuthenticationProvider to your ProviderManager list (as discussed
|
|
|
- at the start of this part of the reference guide), and ensuring a suitable
|
|
|
- authentication mechanism is configured to present a UsernamePasswordAuthenticationToken,
|
|
|
- the configuration of the provider itself is rather simple:</para>
|
|
|
- <para> <programlisting>
|
|
|
- <![CDATA[
|
|
|
-<bean id="daoAuthenticationProvider"
|
|
|
- class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
|
|
|
- <property name="userDetailsService" ref="inMemoryDaoImpl"/>
|
|
|
- <property name="saltSource" ref bean="saltSource"/>
|
|
|
- <property name="passwordEncoder" ref="passwordEncoder"/>
|
|
|
-</bean> ]]>
|
|
|
- </programlisting> </para>
|
|
|
- <para>The <literal>PasswordEncoder</literal> and <literal>SaltSource</literal> are optional.
|
|
|
- A <literal>PasswordEncoder</literal> provides encoding and decoding of passwords
|
|
|
- presented in the <interfacename>UserDetails</interfacename> object that is returned from
|
|
|
- the configured <interfacename>UserDetailsService</interfacename>. A
|
|
|
- <literal>SaltSource</literal> enables the passwords to be populated with a "salt", which
|
|
|
- enhances the security of the passwords in the authentication repository.
|
|
|
- <literal>PasswordEncoder</literal> implementations are provided with Spring Security
|
|
|
- covering MD5, SHA and cleartext encodings. Two <literal>SaltSource</literal>
|
|
|
- implementations are also provided: <literal>SystemWideSaltSource</literal> which encodes
|
|
|
- all passwords with the same salt, and <literal>ReflectionSaltSource</literal>, which
|
|
|
- inspects a given property of the returned <interfacename>UserDetails</interfacename>
|
|
|
- object to obtain the salt. Please refer to the JavaDocs for further details on these
|
|
|
- optional features.</para>
|
|
|
- <para>In addition to the properties above, the <literal>DaoAuthenticationProvider</literal>
|
|
|
- supports optional caching of <interfacename>UserDetails</interfacename> objects. The
|
|
|
- <literal>UserCache</literal> interface enables the
|
|
|
- <literal>DaoAuthenticationProvider</literal> to place a
|
|
|
- <interfacename>UserDetails</interfacename> object into the cache, and retrieve it from
|
|
|
- the cache upon subsequent authentication attempts for the same username. By default the
|
|
|
- <literal>DaoAuthenticationProvider</literal> uses the <literal>NullUserCache</literal>,
|
|
|
- which performs no caching. A usable caching implementation is also provided,
|
|
|
- <literal>EhCacheBasedUserCache</literal>, which is configured as follows:</para>
|
|
|
- <para> <programlisting><![CDATA[
|
|
|
-<bean id="daoAuthenticationProvider"
|
|
|
- class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
|
|
|
- <property name="userDetailsService" ref="userDetailsService"/>
|
|
|
- <property name="userCache" ref="userCache"/>
|
|
|
-</bean>
|
|
|
-
|
|
|
-<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
|
|
|
- <property name="configLocation" value="classpath:/ehcache-failsafe.xml"/>
|
|
|
-</bean>
|
|
|
-
|
|
|
-<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
|
|
- <property name="cacheManager" ref="cacheManager"/>
|
|
|
- <property name="cacheName" value="userCache"/>
|
|
|
-</bean>
|
|
|
-
|
|
|
-<bean id="userCache"
|
|
|
- class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
|
|
|
- <property name="cache" ref="userCacheBackend"/>
|
|
|
-</bean>]]>
|
|
|
- </programlisting> </para>
|
|
|
- <para>All Spring Security EH-CACHE implementations (including
|
|
|
- <literal>EhCacheBasedUserCache</literal>) require an EH-CACHE <literal>Cache</literal>
|
|
|
- object. The <literal>Cache</literal> object can be obtained from wherever you like,
|
|
|
- although we recommend you use Spring's factory classes as shown in the above
|
|
|
- configuration. If using Spring's factory classes, please refer to the Spring
|
|
|
- documentation for further details on how to optimise the cache storage location, memory
|
|
|
- usage, eviction policies, timeouts etc.</para>
|
|
|
- <note>
|
|
|
- <para>In the majority of cases, where your application is a stateful web application,
|
|
|
- you don't need to use a cache as the user's authentication information will be
|
|
|
- stored in the <literal>HttpSession</literal>. </para>
|
|
|
- </note>
|
|
|
- </section>
|
|
|
-</chapter>
|
Luke Taylor