Is it possible to use two different AuthenticationProviders with WebSecurityConfigurerAdapter?


I have a SpringBoot based app, with multiple endpoints. Because of different clients that will be accessing the endpoints I would like to have different Authentication providers protecting them. Some endpoints would be protected by Kerberos (KerberosServiceAuthenticationProvider -- http://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.0.RC1/reference/htmlsingle/). Some endpoints would be protected by AD/LDAP (ActiveDirectoryLdapAuthenticationProvider).

I currently have it working with Kerberos OR LDAP, but not both:

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // For Kerberos
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
        // For LDAP
        //auth.authenticationProvider(customAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, APPLICATION_ADMIN_ENDPOINTS)
                    .permitAll()
                    .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.PUT, APPLICATION_ADMIN_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_APPLICATION_ADMIN_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.DELETE, APPLICATION_ADMIN_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_APPLICATION_ADMIN_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers(CLIENT_ENDPOINTS)
                    .permitAll()
                    .and()
                .authorizeRequests()
                    .antMatchers(SWAGGER_ENDPOINTS)
                    .permitAll()
                    .and()
                .authorizeRequests()
                    .antMatchers(MANAGER_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_MANAGER_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers(TRUSTED_AGENT_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_TRUSTED_AGENT_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers("/kerb/**")
                    .hasAnyAuthority(AUTHENTICATED_APPLICATION_ADMIN_AUTHORITIES)
                    .and()
                .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()), BasicAuthenticationFilter.class)
                .httpBasic()
                    .and()
                .csrf()
                    .disable();
    }
}

@Bean
public AuthenticationProvider customAuthenticationProvider() {
    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(
            ldapDomain, ldapUrl);
    SimpleCaseAndWhitespaceMitigatingAuthoritiesMapper authoritiesMapper = new SimpleCaseAndWhitespaceMitigatingAuthoritiesMapper();
    provider.setAuthoritiesMapper(authoritiesMapper);
    provider.setConvertSubErrorCodesToExceptions(true);
    return provider;
}

@Bean
public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
    KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
    SunJaasKerberosClient client = new SunJaasKerberosClient();
    client.setDebug(true);
    provider.setKerberosClient(client);
    provider.setUserDetailsService(kerberosUserService());
    return provider;
}

@Bean
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
    KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
    provider.setTicketValidator(sunJaasKerberosTicketValidator());
    provider.setUserDetailsService(kerberosUserService());
    return provider;
}

@Bean
public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
    SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
    ticketValidator.setServicePrincipal(kerberosPrincipal);
    File f = new File(keytabFile);
    try {
        LOG.info(String.format("Absolute: %s, Canonical: %s", f.getAbsolutePath(), f.getCanonicalPath()));
        if(f.exists()){
            LOG.info("File exists.");
        }
        else{
            LOG.info("File DOES NOT exist.");
        }
    } catch (IOException e) {
        e.printStackTrace();
    }
    ticketValidator.setKeyTabLocation(new FileSystemResource(f));
    ticketValidator.setDebug(true);
    return ticketValidator;
}

@Bean
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(AuthenticationManager authenticationManager) {
    SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
    filter.setAuthenticationManager(authenticationManager);
    return filter;
}

@Bean
public KerberosUserDetailsService kerberosUserService() {
    return new KerberosUserDetailsService();
}

Any way to get this to work for both? I was thinking about making a custom authentication provider that would handle the requests, but wasn't sure if that would work.

The easiest thing to do is to have two Spring DispatcherServlets in your web.xml, based on URL mapping. Each URL mapping is then in a different Spring context. Each Spring context can then have its own security.


public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(kerberosAuthenticationProvider());
    auth.authenticationProvider(kerberosServiceAuthenticationProvider());
    auth.authenticationProvider(customAuthenticationProvider());
}
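
Registering all providers on one AuthenticationManager, as above, makes every protected endpoint accept credentials from either source. The sketch below is an added example (not code from the question or from either answer) that instead gives each URL space its own filter chain and its own provider, so Kerberos endpoints never fall back to AD/LDAP passwords. It assumes the question's `kerberosServiceAuthenticationProvider` and `customAuthenticationProvider` beans exist; the class names and the `/ldap/**` path are hypothetical.

```java
import org.springframework.beans.factory.annotation.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.web.authentication.*;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@EnableWebSecurity
public class SplitProviderSecurity {                       // hypothetical class name

    // Chain 1: matches only /kerb/**; its local AuthenticationManager knows only Kerberos.
    @Configuration @Order(1)
    public static class KerberosChain extends WebSecurityConfigurerAdapter {
        @Autowired private KerberosServiceAuthenticationProvider spnegoProvider;
        @Override
        protected void configure(AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(spnegoProvider);
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Filter is created per chain and wired to this adapter's manager only.
            SpnegoAuthenticationProcessingFilter spnego = new SpnegoAuthenticationProcessingFilter();
            spnego.setAuthenticationManager(authenticationManager());
            http.antMatcher("/kerb/**")
                .exceptionHandling().authenticationEntryPoint(new SpnegoEntryPoint()).and()
                .authorizeRequests().anyRequest().authenticated().and()
                .addFilterBefore(spnego, BasicAuthenticationFilter.class);
        }
    }

    // Chain 2: matches only /ldap/** (assumed path); HTTP Basic checked against AD/LDAP only.
    @Configuration @Order(2)
    public static class LdapChain extends WebSecurityConfigurerAdapter {
        @Autowired @Qualifier("customAuthenticationProvider") private AuthenticationProvider adProvider;
        @Override
        protected void configure(AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(adProvider);
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/ldap/**")
                .authorizeRequests().anyRequest().authenticated().and()
                .httpBasic();
        }
    }
}
```

Replace `anyRequest().authenticated()` with the per-endpoint `hasAnyAuthority(...)` rules from the question as needed; requests that match neither `antMatcher` are not covered by these two chains and need their own configuration.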


Comments
  • What exactly do you want to do? Have some endpoints use kerberos and others your custom AD authentication OR have both available on all endpoints? What error did you experience when using both together, e.g. auth.authenticationProvider(kerberosAuthenticationProvider()).authenticationProvider(kerberosServiceAuthenticationProvider()).authenticationProvider(customAuthenticationProvider());
  • Welcome to Stack Overflow. Please review How do I write a good answer. Adding a brief explanation would have been good.