Home/ Questions/Q 3879884
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T22:46:45+00:00

In our app spring security uses ldap as a provider. i am working on

  • 0

In our app spring security uses ldap as a provider.

i am working on a change that will let you flip a flag in dev that will allow you to log in if your user/pass matches a value from database. the ldap server might be down and you can still log in.

What ive realized though is that some urls are secured with

@Secured( {"ROLE_USER","ROLE_MERCHANT"})

so i need to still have some dealings with spring security in order for my logins to work. How do i go about doing this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can configure 2 providers: one LDAP provider and another DAO provider.

    <sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="yourLdapAuthenticationProvider" />
    <sec:authentication-provider ref="yourDaoAuthenticationProvider" />
</sec:authentication-manager>

    If the LDAP fails, it will fall back to DAO authentication provider.

    You will need to configure your own authentication filter to inject that flag into yourDaoAuthenticationProvider so that when the authentication falls back to yourDaoAuthenticationProvider, it can check whether to proceed with further authentication (say, in development) or ignore it (say, in production). So, in your authenticationFilter, override setDetails() to store the flag:-

    myAuthenticationFilter bean

    @Override
protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
    YourObject yourObject = new YourObject(request.getParameter("devAuthAgainstDAO"));
    authRequest.setDetails(yourObject);
}

    With this, have your yourDaoAuthenticationProvider to check against this flag before proceeding with further authentication.

    In the end, your configuration will look something like this:-

    <sec:http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <sec:logout logout-success-url="/login.jsp"/>
    <sec:intercept-url ... />

    <sec:custom-filter position="FORM_LOGIN_FILTER" ref="myAuthenticationFilter"/>
</sec:http>

<bean id="myAuthenticationFilter" class="[YOUR_CUSTOM_AUTHENTICATION_FILTER]">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureHandler" ref="failureHandler"/>
    <property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>

<bean id="loginUrlAuthenticationEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.jsp"/>
</bean>

<bean id="successHandler"
      class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/welcome.jsp"/>
    <property name="alwaysUseDefaultTargetUrl" value="true"/>
</bean>

<bean id="failureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>


<bean id="yourLdapAuthenticationProvider" ... />

<bean id="yourDaoAuthenticationProvider" ... />

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="yourLdapAuthenticationProvider"/>
    <sec:authentication-provider ref="yourDaoAuthenticationProvider"/>
</sec:authentication-manager>
    • 0