Spring Security
  1. Spring Security
  2. SEC-1564

Create AuthenticationpProvider that allows JAAS Configuration to be Injected

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.M1
    • Fix Version/s: 3.1.0.M2
    • Component/s: Core
    • Labels:
      None

      Description

      An enhancement to Spring Security to provide an AuthenticationProvider that allows a JAAS Configuration object to be injected into it would provide significant value. This enhancement would allow for using a LoginModule without requiring Configuration.getConfiguration() to be Sun's ConfigFile implementation of Configuration. This in turn would allow JAAS support to be configured solely in Spring configuration. Additionally, it would allow for Spring Security to support LoginModules on any JDK/Application Server without needing to extend any classes.

      I have implemented a patch that contains:

      • Passive refactoring of the JaasAuthenticationProvider to extend a new class named AbstractJaasAuthenticationProvider
      • A new AuthenticationProvider named DefaultJaasAuthenticationProvider that allows any Configuration to be injected into it. It then creates the LoginContext using the injected Configuration.
      • InMemoryConfiguration which is an implementation of JAAS Configuration that can be configured by injecting a Map into it. This allows the entire JAAS configuration to be specified within Spring config easily.
      • Testing - I have added testing for the code that I have added and left the existing tests in tact to ensure passivity.
      • Documentation - I have updated the JAAS portion of the reference guide to include documentation on how to use the new functionality.
      • spring-security-samples-jaas - I have added a sample project for JAAS demonstrating the new functionality. I have also updated the documentation to reference the JAAS sample in the samples chapter. I understand if this example is not really desired and it can be removed, but thought it would demo the functionality nicely for this patch. The patch has two different commits so you should be able to cherry pick the first commit if you do not want the samples included.
      • Updates to the build files (i.e. to include the samples and to include compileOnly for testCompile).

      Possible improvements:

      Creating an InMemoryConfiguration with standard Spring configuration is rather verbose, so adding a new PropertyEditor(s) for creating JAAS Configuration along with namespace support might be a nice enhancement to the patch. If this is desired, let me know and I would be glad to provide it.

      I would really like to see this functionality included in the 3.1 release, so if there is anything I can do to improve the likelihood of this happening please let me know.

      1. jaas.patch
        85 kB
        Rob Winch
      2. jaas-jdk5fix.patch
        86 kB
        Rob Winch

        Activity

        Hide
        Rob Winch added a comment -

        An updated patch that includes an empty refresh method for InMemoryConfiguration in order to work with JDK5.

        Show
        Rob Winch added a comment - An updated patch that includes an empty refresh method for InMemoryConfiguration in order to work with JDK5.

          People

          • Assignee:
            Rob Winch
            Reporter:
            Rob Winch
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: