Spring Security / SEC-1602

authentication-provider should have child usercache

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.3, 3.1.0.M1
    • Fix Version/s: 3.1.0.M2
    • Component/s: Namespace
    • Labels:
      None

      Description

      Now, my configuration file looks like this:

      <authentication-manager>
        <authentication-provider ref="daoAuthenticationProvider">
          <password-encoder hash="sha" base64="true">
            <salt-source user-property="username" />
          </password-encoder>
          <usercache ref="userEHCache"/>
        </authentication-provider>
      </authentication-manager>

      <beans:bean id="daoAuthenticationProvider"
          class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="userCache">
          <beans:bean
              class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
            <beans:property name="cache" ref="userEHCache" />
          </beans:bean>
        </beans:property>
      </beans:bean>

      <beans:bean id="userEHCache"
          class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <beans:property name="cacheManager" ref="cacheManager"></beans:property>
        <beans:property name="cacheName" value="userCache"></beans:property>
      </beans:bean>

      <beans:bean id="cacheManager"
          class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
        <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
      </beans:bean>

      Why not provide a usercache config in the <authentication-provider> node? The simpler file might look like this:

      <authentication-manager>
        <authentication-provider ref="daoAuthenticationProvider">
          <password-encoder hash="sha" base64="true">
            <salt-source user-property="username" />
          </password-encoder>
          <usercache ref="userEHCache"/>
        </authentication-provider>
      </authentication-manager>

      <beans:bean id="userEHCache"
          class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <beans:property name="cacheManager" ref="cacheManager"></beans:property>
        <beans:property name="cacheName" value="userCache"></beans:property>
      </beans:bean>

      <beans:bean id="cacheManager"
          class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
        <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
      </beans:bean>

        Activity

        Luke Taylor added a comment -

        Both the configurations you've posted appear to be the same...

        It isn't possible to guarantee that the referenced AuthenticationProvider is compatible with a cache (it might use LDAP, for example) so providing caching at the AuthenticationProvider level isn't practical. There is already a cache-ref element available for use with user-service elements, but I would generally recommend you configure the beans explicitly as it is clearer what is going on.

        shydow lee added a comment -

        Sorry about my post, I repeat my option again.

        Now my configuration is:

        <authentication-manager>
          <authentication-provider ref="daoAuthenticationProvider"></authentication-provider>
        </authentication-manager>

        <beans:bean id="daoAuthenticationProvider"
            class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
          <beans:property name="userDetailsService" ref="gacUserDetailsService" />
          <beans:property name="userCache" ref="userCache"></beans:property>
          <beans:property name="passwordEncoder" ref="passwordEncoder"></beans:property>
          <beans:property name="saltSource" ref="saltSource"></beans:property>
        </beans:bean>

        <beans:bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
          <beans:property name="cache" ref="userEHCache" />
        </beans:bean>

        <beans:bean id="userEHCache"
            class="org.springframework.cache.ehcache.EhCacheFactoryBean">
          <beans:property name="cacheManager" ref="cacheManager"></beans:property>
          <beans:property name="cacheName" value="userCache"></beans:property>
        </beans:bean>

        <beans:bean id="cacheManager"
            class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
          <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
        </beans:bean>

        <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
          <beans:constructor-arg value="256"></beans:constructor-arg>
        </beans:bean>

        <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.SystemWideSaltSource">
          <beans:property name="systemWideSalt" value="gac"></beans:property>
        </beans:bean>

        I think if you configure it like this:

        <authentication-provider user-service-ref="gacUserDetailsService">
          <password-encoder hash="sha">
            <salt-source system-wide="gac"/>
          </password-encoder>
        </authentication-provider>

        you mean to use the UserDetailsService interface. In the Javadoc there is a description like this:

        Core interface which loads user-specific data.

        It is used throughout the framework as a user DAO and is the strategy used by the DaoAuthenticationProvider.

        The interface requires only one read-only method, which simplifies support for new data-access strategies.

        So, I think when you use authentication-provider and user-service-ref, it may be better to add a child user-cache to the authentication-provider node. The configuration will look like this:

        <authentication-manager>
          <authentication-provider user-service-ref="gacUserDetailsService">
            <password-encoder hash="sha">
              <salt-source system-wide="gac"/>
            </password-encoder>
            <user-cache ref="userCache"></user-cache>
          </authentication-provider>
        </authentication-manager>

        <beans:bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
          <beans:property name="cache" ref="userEHCache" />
        </beans:bean>

        <beans:bean id="userEHCache"
            class="org.springframework.cache.ehcache.EhCacheFactoryBean">
          <beans:property name="cacheManager" ref="cacheManager"></beans:property>
          <beans:property name="cacheName" value="userCache"></beans:property>
        </beans:bean>

        <beans:bean id="cacheManager"
            class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
          <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
        </beans:bean>

        If you want to use LDAP, UserDetailsService is not for you, so I think it could work.

        Luke Taylor added a comment -

        As I said, there is already a cache-ref attribute available which allows you to associate a cache with a UserDetailsService and I don't really want to add another cache-related namespace construct. Caching may also be required in other situations where a UserDetailsService is used (not just with DAO authentication), so associating one with an authentication-provider is not sufficient.

        Personally I would favour making the configuration explicit as it is clearer how the cache is being used and there is too much going on behind the scenes with the current namespace approach and it doesn't provide much benefit.
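
        Added example, not part of the original thread and not the project's own code: the cache-ref attribute the maintainer mentions, set on a namespace user-service element (here jdbc-user-service). The bean names dataSource and passwordEncoder are assumptions defined elsewhere in the context; the cache beans follow the reporter's configuration.

```xml
<!-- Added example. dataSource and passwordEncoder are assumed beans
     defined elsewhere in the application context. -->
<authentication-manager>
  <authentication-provider>
    <!-- cache-ref names a UserCache bean, not the raw Ehcache instance -->
    <jdbc-user-service id="userDetailsService"
        data-source-ref="dataSource"
        cache-ref="userCache" />
    <password-encoder ref="passwordEncoder" />
  </authentication-provider>
</authentication-manager>

<!-- UserCache wrapper around the Ehcache region, as in the reporter's config -->
<beans:bean id="userCache"
    class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
  <beans:property name="cache" ref="userEHCache" />
</beans:bean>

<beans:bean id="userEHCache"
    class="org.springframework.cache.ehcache.EhCacheFactoryBean">
  <beans:property name="cacheManager" ref="cacheManager" />
  <beans:property name="cacheName" value="userCache" />
</beans:bean>

<beans:bean id="cacheManager"
    class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
  <beans:property name="configLocation" value="classpath:ehcache_user.xml" />
</beans:bean>
```

        Cached UserDetails entries carry the stored password hash and the enabled/locked flags and are reused until they expire or are evicted, so the expiry configured in ehcache_user.xml determines how long a password change or account lock can go unnoticed.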


          People

          • Assignee:
            Luke Taylor
            Reporter:
            shydow lee
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved: