SEC-1485: Setting the authenticationDetailsSource from a form-login or open-id-login #1718

spring-projects-issues opened this issue May 23, 2010 · 1 comment



@spring-projects-issues spring-projects-issues commented May 23, 2010

Stephen Crawley (Migrated from SEC-1485) said:

I don't think there is a way to configure the authentication details source for a form login or openId login.

I currently have two distinct use-cases that require this:

  • One of my security use-cases requires me to support a number of kinds of login in the same configuration; form login, OpenId login, Shibboleth login, and variations. This results in authentications with a variety of different UserDetails objects, depending on how the user logged in. This is hard for "the application" to deal with.
  • Another use-case requires me to implement SSO for a number of sites. After figuring out that the HttpSession approach does not work / scale, I have opted for implementing my own SecurityContextRepository using a different cookie. But now I have run into the problem that the form login filter is creating UserDetails objects that contain the JSESSIONID rather than my custom session id.

I have spent hours staring at the code, and I cannot see a way forward. On the one hand, the namespace parser doesn't allow me to supply the "authenticationDetailsSource" for the AuthenticationProcessingFilters. On the other hand, it won't let me supply alternative class names for the filters. On the third hand, if I configure the filters directly and add them to the filter chain using a element, then I cannot make the connections to other filters; e.g. the remember-me service.

Could you please implement one or more of the following improvements:

  • a simple way to set the authenticationDataSource; i.e. via the namespace, or
  • a simple way to tell the namespace parser to use alternative classes for these (and other) filters.

@spring-projects-issues spring-projects-issues commented May 23, 2010

Luke Taylor said:

Duplicate of SEC-1133.
