Stephen Crawley (Migrated from SEC-1485) said:
I don't think there is a way to configure the authentication details source for a form login or OpenId login.
I currently have two distinct use-cases that require this:
One of my security use-cases requires me to support a number of kinds of login in the same configuration: form login, OpenId login, Shibboleth login, and variations. This results in authentications with a variety of different UserDetails objects, depending on how the user logged in. This is hard for "the application" to deal with.
Another use-case requires me to implement SSO for a number of sites. After figuring out that the HttpSession approach does not work / scale, I have opted for implementing my own SecurityContextRepository using a different cookie. But now I have run into the problem that the form login filter is creating UserDetails objects that contain the JSESSIONID rather than my custom session id.
I have spent hours staring at the code, and I cannot see a way forward. On the one hand, the namespace parser doesn't allow me to supply the "authenticationDetailsSource" for the AuthenticationProcessingFilters. On the other hand, it won't let me supply alternative class names for the filters. On the third hand, if I configure the filters directly and add them to the filter chain using a element, then I cannot make the connections to other filters; e.g. the remember-me service.
Could you please implement one or more of the following improvements:
Luke Taylor said:
Duplicate of SEC-1133.