SEC-1602: authentication-provider should have child usercache #1841

Closed
spring-issuemaster opened this Issue Oct 25, 2010 · 3 comments


@spring-issuemaster

shydow lee (Migrated from SEC-1602) said:

Now, my configuration file is like this:

<authentication-manager>
    <authentication-provider ref="daoAuthenticationProvider">
        <password-encoder hash="sha" base64="true">
            <salt-source user-property="username" />
        </password-encoder>
        <usercache ref="userEHCache"/>
    </authentication-provider>
</authentication-manager>

<beans:bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService" />
    <beans:property name="userCache">
        <beans:bean
            class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
            <beans:property name="cache" ref="userEHCache" />
        </beans:bean>
    </beans:property>
</beans:bean>

<beans:bean id="userEHCache"
    class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <beans:property name="cacheManager" ref="cacheManager"></beans:property>
    <beans:property name="cacheName" value="userCache"></beans:property>
</beans:bean>

<beans:bean id="cacheManager"
    class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
</beans:bean>

Why not provide a usercache config in node? The simple file may be like this:

<authentication-manager>
    <authentication-provider ref="daoAuthenticationProvider">
        <password-encoder hash="sha" base64="true">
            <salt-source user-property="username" />
        </password-encoder>
        <usercache ref="userEHCache"/>
    </authentication-provider>
</authentication-manager>

<beans:bean id="userEHCache"
    class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <beans:property name="cacheManager" ref="cacheManager"></beans:property>
    <beans:property name="cacheName" value="userCache"></beans:property>
</beans:bean>

<beans:bean id="cacheManager"
    class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
</beans:bean>
@spring-issuemaster

Luke Taylor said:

Both the configurations you've posted appear to be the same...

It isn't possible to guarantee that the referenced AuthenticationProvider is compatible with a cache (it might use LDAP, for example) so providing caching at the AuthenticationProvider level isn't practical. There is already a cache-ref element available on for use with user-service elements, but I would generally recommend you configure the beans explicitly as it is clearer what is going on.

@spring-issuemaster

shydow lee said:

Sorry about my post, I repeat my option again.

Now my configuration is:

<authentication-manager>
    <authentication-provider ref="daoAuthenticationProvider"></authentication-provider>
</authentication-manager>

<beans:bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="gacUserDetailsService" />
    <beans:property name="userCache" ref="userCache"></beans:property>
    <beans:property name="passwordEncoder" ref="passwordEncoder"></beans:property>
    <beans:property name="saltSource" ref="saltSource"></beans:property>
</beans:bean>

<beans:bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
    <beans:property name="cache" ref="userEHCache" />
</beans:bean>

<beans:bean id="userEHCache"
    class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <beans:property name="cacheManager" ref="cacheManager"></beans:property>
    <beans:property name="cacheName" value="userCache"></beans:property>
</beans:bean>

<beans:bean id="cacheManager"
    class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
</beans:bean>

<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <beans:constructor-arg value="256"></beans:constructor-arg>
</beans:bean>

<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.SystemWideSaltSource">
    <beans:property name="systemWideSalt" value="gac"></beans:property>
</beans:bean>

I think if you configure it like this:




you mean to use the UserDetailsService interface. In the Javadoc there is a description like this:

   Core interface which loads user-specific data. 

    It is used throughout the framework as a user DAO and is the strategy used by the DaoAuthenticationProvider. 

    The interface requires only one read-only method, which simplifies support for new data-access strategies.

So, I think when you use authentication-provider and user-service-ref, it may be better to add a child user-cache to the authentication-provider node. The configuration will be like this:

<authentication-manager>
    <authentication-provider user-service-ref="gacUserDetailsService">
        <password-encoder hash="sha">
            <salt-source system-wide="gac"/>
        </password-encoder>
        <user-cache ref="userCache"></user-cache>
    </authentication-provider>
</authentication-manager>
<beans:bean id="userCache" class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
    <beans:property name="cache" ref="userEHCache" />
</beans:bean>

<beans:bean id="userEHCache"
    class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <beans:property name="cacheManager" ref="cacheManager"></beans:property>
    <beans:property name="cacheName" value="userCache"></beans:property>
</beans:bean>

<beans:bean id="cacheManager"
    class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <beans:property name="configLocation" value="classpath:ehcache_user.xml"></beans:property>
</beans:bean>

If you want to use LDAP, UserDetailsService is not for you, so I think it could work.

@spring-issuemaster

Luke Taylor said:

As I said, there is already a cache-ref attribute available which allows you to associate a cache with a UserDetailsService and I don't really want to add another cache-related namespace construct. Caching may also be required in other situations where a UserDetailsService is used (not just with DAO authentication), so associating one with an authentication-provider is not sufficient.

Personally I would favour making the configuration explicit as it is clearer how the cache is being used and there is too much going on behind the scenes with the current namespace approach and it doesn't provide much benefit.
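
The existing cache-ref attribute mentioned in the comment above, shown as an added example that is not part of the original thread or the project's own documentation. It assumes a JDBC-backed user store with a hypothetical "dataSource" bean, and reuses the passwordEncoder, saltSource, userEHCache and cacheManager beans posted earlier in the thread.

```xml
<!-- Added example. "dataSource" is an assumed bean id; the thread uses a custom
     gacUserDetailsService instead of a namespace user-service element. -->
<authentication-manager>
    <authentication-provider>
        <password-encoder ref="passwordEncoder">
            <salt-source ref="saltSource" />
        </password-encoder>
        <!-- cache-ref belongs to the user-service element, not to authentication-provider -->
        <jdbc-user-service data-source-ref="dataSource" cache-ref="userCache" />
    </authentication-provider>
</authentication-manager>

<!-- UserCache implementation as posted in the thread; the userEHCache and
     cacheManager beans it depends on are defined there as well. -->
<beans:bean id="userCache"
    class="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache">
    <beans:property name="cache" ref="userEHCache" />
</beans:bean>
```

Entries stay in the cache until Ehcache expires them or the application calls UserCache.removeUserFromCache, so a password change or account lock should evict the user or rely on a short time-to-live in ehcache_user.xml.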

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016