I have an existing Java/Spring/Hibernate webapp, with a classic database authentication. I just migrated it with success to a Crowd SSO platform. Everything works as expected, but now I would like to configure Spring Security to fallback to my previous authentication system if the Crowd server is down.
I never configured such cascading authentication, and what I read with google didn't help me so far. Do you know how I can achieve that?
Here is my Spring security configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd"
xmlns:util="http://www.springframework.org/schema/util"
default-autowire="byName">
<http entry-point-ref="crowdAuthenticationProcessingFilterEntryPoint">
<intercept-url pattern="/**/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**/logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/admin/**" access="ROLE_ADMINISTRATOR"/>
<intercept-url pattern="/**" access="ROLE_ADMINISTRATOR"/>
<custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
</http>
<!-- My previous authentication filter -->
<beans:bean id="authenticationFilter"
class="my.package.security.CustomAuthenticationProcessingFilter">
<beans:property name="authenticationManager" ref="formAuthenticationManager"/>
<beans:property name="filterProcessesUrl" value="/login"/>
<beans:property name="continueChainBeforeSuccessfulAuthentication" value="false"/>
<beans:property name="postOnly" value="true"/>
<beans:property name="authenticationSuccessHandler" ref="authenticationHandler"/>
<beans:property name="authenticationFailureHandler" ref="authenticationHandler"/>
</beans:bean>
<beans:bean id="authenticationHandler" class="my.package.security.CustomAuthenticationHandler">
<beans:property name="alwaysUseDefaultTargetUrl" value="false"/>
</beans:bean>
<beans:bean id="customAuthenticationProvider"
class="my.package.security.MyDaoAuthenticationProvider">
<beans:property name="SaltSource">
<beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<beans:property name="userPropertyToUse" value="salt"/>
</beans:bean>
</beans:property>
</beans:bean>
<!-- Crowd config -->
<beans:bean id="crowdUserDetailsService" class="my.package.security.CustomCrowdUserDetailsServiceImpl">
<beans:property name="authenticationManager" ref="crowdAuthenticationManager"/>
<beans:property name="groupMembershipManager" ref="crowdGroupMembershipManager"/>
<beans:property name="userManager" ref="crowdUserManager"/>
<beans:property name="authorityPrefix" value=""/>
<beans:property name="userController" ref="userController"/>
</beans:bean>
<beans:bean id="crowdAuthenticationProvider" class="com.atlassian.crowd.integration.springsecurity.RemoteCrowdAuthenticationProvider">
<beans:constructor-arg ref="crowdAuthenticationManager"/>
<beans:constructor-arg ref="httpAuthenticator"/>
<beans:constructor-arg ref="crowdUserDetailsService"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref='crowdAuthenticationProvider' />
</authentication-manager>
<beans:bean id="crowdAuthenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/login.html"/>
</beans:bean>
<beans:bean id="authenticationProcessingFilter" class="com.atlassian.crowd.integration.springsecurity.CrowdSSOAuthenticationProcessingFilter">
<beans:property name="httpAuthenticator" ref="httpAuthenticator"/>
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="filterProcessesUrl" value="/login"/>
<beans:property name="authenticationFailureHandler">
<beans:bean class="com.atlassian.crowd.integration.springsecurity.UsernameStoringAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.html?login_error=1"/>
</beans:bean>
</beans:property>
<beans:property name="authenticationSuccessHandler">
<beans:bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/flexibility.html"/>
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="crowdLogoutHandler" class="com.atlassian.crowd.integration.springsecurity.CrowdLogoutHandler">
<beans:property name="httpAuthenticator" ref="httpAuthenticator"/>
</beans:bean>
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.html"/>
<beans:constructor-arg>
<beans:list>
<beans:ref bean="crowdLogoutHandler"/>
<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/logout"/>
</beans:bean>
What you need is an authentication manager configured with multiple authentication providers. This gives an example