I'm using spring security (2.0.6) to perform HTTP BASIC authentication. I've written a custom authentication provider class which I use to validate usernames and passwords against my database. The problem I'm having is that some users do not have passwords. These users receive an "Access Denied" message. I debugged the code and found that my custom authentication provider isn't invoked when the user's password is blank. Does anyone know how to get around this? I need to allow some users to have blank passwords.
Rather then no password have you tried setting the password in a filter before the AuthenticationProvider to some default like "NOPASSWORD"? I think one of the pre-auth filters does a simple 'if (password == null)' and fails and that's your issue.