Multiple Authentication Provider with Spring Security

Nowadays, websites need to provide multiple login options such as a custom login, LDAP login, by facebook connect or openID. For this purpose, Spring Security allows to set up multiple authentication providers.

The basic setup is easy, just add additional authentication providers:

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider user-service-ref="userServiceInternal">
    <security:password-encoder hash="md5" />
  </security:authentication-provider>
  <security:authentication-provider user-service-ref="userServiceDb">
    <security:password-encoder hash="plaintext" />
  </security:authentication-provider>
  <security:authentication-provider ref="authenticationProviderFacebook">
  </security:authentication-provider>
</security:authentication-manager>

<security:authentication-manager alias="authenticationManager">

<security:authentication-provider user-service-ref="userServiceInternal">

<security:password-encoder hash="md5" />

</security:authentication-provider>

<security:authentication-provider user-service-ref="userServiceDb">

<security:password-encoder hash="plaintext" />

</security:authentication-provider>

<security:authentication-provider ref="authenticationProviderFacebook">

</security:authentication-provider>

</security:authentication-manager>

With a custom authentication provider such as the facebook authentication provider, it is sometimes required to setup a custom filter. Reason for this is, that the standard user service checks for the request parameters j_username and j_password. With facebook connect, those parameters are not sent, so some other parameters must be checked, such as an URL or similar.

<security:http auto-config="true">
  <security:form-login
    login-page="/login"
    login-processing-url="/loginProcess"
    default-target-url="/inbox"
    authentication-failure-url="/login?login_error=1" />
  <security:logout
    logout-url="/pages/logout"
    logout-success-url="/logoutSuccess" />
  <security:custom-filter
    before="FORM_LOGIN_FILTER"
    ref="facebookAuthenticationFilter" />
</security:http>

<security:http auto-config="true">

<security:form-login

default-target-url="/inbox"

authentication-failure-url="/login?login_error=1" />

<security:logout

logout-url="/pages/logout"

logout-success-url="/logoutSuccess" />

<security:custom-filter

before="FORM_LOGIN_FILTER"

ref="facebookAuthenticationFilter" />

</security:http>

The facebookAuthenticationFilter is a custom class, best to be extending AbstractAuthenticationProcessingFilter with the defaultFilterProcessUrl set to something like /j_spring_facebook_security_check.

Then change the on-login javascript code of the facebook connect button to redirect to the above specified URL:

function facebook_onlogin() {
  document.location.href = "/j_spring_facebook_security_check";
}

function facebook_onlogin() {

document.location.href = "/j_spring_facebook_security_check";

}

Once the users clicks on the facebook connect button, the typical facebook connect user interface pops up. Upon successful login, the page is redirected to the facebook login URL, from there automatically to the standard target page.