I've implemented LDAP authentication using Spring Security 3.1. My security.xml file for that is posted below.
I need to alter my authentication process such that
Your approach seems pretty sound. You are right in thinking that Spring will try each AuthenticationProvider until it gets a successful result, so in your case you would define your IP based provider before the LDAP provider.
Depending on your setup you may not get a WebAuthenticationDetails object on your authentication.getDetails() call. If this is the case you should add Spring's RequestContextListener or RequestContextFilter to your web.xml. You will then be able to get the source IP address by using the RequestContextHolder class and calling RequestContextHolder.getRequestAttributes().
You should only need to implement an AuthenticationProvider; there is no need to implement a UserDetailsService, UserDetails or Authentication class. You should return null if you are not able to authenticate the user via his IP address. In this case Spring will try the LDAP provider. If for some reason you do not want to pass the attempt on to LDAP you should throw an AuthenticationException, which will stop the process and ultimately result in a 403 error for the user.
I hope this helps :)
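A sketch of the provider the answer above describes, added here as an illustration and not code from the question or the answer. The class name `IpAddressAuthenticationProvider`, the exact-match set of trusted addresses and the `ROLE_USER` authority are assumptions made for the example.

```java
import java.util.HashSet;
import java.util.Set;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Hypothetical provider: authenticates by source address, otherwise defers to the next provider.
public class IpAddressAuthenticationProvider implements AuthenticationProvider {
    // Assumption: trusted addresses are injected from configuration and matched exactly.
    private final Set<String> trustedAddresses;

    public IpAddressAuthenticationProvider(Set<String> trustedAddresses) {
        this.trustedAddresses = new HashSet<String>(trustedAddresses);
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String ip = resolveRemoteAddress(authentication);
        if (ip == null || !trustedAddresses.contains(ip)) {
            return null; // no decision here, so ProviderManager tries the next provider (LDAP)
        }
        // Assumption: address-authenticated users receive ROLE_USER.
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                authentication.getPrincipal(), authentication.getCredentials(),
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        result.setDetails(authentication.getDetails());
        return result;
    }

    // Uses the socket peer address only; no client-supplied headers are consulted.
    private String resolveRemoteAddress(Authentication authentication) {
        if (authentication.getDetails() instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) authentication.getDetails()).getRemoteAddress();
        }
        // Fallback: needs RequestContextListener or RequestContextFilter in web.xml.
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (attrs instanceof ServletRequestAttributes) {
            return ((ServletRequestAttributes) attrs).getRequest().getRemoteAddr();
        }
        return null; // address unknown: do not authenticate on this path
    }

    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Behind a reverse proxy or load balancer the address seen here is the proxy's, so the trusted set has to be chosen with the deployment's network path in mind.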