Spring 安全 - 首先验证数据库中的用户，然后再针对 AD 进行身份验证

Question

We have a requirement to verify whether a username exists in database and then authenticate against AD. If username doesn't exist application will return error instead of trying to authenticate against AD. I have authenticated against multiple AD's and/or database but I have trouble getting this to work. Any hints would be helpful. Thank you

In my class that extends WebSecurityConfigurerAdapter I tried to play with authenticationProvider where I could verify the existence in DB. But not sure of what to return so that the authentication could be proceed to LDAP.

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
     .authenticationProvider(authenticationProvider)
    .authenticationEventPublisher(authenticationEventPublisher)
    .ldapAuthentication()
    .....;

}

I also tried adding a before/after filter but not successful in there either

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
   ....
 .and()
 .addFilterBefore(preAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
;

Answer 1

@gandr solution got me thinking, and my final solution was:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
  .authenticationProvider(PreLdapAuthenticationProvider)
   // authenticationEventPublisher not used anymore
  .ldapAuthentication()
  .....;

private static class PreLdapAuthenticationProvider implements AuthenticationProvider {
  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    this.userService.checkUserEnabled((String) authentication.getPrincipal());
    return null;
  }
}

public class UserService {
  public void checkUserEnabled(String username) throws AuthenticationException {
    UserEntity entity = userRepository.findByLogin(username);
    if (entity == null) {
      throw new PreLdapUsernameNotFoundException();
      // normal UsernameNotFoundException extends AuthenticationException
      // and will be caught and ignore, but not if my custom class
      // extends AccountStatusException
    }
    if (!entity.isEnabled()) {
      throw new DisabledException("DisabledException");
    }
  }
}

public class PreLdapUsernameNotFoundException extends AccountStatusException {
  public PreLdapUsernameNotFoundException() {
    super("PreLdapUsernameNotFoundException");
  }
}

Then you can catch PreLdapUsernameNotFoundException and InternalAuthenticationServiceException in

private AuthenticationFailureHandler authenticationFailureHandler() {
  return (request, response, authenticationException) -> {
    if (authenticationException instanceof PreLdapUsernameNotFoundException){
      ...
    } else ...
  }
}

Answer 2

In the filter preAuthenticationFilter the instance of request passed in doFilter() method FirewalledRequest. From this instance I am unable to get the username; looks like this is by design. If anyone has any advice on how we could retrieve username from the instance of FirewalledRequest please share it here. I will give it a try.

So instead of using the filter I decided to play with the custom AuthenticationProvider. In the AuthenticationProvider implementation under the method authenticate() I return null (and log, notify, etc.) when user exist. If user doesn't exits I return the same instance of authentication passed. This breaks the chain and stops proceeding to authenticating against AD. Throwing any instance of AuthenticationException doesn't work as Spring security captures this exception and proceeds further (per docs).

Here is how the code snippet looks like

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException
{
    Optional<User> user = service.findUserByUsername((String) authentication.getPrincipal());

    if (user.isPresent())
        return null;

    return authentication;
}

Please share any better ideas.