How to implement a Spring Security Single SignOn with Authentication Provider and Custom Granted Authority?

Dec 22, 2011 at 3:43 PM

My app needs a single sign-on to windows NTLM (active directory). Using the waffle example 'Spring Security Single-Singon Filter' I integrated
the code in my spring app and it worked. Now, the ROLES should be loaded from a local db into GrantedAuthority as I disregard any role information retrieved from ActiveDirectory. I see that this can be done via waffle.spring.WindowsAuthenticationProvider but the example provided ("Spring Security Authentication Provider") uses a form and not single-sign on approach.

How do I combine both the approaches: single sign-on (no login form) and use a custom GrantedAuthority Populator. In Spring Security, you can do
this via a custom UserDetailService that gets added like this <sec:authentication-provider user-service-ref="customDetailsServiceImpl"/>


Dec 22, 2011 at 10:41 PM

I was able to hack a working solution where I extended NegotiateSecurityFilter and wrote my own Authentication object which embeds a Spring UserDetails object and loads Roles from db. So far, looks good and I'd be happy to provide a detailed solution should anyone need one.

For future releases, it might be a good idea to have an injectable (set/get) Authentication Object in NegotiateSecurityFilter since the current object (WindowsAuthenticationToken) has limitations on how Group/Role info is loaded and hence not open to extension. The same applies to the custom logic within NegotiateSecurityFilter.doFilter() => a template method would work good for extension.

Dec 23, 2011 at 8:58 PM

I'll gladly take a patch for something that adds an authentication object. And maybe you want to post somewhere the details of what you did?

Feb 29, 2012 at 8:14 AM

Please share your details if you can.  I'm facing the same issue where I need to authenticate with waffle and get role authorization from a database.  This would help me a lot!  thanks

Mar 12, 2012 at 8:26 PM

I wrote a blog based on my findings and implementation. Hope this helps.

Mar 13, 2012 at 7:18 PM

Thanks for the writeup. Maybe you can think of a way of extending waffle to provide a customization point so that you don't have to modify waffle's source? Would love a contrib.