
Custom Authentication

Remember how the login page leveraged SPRING_SECURITY_LAST_EXCEPTION to
explain why login failed? The AuthenticationException thrown in
AuthenticationProvider is the last AuthenticationException, and its message will
be displayed by our login page in the event of a failed login.

Configuring CalendarUserAuthenticationProvider
Next, update the security.xml file to refer to our newly created
CalendarUserAuthenticationProvider object, and remove the reference to
CalendarUserDetailsService.

src/main/webapp/WEB-INF/spring/security.xml

<authentication-manager>
    <authentication-provider
        ref="calendarUserAuthenticationProvider"/>
</authentication-manager>

Restart the application and ensure everything is still working. As a user, we
do not notice anything different. However, as a developer, we know that
CalendarUserDetails is no longer required; we are still able to display the
current user's first and last names, and Spring Security is still able to leverage
CalendarUser for authentication.

Your code should now look like chapter03.05-calendar.

Authenticating with different parameters


One of the strengths of AuthenticationProvider is that it can authenticate with
any parameters you wish. For example, maybe your application uses a random
identifier for authentication, or perhaps it is a multi-tenant application and requires
a username, password, and a domain. In the following section, we will update
CalendarUserAuthenticationProvider to support multiple domains.

A domain is a way to scope our users. For example, if we deploy our
application once but have multiple clients using the same deployment,
each client may want a user with the username admin. By adding a
domain to our user object, we can ensure that each user is distinct and
still support this requirement.
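
As an added illustration (not code from the book or its sample project), a provider that authenticates with a username, password, and domain could look like the following. The class names, the in-memory map of password hashes, and the ROLE_USER authority are assumptions made for this example, which needs spring-security-core and spring-security-crypto on the classpath.

```java
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical token: a username/password token that also carries the tenant domain.
class DomainUsernamePasswordAuthenticationToken extends UsernamePasswordAuthenticationToken {
    private final String domain;
    DomainUsernamePasswordAuthenticationToken(String username, String password, String domain) {
        super(username, password); // two-argument constructor: token is not yet authenticated
        this.domain = domain;
    }
    String getDomain() { return domain; }
}

// Hypothetical provider: accounts are looked up per domain, so "admin" can exist in each one.
public class DomainAuthenticationProvider implements AuthenticationProvider {
    private final Map<String, Map<String, String>> hashesByDomain; // domain -> username -> hash
    private final PasswordEncoder passwordEncoder;
    public DomainAuthenticationProvider(Map<String, Map<String, String>> hashesByDomain,
                                        PasswordEncoder passwordEncoder) {
        this.hashesByDomain = hashesByDomain;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        // The cast is safe because ProviderManager calls supports() before authenticate().
        DomainUsernamePasswordAuthenticationToken token =
                (DomainUsernamePasswordAuthenticationToken) authentication;
        String domain = token.getDomain();
        Map<String, String> users = domain == null ? null : hashesByDomain.get(domain);
        String hash = users == null ? null : users.get(token.getName());
        String presented = token.getCredentials() == null ? "" : token.getCredentials().toString();
        // One generic message for every failure: the login page shows this text to the user.
        if (hash == null || !passwordEncoder.matches(presented, hash)) {
            throw new BadCredentialsException("Invalid username, password or domain");
        }
        return new UsernamePasswordAuthenticationToken(token.getName() + "@" + domain, null,
                AuthorityUtils.createAuthorityList("ROLE_USER")); // three-argument form: authenticated
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Reject plain username/password tokens: a login without a domain must not pass here.
        return DomainUsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Because the exception message ends up in SPRING_SECURITY_LAST_EXCEPTION, a message that distinguished "unknown domain" from "wrong password" would tell a visitor which domains and usernames exist.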
