You can use RequestContextHolder, and it really contains the same request, although Spring Security usually terminates the incoming request, so you can get a different link depending on whether you place the RequestContextFilter before or after Spring Security Chain (note that you can easily check this yourself by comparing the value returned from RequestContextHolder with the request in the application controller).
It is also relatively easy to introduce custom AuthenticationDetails, as you mentioned:
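    package com.mycompany;

    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.authentication.AuthenticationDetailsSource;

    public class MyWebAuthenticationDetailsSource implements AuthenticationDetailsSource {
        // Called by the authentication filter with the current request as context.
        public Object buildDetails(Object context) {
            // The returned value is what Authentication.getDetails() exposes later.
            return ((HttpServletRequest) context).getParameter("ip");
        }
    }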
Then use
    <bean id="ads" class="com.mycompany.MyWebAuthenticationDetailsSource" />

    <bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationDetailsSource" ref="ads" />
        <property name="authenticationManager" ref="authenticationmanager" />
    </bean>
and add it as a custom filter, as described in the reference guide. In 3.1, the namespace supports this directly in the form-login element. Authentication.getDetails() will then return the value of your ip parameter.
Please note that you probably should not use 3.0.4, as security vulnerabilities have been detected in it.
Also, can you explain how the "ip" parameter is set?
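An added example, not part of the original answer: a request parameter such as "ip" is supplied by the client, so this variant of the details source stores it next to the address the servlet container saw for the connection and lets later code compare the two. It assumes Spring Security 3.1 or later (where AuthenticationDetailsSource is generic) and the javax.servlet API; the names CheckedIpDetailsSource and IpDetails are hypothetical.

```java
package com.mycompany;

import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;

// Hypothetical class: records both the claimed and the observed client address.
public class CheckedIpDetailsSource
        implements AuthenticationDetailsSource<HttpServletRequest, CheckedIpDetailsSource.IpDetails> {

    @Override
    public IpDetails buildDetails(HttpServletRequest request) {
        // getRemoteAddr() is the peer address of the connection as seen by the
        // container (the proxy's address when the application sits behind one).
        // getParameter("ip") is whatever the client chose to send.
        return new IpDetails(request.getRemoteAddr(), request.getParameter("ip"));
    }

    // Serializable because the Authentication, including its details,
    // is normally stored in the HTTP session.
    public static final class IpDetails implements Serializable {
        private static final long serialVersionUID = 1L;

        private final String remoteAddress; // observed by the container
        private final String claimedIp;     // client-supplied, may be null

        IpDetails(String remoteAddress, String claimedIp) {
            this.remoteAddress = remoteAddress;
            this.claimedIp = claimedIp == null ? null : claimedIp.trim();
        }

        public String getRemoteAddress() { return remoteAddress; }

        public String getClaimedIp() { return claimedIp; }

        // Textual comparison only: different spellings of the same IPv6
        // address are reported as a mismatch.
        public boolean isClaimConsistent() {
            return claimedIp != null && claimedIp.equals(remoteAddress);
        }

        @Override
        public String toString() {
            return "remote=" + remoteAddress + ", claimed=" + claimedIp;
        }
    }
}
```

Authentication.getDetails() then returns an IpDetails instance, so access decisions and audit logs can rely on getRemoteAddress() and treat getClaimedIp() as unverified input.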