I have spring protection using Kerberos authentication successfully. But it seems like the spring structure calls KerberosServiceAuthenticationProvider.userDetailsService to get the roles, I would think that it gets the roles only once until the session is invalidated. My configuration looks like
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:beans="http://www.springframework.org/schema/beans" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <http entry-point-ref="spnegoEntryPoint" auto-config="false"> <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> <custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" /> <form-login login-page="/login.html" default-target-url="/" always-use-default-target="true"/> </http> <authentication-manager alias="authenticationManager"> <authentication-provider ref="kerberosServiceAuthenticationProvider" /> <authentication-provider ref="kerberosAuthenticationProvider"/> </authentication-manager> <beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" /> <beans:bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter"> <beans:property name="failureHandler"> <beans:bean class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/login.html" /> <beans:property name="allowSessionCreation" value="true"/> </beans:bean> </beans:property> <beans:property name="authenticationManager" ref="authenticationManager" /> </beans:bean> <beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider"> <beans:property name="ticketValidator"> <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator"> <beans:property name="servicePrincipal" value="HTTP/mywebserver.corpza.corp.co.za"/> <beans:property name="keyTabLocation" value="classpath:mywebserver.keytab" /> <beans:property name="debug" value="true"/> </beans:bean> </beans:property> <beans:property name="userDetailsService" ref="dummyUserDetailsService" /> </beans:bean> <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider"> <beans:property name="kerberosClient"> <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient"> <beans:property name="debug" value="true" /> </beans:bean> </beans:property> <beans:property name="userDetailsService" ref="dummyUserDetailsService" /> </beans:bean> <beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig"> <beans:property name="debug" value="true" /> <beans:property name="krbConfLocation" value="/etc/krb5.conf" /> </beans:bean> <beans:bean id="dummyUserDetailsService" class="main.server.DummyUserDetailsService"/> </beans:beans>
so my DummyUserDetailsService.loadUserByUsername (username Styring) is called every time a secure page is requested, I load user roles from the database and donβt want to run the request every time the request is made, is there any configuration I need to do this to prevent this?
source share