You can specify as many providers as you want. They will be checked in the same order you declared them inside the authentication-manager tag.

Once a successful authentication is made, it will stop polling the providers. If any provider throws an `AccountStatusException` it will also break the polling.

When I try to inject the @request into any of my services, I get this exception:

&gt; ScopeWideningInjectionException: Scope Widening Injection detected:
&gt; The definition &quot;service.navigation&quot; references the service &quot;request&quot;
&gt; which belongs to a narrower scope. Generally, it is safer to either
&gt; move &quot;service.navigation&quot; to scope &quot;request&quot; or alternatively rely on
&gt; the provider pattern by injecting the container itself, and requesting
&gt; the service &quot;request&quot; each time it is needed. In rare, special cases
&gt; however that might not be necessary, then you can set the reference to
&gt; strict=false to get rid of this error.

What is the best way to proceed? Should I try to set this `strict=false` and how, or should I NOT inject the request service, but rather pass it to the service through my controller each time I call functions I need?

Other possibility would be to inject the kernel and take it from there, but in my service I  am using only @router and @request, so injecting the whole kernel would be irrational.

How to inject the @request into a service?

I&#39;ve run into problems installing the latest Subclipse plug in. I saw this post: https://stackoverflow.com/questions/5620681/subclipse-unable-to-load-default-svn-client, but the answer appears to be specific for Subclipse 1.6.x, and I think 1.8.x is presenting new issues. I&#39;m on a mac, 10.6.8, with Eclipse Indigo. I have Subclipse 1.8.4 installed, with the Subversion JavaHL Native Library Adapter 1.7.3 installed, which is the correct version of JavaHL for Subclipse 1.8, according to http://subclipse.tigris.org/wiki/JavaHL#head-5ccce53a67ca6c3965de863ae91e2642eab537de

When I tried to add a new SVN repository, it says &quot;operation in progress&quot;, then gives me this error:

    Failed to load JavaHL Library.
    These are the errors that were encountered:
    no libsvnjavahl-1 in java.library.path
    no svnjavahl-1 in java.library.path
    no svnjavahl in java.library.path
    java.library.path = .:/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java

I also tried uninstalling all the subclipse plugins, and instead installing the openCollabNet subversion package, as recommended here: http://subclipse.tigris.org/wiki/JavaHL#head-5bf26515097c3231c1b04dfdb22c036bc511926b

But when I tried to add a new SVN repository, I received the error: &quot;Unable to load defaul SVN client&quot;

Any ideas what I&#39;m doing wrong?

Thanks

Subclipse and JavaHL installation headache

I have configured two authentication providers in my Spring Security config:

       &lt;security:authentication-manager&gt;
          &lt;security:authentication-provider ref=&quot;XProvider&quot; /&gt;
          &lt;security:authentication-provider ref=&quot;YProvider&quot; /&gt;
       &lt;/security:authentication-manager&gt;

Does spring security evaluate both providers? Or does it stop to evaluate if one of them fails? If not, How to make it stop?

Thanks.

Multiple Authentication Providers in Spring Security

I have configured two authentication providers in my Spring Security config:
<pre><code class="hljs language-ini"> &#x3C;security:authentication-manager>
 &#x3C;security:authentication-provider ref="XProvider" />
 &#x3C;security:authentication-provider ref="YProvider" />
 &#x3C;/security:authentication-manager>
</code></pre>
Does spring security evaluate both providers? Or does it stop to evaluate if one of them fails? If not, How to make it stop?
Thanks.

I have the following bean defined:

	&lt;sec:authentication-manager alias=&quot;authenticationManager&quot;&gt;
		&lt;sec:authentication-provider
			user-service-ref=&quot;userDetailsService&quot; /&gt;
	&lt;/sec:authentication-manager&gt;
	
I guess here Spring uses some default implementation of `AuthenticationManager`.

In my Java code I have:

	@Resource(name = &quot;authenticationManager&quot;)
	private AuthenticationManager authenticationManager; // specific for Spring Security

	public boolean login(String username, String password) {
		try {
			Authentication authenticate = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
			if (authenticate.isAuthenticated()) {
				SecurityContextHolder.getContext().setAuthentication(authenticate);				
				return true;
			}
		}
		catch (AuthenticationException e) {			
		}
		return false;
	}
	
Here `AuthenticationManager.authenticate(...)` is called. But I would like to know which implementation of `AuthenticationManager` Spring uses by default, and what its `authenticate(...)` does in order to authenticate (i.e., make sure that username matches password).
	
Could you explain this?

What is the default AuthenticationManager in Spring-Security? How does it authenticate?

I&#39;m doing an application with authentication by OpenID using Spring Security.
When user is logged-in, some authorities are loaded in his session.

I have User with full right which can modify authorities (revoke, add roles) of others users. My question is, how to change User session authorities dynamically ? (cannot use *SecurityContextHolder* because I want to change another User session).

Simple way : invalidate user session, but how to ?
Better way : refresh user session with new authorities, but how to ?

How to reload authorities on user update with Spring Security

I have a Spring web app, secured with Spring Security, running on EC2. In front of the EC2 instance is an Elastic Load Balancer with an SSL cert (https terminates at the load balancer ie. port 443 -&gt; port 80), so from Tomcat&#39;s perspective, inbound requests are HTTP.

My login form submits to https, however the subsequent redirect goes to http (success or fail). The authentication was successful, and I can go back to https and I&#39;m logged in.

My login configuration looks like so:

    &lt;security:form-login
        default-target-url=&quot;/home&quot;
        login-page=&quot;/&quot;
        login-processing-url=&quot;/processlogin&quot;
        authentication-failure-url=&quot;/?login_error=1&quot;/&gt;

What do I need to change to make default-target-url and authentication-failure-url go to https?

 - Tomcat 6
 - Spring Security 3.0.x

HTTPS login with Spring Security redirects to HTTP

**Problem:**  
We have a Spring MVC-based RESTful API which contains sensitive information. The API should be secured, however sending the user&#39;s credentials (user/pass combo) with each request is not desirable. Per REST guidelines (and internal business requirements), the server must remain stateless. The API will be consumed by another server in a mashup-style approach.

**Requirements:**

 - Client makes a request to `.../authenticate` (unprotected URL) with credentials; server returns a secure token which contains enough information for the server to validate future requests and remain stateless. This would likely consist of the same information as Spring Security&#39;s [Remember-Me Token][1].

 - Client makes subsequent requests to various (protected) URLs, appending the previously obtained token as a query parameter (or, less desirably, an HTTP request header).

 - Client cannot be expected to store cookies.

 - Since we use Spring already, the solution should make use of Spring Security.

We&#39;ve been banging our heads against the wall trying to make this work, so hopefully someone out there has already solved this problem. 

Given the above scenario, how might you solve this particular need?

  [1]: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/remember-me.html

RESTful Authentication via Spring

I&#39;m using spring security in my web application, and now I want to have a list of all users who are logged in my program.

How can I have access to that list? Aren&#39;t they already kept somewhere within spring framework? Like ***SecurityContextHolder*** or ***SecurityContextRepository***?

Content Type	Original Author	Original Content on Stackoverflow
Question	ankurvsoni	View Question on Stackoverflow
Solution 1 - Spring Security	José Lecaros	View Answer on Stackoverflow

Multiple Authentication Providers in Spring Security

Spring Security Problem Overview

Spring Security Solutions

Solution 1 - Spring Security

Subclipse and JavaHL installation headache

How to inject the @request into a service?

Attributions