Spring Security有两个身份验证层

时间:2016-07-05 10:00:35

标签: spring spring-security

在我们的应用程序中,我们需要有两层身份验证,数据库和LDAP,即

用户使用用户名和密码登录后,数据库验证仅用于检查数据库中是否存在使用自定义身份验证权限的用户名。

如果数据库中存在该用户名,则必须调用第二层(LDAP)以检查密码是否匹配。如果密码与LDAP中的密码匹配,则应对用户进行身份验证。如果数据库中不存在该用户名,则不应调用LDAP层,也不应对用户进行身份验证。

我已经实现了第一层身份验证,即对用户名的数据库验证。但是,我无法弄清楚如何实现第二层,即用LDAP进行密码检查。如果有人能帮助我,那就太好了。

以下是security xml文件中的代码:

    <!-- auto-config="false": the login filter is supplied explicitly below instead of the
         default <form-login>; use-expressions="true" enables SpEL in access rules. -->
    <security:http auto-config="false" use-expressions="true"

              entry-point-ref="loginUrlAuthenticationEntryPoint">

              <!-- Replaces the standard form-login filter with CustomAuthenticationFilter,
                   which is wired to the "authenticationManager" alias declared below. -->
              <security:custom-filter ref="customAuthenticationFilter"

                     position="FORM_LOGIN_FILTER" />

              <!-- Expires sessions that the "sas" concurrency strategy marked as exceeding
                   maximumSessions; expired requests are sent to /logout (see concurrencyFilter). -->
              <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />

              <security:access-denied-handler

                     error-page="/accessDenied" />

              <!-- The session cookie is removed from the browser on logout, not only
                   invalidated server-side. -->
              <security:logout delete-cookies="JSESSIONID" logout-success-url="/logout" />

              <!-- Composite strategy: concurrency limit, session-fixation protection, registry. -->
              <security:session-management session-authentication-strategy-ref="sas" />



           <!-- NOTE(review): no <security:csrf> element is declared in this snippet; whether
                CSRF protection is active therefore depends on the Spring Security version's
                default for XML config. Confirm and declare it explicitly. -->
           <security:headers >

               <security:cache-control />

               <security:hsts/>

           </security:headers>

       </security:http>

       <!-- Turns on @PreAuthorize / @PostAuthorize evaluation on annotated methods. -->
       <security:global-method-security pre-post-annotations="enabled"/>

       <!-- One provider only: CustomAuthenticationProvider (database existence check).
            The alias is the name customAuthenticationFilter refers to. -->
       <security:authentication-manager alias="authenticationManager">
           <security:authentication-provider ref="customAuthenticationProvider"/>
       </security:authentication-manager>

       <!-- Entry point used by <security:http>: unauthenticated requests are redirected
            to the login form at "/". -->
       <bean id="loginUrlAuthenticationEntryPoint"
             class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
           <property name="loginFormUrl">
               <value>/</value>
           </property>
       </bean>



       <!-- Form-login replacement (position FORM_LOGIN_FILTER in <security:http>).
            Reads the "username" and "password" request parameters, hands them to the
            "authenticationManager" alias, then applies the "sas" session strategy and
            one of the two handlers depending on the outcome. -->
       <bean id="customAuthenticationFilter"
             class="com.honeywell.wfm.util.CustomAuthenticationFilter">
           <property name="usernameParameter">
               <value>username</value>
           </property>
           <property name="passwordParameter">
               <value>password</value>
           </property>
           <property name="authenticationManager" ref="authenticationManager"/>
           <property name="authenticationFailureHandler" ref="failureHandler"/>
           <property name="authenticationSuccessHandler" ref="successHandler"/>
           <property name="sessionAuthenticationStrategy" ref="sas"/>
       </bean>





       <!-- After a successful login: replay the originally requested URL if one was
            saved, otherwise land on /dashboard. -->
       <bean id="successHandler"
             class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
           <property name="defaultTargetUrl">
               <value>/dashboard</value>
           </property>
       </bean>

       <!-- After a failed login: redirect to /failTologin. -->
       <bean id="failureHandler"
             class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
           <property name="defaultFailureUrl">
               <value>/failTologin</value>
           </property>
       </bean>



       <!-- Checks each request's session against the registry; a session that was
            expired by the concurrency strategy is invalidated and sent to /logout. -->
       <bean id="concurrencyFilter"
             class="org.springframework.security.web.session.ConcurrentSessionFilter">
           <property name="sessionRegistry" ref="sessionRegistry"/>
           <property name="expiredUrl">
               <value>/logout</value>
           </property>
       </bean>


    <!-- Session strategy applied by customAuthenticationFilter and <security:session-management>.
         The delegates run in list order, and the concurrency check must precede registration:
           1. at most one session per principal; with exceptionIfMaximumExceeded=false a new
              login expires the older session instead of being refused,
           2. a fresh session id on login (session-fixation protection),
           3. the new session is recorded in sessionRegistry. -->
    <bean id="sas"
          class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                    <constructor-arg ref="sessionRegistry"/>
                    <property name="maximumSessions">
                        <value>1</value>
                    </property>
                    <property name="exceptionIfMaximumExceeded">
                        <value>false</value>
                    </property>
                </bean>
                <bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
                <bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                    <constructor-arg ref="sessionRegistry"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>


    <!-- In-memory registry of live sessions shared by the "sas" strategy and concurrencyFilter. -->
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>





       <!-- RoleVoter with the default "ROLE_" prefix removed, so every granted authority
            string is treated as a role name. NOTE(review): nothing in the snippet above
            references this bean (no access-decision-manager-ref); confirm it is wired in,
            otherwise it has no effect. -->
       <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
           <property name="rolePrefix">
               <value></value>
           </property>
       </bean>

       <!-- The provider behind the "authenticationManager" alias; its authenticate()
            is shown below. -->
       <bean id="customAuthenticationProvider"
             class="com.honeywell.wfm.service.impl.CustomAuthenticationProvider"/>







CustomAuthenticationProvider.java

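/**
 * Authenticates a login attempt against the application database.
 *
 * Looks up the employee number presented as the principal through
 * {@code loginComponent}. If no matching record exists the attempt is
 * rejected with a {@link BadCredentialsException}; otherwise an
 * authenticated token carrying the loaded {@code UserDTO} and its
 * authorities is returned.
 *
 * NOTE(review): the submitted password is never verified in this method.
 * The second layer (LDAP password check) still has to run between the
 * database lookup and the token creation; until it does, any caller that
 * presents an existing employee number is authenticated regardless of the
 * password supplied.
 *
 * @param authentication the request token; {@code getName()} holds the
 *                       employee number and {@code getCredentials()} the
 *                       submitted password
 * @return an authenticated {@link UsernamePasswordAuthenticationToken}
 *         whose principal is the loaded {@code UserDTO}
 * @throws BadCredentialsException if the employee number is not present
 *                                 in the database
 */
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String employeeNumber = authentication.getName();
    String password = (String) authentication.getCredentials();

    UserDTO userDTO = loginComponent.loadUserByUsername(employeeNumber);
    // Treat "no DTO returned" the same as "DTO without employee number": both mean
    // the user is unknown. The original code presumably relies on an empty DTO being
    // returned; the null guard keeps a null return from surfacing as a
    // NullPointerException instead of a clean authentication failure.
    if (userDTO == null || userDTO.getEmployeeNo() == null) {
        logger.error("Authentication failure for " + employeeNumber);
        throw new BadCredentialsException("Invalid Employee Number");
    }

    // TODO(review): the LDAP password check belongs here, before success is logged;
    // as written the log line below only reflects that the employee number exists.
    logger.info("Successfully Authenticated " + userDTO.getUserName());

    // The plaintext password is kept on the principal object, which ends up in the
    // session-held Authentication. Whether it is cleared after authentication depends
    // on UserDTO implementing CredentialsContainer — verify.
    userDTO.setPassword(password);
    return new UsernamePasswordAuthenticationToken(userDTO, password, userDTO.getAuthorities());
}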
