
Customizing User Authentication and Authorization With Spring Security


Oracle Billing Insight uses the Spring Security framework for authentication and user access control. You can customize the Spring Security configuration for your implementation. Spring Security settings are maintained in the spring-security.xml file.

The following code in the spring-security.xml file defines the UsernamePasswordAuthenticationFilter filter that handles form authentication:

<security:http access-decision-manager-ref="accessDecisionManager">
    <security:logout logout-success-url="/nonAuth/logout.action"/>
    <security:access-denied-handler error-page="/accessDenied.action"/>
    <security:form-login login-page="/nonAuth/login.action"
        default-target-url="/reporting/reportStart.action"
        authentication-failure-url="/nonAuth/login.action?login_error=1"/>
</security:http>

Spring Security maintains an internal filter chain in which each filter has a particular responsibility. Filters can be added to or removed from the configuration depending on which services are required. The ordering of the filters is important because there are dependencies between them. If you are using namespace configuration, then the filters are configured automatically.

The form-login element invokes the UsernamePasswordAuthenticationFilter. Spring Security adds the filter to the filter chain automatically, and adds a LoginUrlAuthenticationEntryPoint to the application context to provide authentication on demand.

Oracle Billing Insight uses the Spring Security DaoAuthenticationProvider for authentication. DaoAuthenticationProvider relies on a UserDetailsService to look up the username, password, and GrantedAuthority. IBillingUserDetailsService extends UserDetailsService, and its implementation class implements the loadUserByUsername(String userId) method to provide the authentication mechanism. This method returns the IBillingUserDetails object.
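
The lookup contract described above, as an added example that is not Oracle Billing Insight code: it implements Spring Security's UserDetailsService directly as a stand-in for IBillingUserDetailsService. The class name ExampleUserDetailsService, the Account type, the register method and the in-memory map are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical stand-in for the class that implements IBillingUserDetailsService.
public class ExampleUserDetailsService implements UserDetailsService {
    // Constructed record of one user; a real deployment reads this from its user store.
    public static final class Account {
        final String passwordHash;   // stored hash, never the clear-text password
        final boolean locked;
        final List<String> roles;
        public Account(String passwordHash, boolean locked, List<String> roles) {
            this.passwordHash = passwordHash;
            this.locked = locked;
            this.roles = roles;
        }
    }

    private final Map<String, Account> accounts = new ConcurrentHashMap<String, Account>();

    public void register(String userId, Account account) {
        accounts.put(userId.toLowerCase(Locale.ROOT), account);
    }

    @Override
    public UserDetails loadUserByUsername(String userId) throws UsernameNotFoundException {
        Account account = (userId == null) ? null : accounts.get(userId.toLowerCase(Locale.ROOT));
        if (account == null) {
            // The contract forbids returning null; one generic message for every miss.
            throw new UsernameNotFoundException("Bad credentials");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : account.roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // Flags: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked.
        // The provider compares the password and rejects locked accounts itself.
        return new User(userId, account.passwordHash, true, true, true, !account.locked, authorities);
    }
}
```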

Implementation Guide for Oracle Billing Insight Copyright © 2016, Oracle and/or its affiliates. All rights reserved. Legal Notices.