Spring Security - two separate sources for authentication information
My Spring Security form-based login currently contains a form and the default LdapAuthenticationProvider and I am able to authenticate properly. But there's a new requirement to check that the user is enabled. This information is in the database instead of LDAP. So how do I do this?
Should I be looking at using the AbstractAuthenticationProcessingFilter and performing the extra check in the successfulAuthentication method?
Or is there a better way to do this?
I'd say that extending the UsernamePasswordAuthenticationFilter and overriding attemptAuthentication() is a good way. In attemptAuthentication() you can check both DB data and LDAP data. You can load user info using the UserDetailsService like this.
Another way is (as you suggested yourself) extending the AbstractAuthenticationProcessingFilter and running your filter after the FORM_LOGIN filter like this:
<http ...>
...
<custom-filter after="FORM_LOGIN_FILTER" ref="myAuthenticationProcessingFilter" />
</http>
A good idea is probably to make 2 separate filters for LDAP and DB authentication and run one after the other. This way you can turn any of them off if you need to.
This part of the spring docs will help you on custom filters.
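A sketch of the first approach from the answer above, as an added example that is not code from the original post: the LDAP login runs first through the inherited attemptAuthentication(), then the database "enabled" flag is checked before the request is treated as authenticated. The class name LdapThenDbEnabledFilter and the dbUserDetailsService field are hypothetical, the service is assumed to be database-backed, and the javax.servlet imports assume a Spring Security version from the XML-namespace era shown above.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical class name; not part of Spring Security.
public class LdapThenDbEnabledFilter extends UsernamePasswordAuthenticationFilter {

    // Assumption: a database-backed UserDetailsService whose
    // UserDetails.isEnabled() reflects the "enabled" flag in the database.
    private final UserDetailsService dbUserDetailsService;

    public LdapThenDbEnabledFilter(UserDetailsService dbUserDetailsService) {
        this.dbUserDetailsService = dbUserDetailsService;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException {
        // Step 1: the usual form login. The configured AuthenticationManager
        // delegates to the LdapAuthenticationProvider and throws an
        // AuthenticationException on bad credentials.
        Authentication ldapResult = super.attemptAuthentication(request, response);

        // Step 2: the database check, still inside attemptAuthentication(),
        // so a rejection goes through the normal failure handling and the
        // SecurityContext is never populated for a disabled account.
        UserDetails dbUser;
        try {
            dbUser = dbUserDetailsService.loadUserByUsername(ldapResult.getName());
        } catch (UsernameNotFoundException e) {
            // Fail closed: a valid LDAP login with no database record is rejected.
            throw new DisabledException("Account is not enabled");
        }
        if (!dbUser.isEnabled()) {
            throw new DisabledException("Account is not enabled");
        }
        return ldapResult;
    }
}
```

Like any UsernamePasswordAuthenticationFilter, this bean still needs its authenticationManager property set in the configuration.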