Multi-Provider Authentication and Multi-Method Authentication System
In today's security environment, the requirements for protecting user data and system resources are increasingly demanding. Organizations not only face growing threats but must also comply with strict security standards. One effective approach is to combine several authentication methods in a single authentication system. This article discusses a system that combines LDAP and Username/Password authentication, leveraging the advantages of both methods to strike a balance between security, convenience, and scalability.
First, LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining directory services. It is typically used to store user accounts, groups, and other resources of a networked system, and it supports fast lookups, especially in environments with a large number of users.
In Spring Security, LDAP authentication is provided by an LdapAuthenticationProvider, which uses a DefaultSpringSecurityContextSource to connect to the LDAP server and verify the user's credentials by binding to the directory.
    // Classes from org.springframework.security.ldap.authentication.
    // ldapContextSource() is assumed to be a DefaultSpringSecurityContextSource bean
    // pointing at the directory server.
    @Bean
    public LdapAuthenticationProvider ldapAuthenticationProvider() {
        // Bind as the user against the directory; the DN pattern tells the
        // authenticator where the entry for a given username lives.
        BindAuthenticator authenticator = new BindAuthenticator(ldapContextSource());
        authenticator.setUserDnPatterns(new String[] { "uid={0},ou=users" });
        return new LdapAuthenticationProvider(authenticator);
    }
Alongside LDAP, the more familiar Username/Password method is a basic authentication method in which users provide a username and password to access the system. It is the most common, simplest, and easiest-to-implement authentication method. For Username/Password, a DaoAuthenticationProvider authenticates against the database, using a UserDetailsService to load the account and a PasswordEncoder to check the submitted password against the stored hash.
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        // Loads the account (and its password hash) from the database
        provider.setUserDetailsService(userDetailsService);
        // Compares the submitted password with the stored hash
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }
The concept of combining LDAP and Username/Password is presented as a layered system: when a user enters login information (username and password), the system first authenticates against the database, then, if that fails, against LDAP. If at least one method accepts the credentials, access is granted; otherwise it is denied. To implement this, daoAuthenticationProvider() and ldapAuthenticationProvider() are both registered through http.authenticationProvider(), which tells Spring Security that the system uses both authentication methods (from the database and from LDAP). Spring Security's ProviderManager tries the registered providers in registration order and stops at the first one that succeeds.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http)
            throws Exception {
        http.csrf(AbstractHttpConfigurer::disable);
        // Add DAO provider (tried first, in registration order)
        http.authenticationProvider(daoAuthenticationProvider());
        // Add LDAP provider (tried only if the DAO provider rejects the credentials)
        http.authenticationProvider(ldapAuthenticationProvider());
        return http.build();
    }
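The fall-through behaviour described above is decided by Spring Security's ProviderManager, not by the filter chain itself. The following stand-alone program is an added example, not code from the original article: it wires a DaoAuthenticationProvider over an in-memory user store together with a constructed stub that answers like an LDAP bind (so no directory server is needed), and shows which provider answers for each login attempt. The usernames, passwords and the stub provider are all constructed for the demonstration. It also shows the one case where the chain does not fall through: an account-status failure such as a locked database account stops ProviderManager immediately, so the LDAP provider is never consulted.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderChainDemo {

    /** Constructed stand-in for the directory: username -> password. */
    static final Map<String, String> FAKE_DIRECTORY = Map.of("ldap-bob", "bob-secret");

    /** Stub that behaves like an LDAP bind against FAKE_DIRECTORY (constructed, not a real LDAP client). */
    static AuthenticationProvider stubLdapProvider() {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication auth) {
                String expected = FAKE_DIRECTORY.get(auth.getName());
                if (expected == null || !expected.equals(String.valueOf(auth.getCredentials()))) {
                    throw new BadCredentialsException("LDAP bind failed");
                }
                return UsernamePasswordAuthenticationToken.authenticated(auth.getName(), null, List.of());
            }

            @Override
            public boolean supports(Class<?> type) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
            }
        };
    }

    /** Database-style provider over two constructed accounts, one of them locked. */
    static DaoAuthenticationProvider daoProvider() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        UserDetails alice = User.withUsername("db-alice")
                .password(encoder.encode("alice-secret")).roles("USER").build();
        UserDetails locked = User.withUsername("db-locked")
                .password(encoder.encode("x")).roles("USER").accountLocked(true).build();
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(new InMemoryUserDetailsManager(alice, locked));
        dao.setPasswordEncoder(encoder);
        return dao;
    }

    /** DAO first, LDAP second: the same order in which the filter chain registers them. */
    static ProviderManager providerManager() {
        return new ProviderManager(daoProvider(), stubLdapProvider());
    }

    static String attempt(ProviderManager pm, String user, String pass) {
        try {
            Authentication result = pm.authenticate(
                    UsernamePasswordAuthenticationToken.unauthenticated(user, pass));
            return "GRANTED for " + result.getName();
        } catch (AuthenticationException e) {
            // ProviderManager rethrows the last provider's exception, or the
            // account-status exception that stopped the chain early.
            return "DENIED: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        ProviderManager pm = providerManager();
        // DAO accepts; the LDAP stub is never consulted
        System.out.println(attempt(pm, "db-alice", "alice-secret"));
        // DAO throws BadCredentialsException (unknown user), chain falls through to LDAP, which accepts
        System.out.println(attempt(pm, "ldap-bob", "bob-secret"));
        // Both providers reject
        System.out.println(attempt(pm, "ldap-bob", "wrong"));
        // LockedException is an AccountStatusException: ProviderManager stops here, LDAP is not tried
        System.out.println(attempt(pm, "db-locked", "x"));
    }
}
```

Two points worth noting from the output. First, an unknown database user is reported by DaoAuthenticationProvider as BadCredentialsException (user-not-found is hidden by default), which is exactly what lets the chain continue to LDAP. Second, because the two providers enforce their own password and lockout policies independently, the weaker of the two policies is what an attacker faces, so both stores need comparable credential and lockout rules.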
In other systems that require more precision and specialization, the two authentication types can be kept separate (using only one of the two). In some cases the system offers both methods, but each account is bound to exactly one of them. For this, a CustomAuthenticationProvider can be added: a mechanism that classifies the account and decides whether to authenticate it against LDAP or against the database. When this custom provider is used, it is the only provider registered on http; registering the DAO and LDAP providers alongside it would let ProviderManager fall through to them and defeat the per-account binding.
    @Bean
    public AuthenticationProvider customAuthenticationProvider() {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication authentication) {
                String username = authentication.getName();
                // Route the request to exactly one backing provider
                if (isLdapUser(username)) {
                    return ldapAuthenticationProvider().authenticate(authentication);
                } else {
                    return daoAuthenticationProvider().authenticate(authentication);
                }
            }

            @Override
            public boolean supports(Class<?> authentication) {
                return authentication.equals(UsernamePasswordAuthenticationToken.class);
            }

            // Placeholder classification rule, not from the original article (the body
            // is left empty there). Replace with a site-specific lookup, for example an
            // account-type column in the user table.
            private boolean isLdapUser(String username) {
                return username.endsWith("@ldap.example"); // hypothetical naming convention
            }
        };
    }
This article has shown that combining multiple authentication methods is a powerful way to protect systems from cybersecurity threats. The approach not only raises the level of security but also helps manage user information effectively and centrally. However, organizations need to weigh the implementation and maintenance cost of such a system carefully in order to get the most out of it.
Thanh Vu