Why Username & Password


catalin
Aug 23rd, 2004, 04:46 AM
Hi,
What if I want to use another way of authentication, say a login form with 3 fields? Will this be supported in a future version?

Best regards!

Ben Alex
Aug 23rd, 2004, 06:18 AM
You can do anything you like. It's all interface driven. I know some Acegi Security users are using a 3-field login (username, password, ZIP code) successfully simply by providing a custom AuthenticationProcessingFilter and a subclassed DaoAuthenticationProvider and AuthenticationDao.

adepue
Sep 9th, 2004, 02:34 PM
We are doing this. Since our application can be accessed by different "customers" and we want each customer to have their own "user space", we have userspace id, user name, and password fields. Of course, the end user doesn't ever see the userspace id field as it is automatically handled by the client software.

- Andy

Ben Alex
Sep 9th, 2004, 05:23 PM
We too have a "userspace" situation as each subscriber (customer) has separate users. I have previously recommended (and we use) a delimiter in the username to handle this situation, with the AuthenticationDao being the only class actually aware the delimiter has special meaning. This maximises compatibility with other authentication systems which only understand the two properties, username and password (e.g. BASIC authentication, CAS authentication).
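
Added example, not part of the original thread and not Acegi Security code: a framework-free Java illustration of the delimiter approach described in the post above, where the login side composes one username and only the DAO side splits it. The class name, the `/` delimiter and the sample users are assumptions made for illustration.

```java
import java.util.Map;
/** Hypothetical helper for the delimiter-in-username approach; names are illustrative, not Acegi API. */
public class UserspaceUsername {
    // Assumed delimiter; choose a character that userspace ids and user names never contain.
    static final char DELIMITER = '/';
    final String userspaceId, userName;
    private UserspaceUsername(String userspaceId, String userName) {
        this.userspaceId = userspaceId;
        this.userName = userName;
    }

    /** Login side (for example the custom processing filter): build the single "username" property. */
    static String compose(String userspaceId, String userName) {
        requireClean(userspaceId, "userspace id");
        requireClean(userName, "user name");
        return userspaceId + DELIMITER + userName;
    }

    /** DAO side: the only place that knows the delimiter has meaning. */
    static UserspaceUsername parse(String composite) {
        int i = composite == null ? -1 : composite.indexOf(DELIMITER);
        // Exactly one delimiter is required; anything else is rejected rather than guessed at.
        if (i < 0 || i != composite.lastIndexOf(DELIMITER)) {
            throw new IllegalArgumentException("malformed username");
        }
        String space = composite.substring(0, i);
        String name = composite.substring(i + 1);
        requireClean(space, "userspace id");
        requireClean(name, "user name");
        return new UserspaceUsername(space, name);
    }

    // An empty field, or one carrying the delimiter, could otherwise resolve to another customer's userspace.
    private static void requireClean(String field, String what) {
        if (field == null || field.isEmpty() || field.indexOf(DELIMITER) >= 0) {
            throw new IllegalArgumentException("invalid " + what);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: the same user name exists in two userspaces with different authorities.
        Map<String, String> users = Map.of("acme/alice", "ROLE_USER", "globex/alice", "ROLE_ADMIN");
        UserspaceUsername u = parse(compose("acme", "alice"));
        System.out.println(u.userspaceId + " -> " + users.get(u.userspaceId + DELIMITER + u.userName));
        for (String bad : new String[] {"alice", "globex/alice/x", "/alice", "acme/"}) {
            try { parse(bad); } catch (IllegalArgumentException e) { System.out.println("rejected: " + bad); }
        }
    }
}
```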

trevparks
Jul 10th, 2008, 10:50 AM
Ben, can you point me to a sample app where there are 2 or 3 items to authenticate with? Thanks.

Luke Taylor
Jul 10th, 2008, 10:54 AM
Check out the "How to" section in the FAQ:

http://static.springframework.org/spring-security/site/faq.html

You'll also find many other discussions on this topic if you search the forum.

djKianoosh
Jul 10th, 2008, 12:28 PM
so which method(s) do we extend for tweaking authentication?

which method(s) in AuthenticationProcessingFilter, UserDetailsService?

is it possible to just tweak the user authentication and still use the existing authorization?

for example, we have
<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="{select query for authentication}"
        authorities-by-username-query="{select query for authorization}"
    />
</authentication-provider>

and while our "authorities-by-username-query" works fine, we need to take some special authentication steps that can't really be taken care of in just one query.

What steps do we need to take in this case?

trevparks
Jul 10th, 2008, 04:00 PM
Is there not a sample app that describes this scenario? I just want to accept username/password/company for my login and see little help and many questions.

RayKrueger
Jul 12th, 2008, 09:59 AM
Luke had linked to the FAQ at http://static.springframework.org/spring-security/site/faq.html#extra-login-fields. This was also after several people had mentioned how to do it. Lots of people have made this work by trying it. I would suggest you give it a shot and see if you can too.

trevparks
Jul 12th, 2008, 02:24 PM
The paragraph that was pointed to was not specific enough to help solve my problem. I'm sure since many people have been successful with this that an example is available. No need to reinvent the wheel, right?

jybosse
Jul 18th, 2008, 05:29 AM
Yeah, the first sentence of the answer to "I need to login in with more information than just the username. How do I add support for extra login fields (e.g. a company name)?" is:
This question comes up repeatedly in the Spring Security forum so you will find more information there.

And when you ask here, the answer is: "yeah, you can do it" and that's it...

Luke Taylor
Jul 18th, 2008, 07:13 AM
The intention is that you should search the archive for an answer, since the question has been answered before, not that you should ask it again. People have answered this question before so you are wrong to say that the answer is just "yeah, you can do it". For example, a few seconds with Google comes up with

http://forum.springframework.org/archive/index.php/t-33019.html

So if someone asks exactly the same question, without qualifying it in some way, the implication is that they haven't bothered to do any research. Searching the archives is the first thing you should do before asking a question and is just plain good manners - otherwise you are making demands on other people's time unnecessarily and reducing the percentage of useful/interesting traffic in the forum (which makes it less likely that people capable of providing answers will read it to start with). If you have read the previous threads on the topic and don't understand something then you should phrase your question accordingly and explain in detail what you have done and what you don't understand.

http://www.catb.org/~esr/faqs/smart-questions.html