
add cache-ref to authentication-provider, add allow-empty-authorities to java-user-service #7


Closed
wants to merge 1 commit into from


xuhuisheng

  • add cache-ref to <authentication-provider>

At this time, we could use the cache-ref attribute in user-detail-service. It seems to create a new instance of CacheUserDetailsService to cache the UserDetails, but if you only set userCache of JdbcDaoImpl, it will cause an Exception. Because JdbcDaoImpl will evict the password, if the same user logs out and tries to log in again, it will say that the credential is not correct, and then the user cannot log in to the system since the cache expired.

So the cache-ref of user-detail-service is confusing: although it will be set on DaoAuthenticationProvider, creating a CacheUserDetailsService is such a waste. So I wish there would be a cache-ref for authentication-provider to do the same thing, which would be more meaningful.

  • add allow-empty-authorities to <jdbc-user-service>

If the logged-in user has no authorities, it will always throw a UserNotFoundException. I wish there could be an attribute to control whether we should throw an exception, so add allow-empty-authorities to do such a thing.

Please review it. Thank you very much.
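The cached-credential failure described in this post, as an added example that is not part of the pull request or of Spring Security's own code. It assumes the password is cleared by calling `User.eraseCredentials()` on the authenticated principal after a successful login; the map-based cache, the sample account and the plain string comparison (standing in for a password encoder) are constructed for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class CachedUserErasureDemo {
    // Hypothetical by-reference cache standing in for a UserCache implementation.
    static final Map<String, UserDetails> CACHE = new ConcurrentHashMap<>();

    // Constructed sample account; a real service would query the database.
    static UserDetails loadFromStore(String username) {
        return new User(username, "s3cret-hash",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    // Hands out the cached object itself, so erasing it also erases the cache entry.
    static UserDetails lookupShared(String username) {
        return CACHE.computeIfAbsent(username, CachedUserErasureDemo::loadFromStore);
    }

    // Hands out a copy, so erasing the authenticated principal leaves the cache intact.
    static UserDetails lookupCopy(String username) {
        UserDetails cached = lookupShared(username);
        return new User(cached.getUsername(), cached.getPassword(),
                cached.getAuthorities());
    }

    // Simplified login: compare the presented value, then erase on success
    // (assumption: this mirrors what happens to the principal after authentication).
    static boolean login(UserDetails user, String presented) {
        boolean ok = presented.equals(user.getPassword());
        if (ok) {
            ((User) user).eraseCredentials();
        }
        return ok;
    }

    public static void main(String[] args) {
        // Shared reference: the second attempt reads the object erased by the first.
        System.out.println("shared #1: " + login(lookupShared("alice"), "s3cret-hash"));
        System.out.println("shared #2: " + login(lookupShared("alice"), "s3cret-hash"));
        CACHE.clear();
        // Copy on read: each attempt erases only its own copy.
        System.out.println("copy   #1: " + login(lookupCopy("alice"), "s3cret-hash"));
        System.out.println("copy   #2: " + login(lookupCopy("alice"), "s3cret-hash"));
    }
}
```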

add allow-empty-authorities to <jdbc-user-service>
@xuhuisheng
Author

Related JIRA issue is SEC-1962.
I have signed and agree to the terms of the SpringSource Individual Contributor License Agreement.

@rwinch
Member

rwinch commented Jul 26, 2012

Closing per comments on the JIRA at https://jira.springsource.org/browse/SEC-1962

@rwinch rwinch closed this Jul 26, 2012
@xuhuisheng
Author

Hi Rob, thank you for your advice on the contribution.

Although I can use your suggestion to avoid the empty authorities check, it will cause users to have a meaningless authority. I have to check twice in my code to decide which users have authorities and which users have no authorities and should then be given a special authority, e.g. 'ROLE_NOTHING'; that is not pretty.
So if you don't mind, I will create another issue for allow-empty-authorities and do another pull request.

Waiting for your reply.

2 participants