Monday, January 21, 2013

Spring Security In Detail

How does it work?

  1. An AuthenticationManager (default implementation: ProviderManager) is created with a list of AuthenticationProviders (one such provider is AbstractUserDetailsAuthenticationProvider).
  2. An intercept-url is defined for j_spring_security_check with access allowed to everyone, so that unauthenticated users can reach it.
  3. An entry point can be a URL (LoginUrlAuthenticationEntryPoint) or an HTTP response (BasicAuthenticationEntryPoint); it determines what is shown to the user before authenticating.
  4. A login page with form action="../../j_spring_security_check" and input names j_username and j_password is created by Spring (Basic Authentication set) or by the user.
  5. This login page URL can be the entry point, so whenever authorization expires or is required, the user is redirected to that page.
  6. By default, UsernamePasswordAuthenticationFilter responds to the action URL above and looks for the parameter names mentioned above in the HttpRequest.
  7. When the login form is submitted with username and password, the request is filtered by UsernamePasswordAuthenticationFilter.
  8. This filter creates an Authentication (an AuthenticationToken, specifically UsernamePasswordAuthenticationToken) and calls the AuthenticationManager to authenticate it.
  9. The manager passes the token (Authentication) to each of the providers in the order declared.
  10. Each provider checks whether the token is of the type it looks for and, if it matches, performs the authentication (either by calling retrieveUser or by using the cached user).
  11. If authentication succeeds, the provider returns a new Authentication object with all the details passed in, and this is set in the context available from SecurityContextHolder (SecurityContextHolder.getContext().setAuthentication(authResult)).
  12. On failure, it throws an AuthenticationException, which is stored in the session attribute SPRING_SECURITY_LAST_EXCEPTION.
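The flow above, driven by hand as an added example (not code from the original post). It assumes the Spring Security 3.1+ API; the DemoProvider class, the alice/s3cret credentials and the Map used in place of the HttpSession are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class ManualAuthenticationFlow {
    // Step 10: a provider that handles only UsernamePasswordAuthenticationToken (constructed sample user, not a real store).
    static class DemoProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            if (!"alice".equals(auth.getName()) || !"s3cret".equals(auth.getCredentials())) {
                throw new BadCredentialsException("Bad credentials");
            }
            // Step 11: return a NEW token, marked authenticated and carrying authorities; the password is not copied into it.
            return new UsernamePasswordAuthenticationToken(auth.getName(), null,
                    AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    // Steps 7-12 as UsernamePasswordAuthenticationFilter performs them; the Map stands in for the HttpSession.
    static boolean attemptLogin(AuthenticationManager manager, Map<String, Object> session,
                                String username, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = manager.authenticate(request); // step 9: manager hands the token to each provider
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException ex) {
            SecurityContextHolder.clearContext();                  // never leave a stale or half-set context behind
            session.put("SPRING_SECURITY_LAST_EXCEPTION", ex);     // step 12: failure recorded for the login page
            return false;
        }
    }

    public static void main(String[] args) {
        // Step 1: ProviderManager built from the provider list (3.1+ constructor)
        AuthenticationManager manager = new ProviderManager(Arrays.<AuthenticationProvider>asList(new DemoProvider()));
        Map<String, Object> session = new HashMap<String, Object>();
        System.out.println("good password: " + attemptLogin(manager, session, "alice", "s3cret"));
        System.out.println("bad password:  " + attemptLogin(manager, session, "alice", "wrong")
                + ", last exception: " + session.get("SPRING_SECURITY_LAST_EXCEPTION"));
    }
}
```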


