How it works?
- AuthenticationManager(default impl - ProviderManager) is created with list of AuthenticationProviders (one such - AbstractUserDetailsAuthenticationProvider).
- An interceptor url is defined for j_spring_security_check with access true.
- An entry point can be URL (LoginUrlAuthenticationEntryPoint) or HttpResponse (BasicAuthenticationEntryPoint) which determines what needs to be shown to the user before authenticating.
- A login page with form action=”../../j_spring_security_check” and names j_username & j_password is created by Spring (Basic Authentication set) or by user.
- And this login page url can be the entry point, so when anytime authorization expires or required, then it will redirect to that page.
- By default, UsernamePasswordAuthenticationFilter responds to above action URL and it looks for the names mentioned above in the HttpRequest.
- When the login form is submitted with username & password, it gets filtered by UsernamePasswordAuthenticationFilter.
- This filter creates an Authentication (AuthenticationToken-UsernamePasswordAuthenticationToken) and calls the AuthenticationManager for authentication.
- Manager passes token (Authentication) to each of the providers in order declared.
- Each of the provider checks the type of token its looking for and if it matches, then just do the authentication (either uses retireveuser or just use cacheduser).
- If its authenticated successfully it returns a new Authentication object with all the details passed in and its set to the context available in SecurityContextHolder (SecurityContextHolder.getContext().setAuthentication(authResult)).
- On its failure, it just throws an AuthenticationException and that is set in the session attribute (SPRING_SECURITY_LAST_EXCEPTION).
Useful References