This is a memo from looking into how authentication works in Spring Security.
The SecurityFilterChain is applied to each request. By default, UsernamePasswordAuthenticationFilter handles authentication (it applies only to the configured login path, e.g. /login). The filter calls the AuthenticationManager, which decides whether the request is authenticated. The AuthenticationManager holds multiple AuthenticationProviders and delegates the actual accept/reject decision to each Provider.
AuthenticationFilter
Applied to the URL that performs the authentication process. It null-checks the user input, issues a UsernamePasswordAuthenticationToken built from that input, and delegates the authentication decision to the Manager.
UsernamePasswordAuthenticationToken
A data object that inherits AbstractAuthenticationToken and holds the input values together with the field parameters used for the authentication decision. Each Provider receives this object and decides from its fields whether the request can be authenticated.
AuthenticationManager
The interface org.springframework.security.authentication.AuthenticationManager. It defines only one method.
AuthenticationManager.java
    Authentication authenticate(Authentication authentication)
            throws AuthenticationException;
The default implementation class is org.springframework.security.authentication.ProviderManager.
ProviderManager holds multiple AuthenticationProviders that perform the actual checks such as password matching, and calls each Provider's authenticate method to make the authentication decision.
AuthenticationProvider
This is the class that actually makes the authentication decision (e.g. password matching). As mentioned above, multiple Providers can be registered.
    // (inside the config class that extends WebSecurityConfigurerAdapter)
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider());
        auth.authenticationProvider(authProvider2()); // a second Provider, defined the same way (not shown here)
    }

    public AuthenticationProvider authProvider() {
        return new AbstractUserDetailsAuthenticationProvider() {
            @Override
            protected void additionalAuthenticationChecks(UserDetails userDetails,
                    UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
                // Password verification goes here. Left empty as in the original memo; note that an
                // empty body means any password is accepted for a user that retrieveUser returns.
            }

            @Override
            protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
                    throws AuthenticationException {
                // The process of creating the specific user you want to log in as goes here
                // (placeholder: a fixed UserDetails built from the given username).
                UserDetails user = User.withUsername(username).password("").roles("USER").build();
                return user;
            }
        };
    }
It is probably not used very often, but if the Provider returns a user object that implements UserDetails, it can also behave like in-memory authentication.
A Provider is registered simply by adding the @Bean annotation to a method in the config class that extends WebSecurityConfigurerAdapter.
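The ProviderManager delegation described above, as an added example that is not code from the original memo: it wires two DaoAuthenticationProviders, each backed by an InMemoryUserDetailsManager, into a ProviderManager and shows how the manager walks the Providers in order, moves on to the next Provider after a BadCredentialsException, but stops immediately on an account-status failure such as LockedException. The user names, passwords and role names are constructed sample data, and the helper method names are mine; the code uses the Spring Security 5 setter API of DaoAuthenticationProvider, which still compiles (with deprecation warnings) on 6.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderManagerDemo {

    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Builds one Provider backed by an in-memory user store (assumed helper, not Spring API).
    static AuthenticationProvider inMemoryProvider(UserDetails... users) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(users));
        provider.setPasswordEncoder(ENCODER);
        return provider;
    }

    static AuthenticationManager buildManager() {
        // Constructed sample users; the hashes are computed at startup, nothing is hard-coded.
        AuthenticationProvider staffProvider = inMemoryProvider(
                User.withUsername("alice").password(ENCODER.encode("alice-pw")).roles("STAFF").build(),
                User.withUsername("carol").password(ENCODER.encode("carol-pw")).roles("STAFF")
                        .accountLocked(true).build());
        AuthenticationProvider customerProvider = inMemoryProvider(
                User.withUsername("bob").password(ENCODER.encode("bob-pw")).roles("CUSTOMER").build());
        // ProviderManager consults the Providers in list order.
        return new ProviderManager(List.of(staffProvider, customerProvider));
    }

    // Mirrors what the filter does: hand an unauthenticated token to the manager.
    static String attempt(AuthenticationManager manager, String username, String password) {
        try {
            Authentication result = manager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // ProviderManager erases the credentials on the returned token by default,
            // so only the principal and its authorities remain on the result.
            return "OK " + result.getName() + " " + result.getAuthorities();
        } catch (AuthenticationException ex) {
            return "FAIL " + ex.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        // alice: the first Provider succeeds, the second is never asked.
        System.out.println(attempt(manager, "alice", "alice-pw"));
        // bob: the first Provider does not know him (UsernameNotFoundException is hidden as
        // BadCredentialsException), so the manager moves on and the second Provider succeeds.
        System.out.println(attempt(manager, "bob", "bob-pw"));
        // bob with a wrong password: both Providers reject, the last exception is rethrown.
        System.out.println(attempt(manager, "bob", "wrong"));
        // carol is locked: the first Provider throws LockedException (an AccountStatusException),
        // which ProviderManager rethrows at once without consulting the second Provider.
        System.out.println(attempt(manager, "carol", "carol-pw"));
    }
}
```

The ordering matters from a defender's point of view: a status failure such as a locked account short-circuits the chain, while a plain credential failure lets every Provider have its turn, so a user present in a later store can still log in even though an earlier Provider rejected the name.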
    @Bean
    public AuthenticationProvider authProvider() {
        // passwordEncoder and authenticationService are fields of the config class, injected elsewhere
        return new CustomAuthenticationProvider(passwordEncoder, authenticationService);
    }
The Provider's retrieveUser method fetches the user's information from the DB, and the password match is then checked to decide whether authentication succeeds.
That is the summary in short. The internal implementation is also worth reading: it contains countermeasures against timing attacks on password hash comparison.
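A fuller version of the custom Provider outlined above, as an added example and not the memo's own CustomAuthenticationProvider: it looks the user up through a hypothetical AuthenticationService that returns the stored password hash (standing in for the DB access), verifies the presented password with a PasswordEncoder in additionalAuthenticationChecks, and, when the username does not exist, still performs one hash comparison against a dummy hash so that the unknown-user and wrong-password paths take about the same time. That is the same timing-attack countermeasure DaoAuthenticationProvider applies; the base class additionally rewrites UsernameNotFoundException into BadCredentialsException (hideUserNotFoundExceptions defaults to true) so the error message does not reveal which check failed. The interface, its method name, and the user names and passwords are assumptions and constructed data.

```java
import java.util.Map;
import java.util.Optional;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Stand-in for the memo's authenticationService (assumed interface): returns the stored
// password hash for a username, or empty when there is no such user.
interface AuthenticationService {
    Optional<String> findPasswordHash(String username);
}

public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

    private final PasswordEncoder passwordEncoder;
    private final AuthenticationService authenticationService;
    // Real hash of a throwaway value; compared against when the user does not exist so the
    // failing path still pays for one hash check (the idea DaoAuthenticationProvider uses).
    private final String userNotFoundHash;

    public CustomAuthenticationProvider(PasswordEncoder passwordEncoder,
            AuthenticationService authenticationService) {
        this.passwordEncoder = passwordEncoder;
        this.authenticationService = authenticationService;
        this.userNotFoundHash = passwordEncoder.encode("userNotFoundPassword");
    }

    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        Optional<String> hash = authenticationService.findPasswordHash(username);
        if (!hash.isPresent()) {
            // Run the encoder anyway so "unknown user" and "wrong password" take similar time.
            Object presented = authentication.getCredentials();
            passwordEncoder.matches(presented == null ? "" : presented.toString(), userNotFoundHash);
            // The base class converts this into BadCredentialsException before it reaches the caller.
            throw new UsernameNotFoundException("user not found");
        }
        // Build the UserDetails from the stored row; the role is a constructed value.
        return User.withUsername(username).password(hash.get()).roles("USER").build();
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            throw new BadCredentialsException("no credentials presented");
        }
        String presented = authentication.getCredentials().toString();
        // PasswordEncoder.matches does the hash comparison; never compare raw strings here.
        if (!passwordEncoder.matches(presented, userDetails.getPassword())) {
            throw new BadCredentialsException("bad credentials");
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed in-memory "DB" for the demo: username -> bcrypt hash.
        Map<String, String> table = Map.of("alice", encoder.encode("alice-pw"));
        AuthenticationService service = username -> Optional.ofNullable(table.get(username));
        CustomAuthenticationProvider provider = new CustomAuthenticationProvider(encoder, service);

        Authentication ok = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "alice-pw"));
        System.out.println(ok.isAuthenticated() + " " + ok.getAuthorities());

        try {
            // Unknown user: surfaces as BadCredentialsException, not UsernameNotFoundException.
            provider.authenticate(new UsernamePasswordAuthenticationToken("mallory", "anything"));
        } catch (AuthenticationException ex) {
            System.out.println(ex.getClass().getSimpleName());
        }
    }
}
```

Two details a practitioner should keep: the dummy comparison must use the same encoder (and therefore the same cost) as the real one, otherwise the timing difference returns; and the Provider must throw UsernameNotFoundException rather than BadCredentialsException itself so the base class's hiding logic, and any caching it does, keeps working.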
For an overview of Spring Security as a whole, see this article: Spring Security usage memo basic / mechanism