I'm new to Spring Security and would like to learn the authentication process a little bit better.
Here's what I found on the Internet related to the topic. If I'm wrong on the process, please let me know:
- The authentication process begins in the `Filter` that might be part of a `FilterChain`. The filter might be of type `UsernamePasswordAuthenticationFilter`. The HTTP request is intercepted and there's an attempt to create an Authentication Request (an object of a class that implements the `Authentication` interface, i.e. `UsernamePasswordAuthenticationToken`).
- The `Authentication` object gets delegated to the `AuthenticationManager`.
- Based on what has been passed to the `AuthenticationManager`, it delegates it to the appropriate `AuthenticationProvider` (i.e. `DaoAuthenticationProvider`) where the REAL authentication takes place.
- The `AuthenticationProvider` sends the fully authenticated `Authentication` object to the `AuthenticationManager`.
- In the `Filter` where the `AuthenticationManager` was invoked, `SecurityContextHolder.getContext().setAuthentication(authResult);` gets called and the authentication process is finished.
My question is all about concrete implementations of the `Filter` class and the `FilterChain` related to authentication.
In our application most authentication filters extend `AbstractAuthenticationProcessingFilter` and the `FilterChain` is of class `CompositeFilter`. What are the de-facto "right" implementations of these interfaces? I apologise in advance for such a silly question, but I still need to learn this concept.
CodePudding user response:
The `SecurityFilterChain` has one implementation, `DefaultSecurityFilterChain`.
There are too many implementations of `Filter` for one implementation to be considered most common. The available authentication filters in Spring Security that extend `AbstractAuthenticationProcessingFilter` are `UsernamePasswordAuthenticationFilter`, `OAuth2LoginAuthenticationFilter`, and `Saml2WebSsoAuthenticationFilter`.
The "right" filter to use depends largely on your use case.
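As an added illustration of the five steps listed in the question, built on the `AbstractAuthenticationProcessingFilter` base class the answer names (example code written for this page, not code from the original post, the answer, or Spring Security itself): the `HeaderLoginFilter` class, the `/api/login` path and the `X-Username`/`X-Password` headers are hypothetical, and the example assumes Spring Security 6 (`jakarta.servlet` packages and the `UsernamePasswordAuthenticationToken.unauthenticated` factory).

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

// Hypothetical filter (constructed for this example): authenticates a request to
// /api/login that carries X-Username and X-Password headers.
public class HeaderLoginFilter extends AbstractAuthenticationProcessingFilter {
    public HeaderLoginFilter(AuthenticationManager authenticationManager) {
        super("/api/login", authenticationManager); // step 1: only this URL triggers the filter
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String username = request.getHeader("X-Username");
        String password = request.getHeader("X-Password");
        if (username == null || password == null) {
            throw new AuthenticationServiceException("Missing credential headers");
        }
        // Step 1 (cont.): the *unauthenticated* authentication request object.
        UsernamePasswordAuthenticationToken authRequest =
                UsernamePasswordAuthenticationToken.unauthenticated(username, password);
        // Steps 2-4: the AuthenticationManager (usually ProviderManager) hands the token to a
        // matching provider such as DaoAuthenticationProvider, which returns a fully authenticated
        // token or throws an AuthenticationException (the base class then calls unsuccessfulAuthentication).
        return getAuthenticationManager().authenticate(authRequest);
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication authResult)
            throws IOException, ServletException {
        // Step 5: publish the result via SecurityContextHolder. The base class does this itself
        // (plus session saving and the success handler); it is spelled out here to make the step visible.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authResult);
        SecurityContextHolder.setContext(context);
        super.successfulAuthentication(request, response, chain, authResult);
    }
}
```

Registering it with `http.addFilterBefore(new HeaderLoginFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)` places it in the `DefaultSecurityFilterChain`, where the base class's `doFilter` calls `attemptAuthentication` and, on success, `successfulAuthentication`.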