In this Post of How Authentication Works In Spring Security , we will cover Authentication Flow in Spring Security . This is going to be a long article as we will be discussing Spring Security Authentication Full Flow .
Spring Security provides comprehensive security services for J2EE-based enterprise software applications. People use Spring Security for many reasons, but most are drawn to the project after finding the security features of J2EE’s Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios.
Spring Security Works on Three Core Principles or Steps :-
- Authentication
- Authorization
- Exception handling
We Will See How Spring Initiates and Starts the Whole Authentication Process , but lets discuss Spring Authentication Flow , then we Will deep dive in upcoming Posts.
How Authentication Works In Spring Security :-
So Spring Security basically is a chain of Servlet filters written for various purposes. Each of those filters are meant to do some specific task .
So there are different authentication mechanisms provided in Spring such as Http Basic , Form based login , Ouath1 etc . All these mechanisms are handled by Specific Filters Which extends AbstractAuthenticationProcessingFilter . So all requests are handle by this Filter and in the Whole Post we will name it as Authentication Filter. Have a look at different Filters and its Use cases .
How HTTPBasic Authentication Works In Spring Security :-
Once a Servlet request for HttpBasic Authentication reaches Spring Security , Authentication Filter Picks it up and tries to decode Http Basic Headers . It then checks if Authentication is required or not . If authentication is required It Creates an instance of UserNamepasswordAuthenticationToken with username and token and sets isAuthenticated(false)
. This token is then passed to AuthenticationManager as shown in diagram below .
How AuthenticationManager authenticates that token we will see in a while .Now the Authenticated value in this step is Still False till UserNamePassWordAuthenticationToken is passed to AuthenticationManager . So Once AuthenticationManager Processes the Request with that Token Object , the status of Authentication value is Changed to true in case of Successful authentication as shown below else AuthenticationException is thrown.