I’m new to Spring Security and would like to learn the authentication process a little bit better.
Here’s what I found on the Internet related to the topic; if I’m wrong on the process, please let me know:
- The authentication process begins in the Filter that might be part of a FilterChain. The filter might be of type UsernamePasswordAuthenticationFilter. The HTTP request is intercepted and there’s an attempt to create an Authentication Request (an object of a class that implements the Authentication interface, i.e. UsernamePasswordAuthenticationToken).
- The Authentication object gets delegated to the AuthenticationManager.
- Based on what has been passed to the AuthenticationManager, it delegates it to the appropriate AuthenticationProvider (i.e. DaoAuthenticationProvider) where the REAL authentication takes place.
- The AuthenticationProvider sends the fully authenticated Authentication object to the AuthenticationManager.
- In the Filter where the AuthenticationManager was invoked, SecurityContextHolder.getContext().setAuthentication(authResult); gets called and the authentication process is finished.
My question is all about concrete implementations of the Filter class and the FilterChain related to authentication.
In our application most authentication filters extend AbstractAuthenticationProcessingFilter and the FilterChain is of class CompositeFilter. What are the de-facto “right” implementations of these interfaces? I apologise in advance for such a silly question, but I still need to learn this concept.
Answer
The SecurityFilterChain has one implementation, DefaultSecurityFilterChain.
There are too many implementations of Filter for one implementation to be considered most common. The available authentication filters in Spring Security that extend AbstractAuthenticationProcessingFilter are UsernamePasswordAuthenticationFilter, OAuth2LoginAuthenticationFilter, and Saml2WebSsoAuthenticationFilter.
The “right” filter to use depends largely on your use case.
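The flow listed in the question, as an added example that is not code from the question, the answer or the Spring Security project: a minimal AbstractAuthenticationProcessingFilter subclass registered in a SecurityFilterChain, so the Filter, AuthenticationManager, AuthenticationProvider and SecurityContextHolder steps can be seen in one place. It assumes Spring Security 6 on Spring Boot (jakarta.servlet, AuthenticationConfiguration); the class names, the /api/login URL and the username/password parameter names are assumptions.

```java
import java.io.IOException;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Step 1: a processing filter that handles only requests to /api/login (assumed URL).
class ApiLoginFilter extends AbstractAuthenticationProcessingFilter {
    ApiLoginFilter(AuthenticationManager authenticationManager) {
        super("/api/login", authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            throw new BadCredentialsException("username and password parameters are required");
        }
        // Steps 2-4: the unauthenticated request is delegated to the AuthenticationManager, which
        // hands it to a matching AuthenticationProvider (e.g. DaoAuthenticationProvider). Step 5: on
        // success the inherited successfulAuthentication() stores the result in the SecurityContextHolder.
        Authentication authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username, password);
        return getAuthenticationManager().authenticate(authRequest);
    }
}

@Configuration
class ApiSecurityConfig {
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http, AuthenticationConfiguration config) throws Exception {
        // getAuthenticationManager() yields the ProviderManager built from the registered providers.
        ApiLoginFilter loginFilter = new ApiLoginFilter(config.getAuthenticationManager());
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .addFilterBefore(loginFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build(); // a DefaultSecurityFilterChain, run by FilterChainProxy
    }
}
```

An AuthenticationException thrown from attemptAuthentication, or by the provider, is caught by the base class's doFilter, which clears the security context and calls unsuccessfulAuthentication, so nothing partially authenticated ever reaches the SecurityContextHolder.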