Skip to content

Generic Authentication Filter in Spring Security used for Authentication

I’m new to Spring Security and would like to learn the authentication process a little bit better

Here’s what I found on the Internet related to the topic if I’m wrong on the process please let me know:

  1. The authentication process begins in the Filter that might be part of a FilterChain. The filter might be of type UsernamePasswordAuthenticationFilter. The HTTP request is intercepted and there’s an attempt to create an Authentication Request (an object of a class that implements the Authentication interface, i.e. UsernamePasswordAuthenticationToken).
  2. The Authentication object gets delegated to the AuthenticationManager.
  3. Based on what has been passed to the AuthenticationManager it delegates it to the appropriate AuthenticationProvider (i.e. DaoAuthenticationProvider) where the REAL authentication takes place.
  4. The AuthenticationProvider sends the fully authenticated Authentication object to the AuthenticationManager.
  5. In the Filter where the AuthenticationManager was invoked, SecurityContextHolder.getContext().setAuthentication(authResult); gets called and the authentication process is finished.

My question is all about concrete implementations of the Filter class and the FilterChain related to authentication.

In our application most authentication filters extend AbstractAuthenticationProcessingFilter and the FilterChain is of class CompositeFilter. What are the de-facto “right” implementations of this interfaces? I apologise in advance for such a silly question but still need to learn this concept.

Answer

The SecurityFilterChain has one implementation, DefaultSecurityFilterChain.

There are too many implementations of Filter for one implementation to be considered most common. The available authentication filters in Spring Security that extend AbstractAuthenticationProcessingFilter are UsernamePasswordAuthenticationFilter, OAuth2LoginAuthenticationFilter, and Saml2WebSsoAuthenticationFilter.

The “right” filter to use depends largely on your use case.