About Spring Security authentication

Overview

It is a memorandum because I investigated around the authentication of Spring Security.

Schematic

Screen Shot 2019-08-14 at 19.52.18.png

SecurityFilterChain is applied to the request. By default, UsernamePasswordAuthenticationFilter is responsible for authentication (applies to specified paths, eg / login). AuthenticationManager is called from Filter and decides whether or not to authenticate. AuthenticationManager has multiple AuthenticationProviders and delegates authentication approval / disapproval processing to each Provider.

AuthenticationFilter It is applied to the URL that performs the authentication process. Performs null check of user input, issues UsernamePasswordAuthenticationToken based on the input information, and delegates authentication permission to Manager.

UsernamePasswordAuthenticationToken It is a data object that has an input value that inherits AbstractAuthenticationToken and a field parameter used for authentication judgment. Each Provider receives this object and determines whether it can be authenticated from the field parameters.

AuthenticationManager The interface org.springframework.security.authentication.AuthenticationManager. Only one method is defined for this interface.

AuthenticationManager.java


Authentication authenticate(Authentication authentication)
			throws AuthenticationException;

The default implementation class is org.springframework.security.authentication.ProviderManager.

ProviderManager has an array of AuthenticationProviders that actually perform judgments such as password matching, and calls the authenticate method of each Provider to perform authentication judgments.

AuthenticationProvider This class actually makes an authentication judgment (eg password match, etc.). As mentioned above, multiple Providers can be registered.

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
	    auth.authenticationProvider(authProvider());
        auth.authenticationProvider(authProvider2());
    }

    public AuthenticationProvider authProvider() {
	    return new AbstractUserDetailsAuthenticationProvider() {

	        @Override
	        protected void additionalAuthenticationChecks(UserDetails userDetails,
		        UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
		      // 
	        }

	        @Override
	        protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
		        throws AuthenticationException {
		        //The process of creating a specific user you want to use to log in
		        return user;
	        }
	    };
    }

It may not be used very often, but if you make the Provider return a user who inherits UserDetails, It can also be like in-memory authentication.

Provider registration can be done simply by adding Bean annotation under the config class that inherits WebSecurityConfigurerAdapter.

    @Bean
    public AuthenticationProvider authProvider() {
	    return new CustomAuthenticationProvider(passwordEncoder, authenticationService);
    }

The user information to the DB is acquired in the retrieveUser method of the provider, and the password match is confirmed to determine whether authentication is possible.

That's easy, but it's a summary. Looking at the internal implementation, it is interesting because there are timing attack countermeasures against password hashes.

You can refer to this article for a summary of Spring Security as a whole. Spring Security usage memo basic / mechanism

Recommended Posts

About Spring Security authentication
About Spring ③
Spring Security usage memo Authentication / authorization
Implemented authentication function with Spring Security ②
Implemented authentication function with Spring Security ③
Spring Boot Tutorial Using Spring Security Authentication
Implemented authentication function with Spring Security ①
Learn Spring Security authentication processing architecture
Authentication / authorization with Spring Security & Thymeleaf
About Spring AOP
About spring AOP
DB authentication with Spring Security & hashing with BCrypt
Achieve BASIC authentication with Spring Boot + Spring Security
About DI of Spring ①
Try LDAP authentication with Spring Security (Spring Boot) + OpenLDAP
About Spring AOP Pointcut
About DI of Spring ②
Spring Security causes 403 forbidden
Add your own authentication items with Spring Security
[Introduction to Spring Boot] Authentication function with Spring Security
Create API key authentication for Web API in Spring Security
[Personal memo] About Spring framework
Spring Security usage memo CSRF
About Spring Framework context error
Spring Security usage memo Run-As
About errors during SNS authentication
Spring Security Usage memo Method security
Spring Security usage memo Remember-Me
Login function with Spring Security
[Spring Security] Spring Security on GAE (SE)
Try using Spring Boot Security
Spring Security usage memo CORS
Spring Security usage memo test
About Spring DI related annotations
Use Basic Authentication with Spring Boot
I get a 404 error when testing forms authentication with Spring Security
Spring Security usage memo response header
About signature authentication with java 1st
About binding of Spring AOP Annotation
Oauth2 authentication with Spring Cloud Gateway
Spring Security usage memo session management
About =
Spring Security usage memo Basic / mechanism
About error when implementing spring validation
My own Authentication Provider is called twice by spring security and authentication fails
Introducing Basic Authentication on Heroku [Spring Framework]
Spring Security Usage Memo Domain Object Security (ACL)
About Spring Dependency Injection using Java, Kotlin
Try Spring Security AES256 string encryption / decryption
Spring Boot @WebMvcTest test enables Spring Security default security
About the initial display of Spring Framework
Use Spring Security JSP tags with FreeMarker
How Spring Security works with Hello World
Login function implementation by Spring Security (securityConfig)
Implementation sample when Form authentication and Request-Header authentication are used together in Spring Security