Monday, August 24, 2009

Core Services

AuthenticationManager is the interface.


Its default implementation in Spring Security is ProviderManager.

ProviderManager delegates the authentication requests to a list of configured AuthenticationProviders.


Chaining providers to AuthenticationManager.

<bean class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
</bean>

This declaration marks the bean as an authentication provider with the default AuthenticationManager provided by Spring Security.

Spring Security

OK, I am working on Spring Security.

I am writing this article as I am reading the documentation. This will help me to remember the stuff and might be useful to others who are also trying to start working with it.



Core Components:

The most fundamental object is SecurityContextHolder. The security context for an application is accessed from here, including the details of the principal currently using the application. The security context is always available to methods in the same thread of execution, so it does not need to be passed around explicitly.

To access the details of the principal from the current security context, access the Authentication object.



UserDetails is an interface that represents the principal and acts as an adapter between the application's user database and the SecurityContextHolder. The UserDetails object is obtained from the Authentication object.

The authentication providers that ship with Spring Security delegate to a UserDetailsService as part of the authentication process.

The UserDetailsService is used to build the Authentication object that is stored in the security context.
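
The adapter role of UserDetails and UserDetailsService, shown as an added example (this is not code from the original post or from Spring Security itself). It assumes the Spring Security 3.0 API: a hypothetical MapUserDetailsService backed by a constructed in-memory map is plugged into the DaoAuthenticationProvider that ships with the framework, and the three outcomes a practitioner should know are exercised: a good login whose Authentication carries the loaded UserDetails and authorities, a disabled account that is rejected before the password is compared, and an unknown user whose UsernameNotFoundException the provider hides behind BadCredentialsException so that valid usernames cannot be enumerated from the error message.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Adapter between an application's own user store (here a constructed in-memory map)
 * and the UserDetails that Spring Security needs. Hypothetical class, not part of
 * Spring Security; assumes the Spring Security 3.0 API.
 */
public class MapUserDetailsService implements UserDetailsService {

    /** Constructed sample record; a real store would be a table row or directory entry. */
    private static class Account {
        final String password;
        final boolean enabled;
        final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

        Account(String password, boolean enabled, String... roles) {
            this.password = password;
            this.enabled = enabled;
            for (String role : roles) {
                authorities.add(new GrantedAuthorityImpl(role));
            }
        }
    }

    private final Map<String, Account> accounts = new HashMap<String, Account>();

    public MapUserDetailsService() {
        // Constructed sample data; plaintext passwords only to keep the example short.
        accounts.put("alice", new Account("alice-pw", true, "ROLE_USER", "ROLE_HR_SUPERVISOR"));
        accounts.put("mallory", new Account("mallory-pw", false, "ROLE_USER")); // disabled
    }

    /** Translates one store record into a UserDetails; unknown names must throw. */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.get(username);
        if (account == null) {
            throw new UsernameNotFoundException("No account: " + username);
        }
        // username, password, enabled, accountNonExpired, credentialsNonExpired,
        // accountNonLocked, authorities
        return new User(username, account.password, account.enabled, true, true, true,
                account.authorities);
    }

    public static void main(String[] args) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new MapUserDetailsService());
        // The 3.0 default PasswordEncoder is plaintext; production code configures a
        // salted hash encoder here.

        // 1. Good credentials: the returned Authentication has the UserDetails as its
        //    principal and the authorities that were loaded from the store.
        Authentication ok = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "alice-pw"));
        UserDetails principal = (UserDetails) ok.getPrincipal();
        System.out.println(principal.getUsername() + " authenticated=" + ok.isAuthenticated()
                + " authorities=" + ok.getAuthorities());

        // 2. Disabled account: rejected by the provider's pre-authentication checks,
        //    before the password is compared at all.
        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("mallory", "mallory-pw"));
        } catch (DisabledException e) {
            System.out.println("mallory rejected: " + e.getMessage());
        }

        // 3. Unknown user: the UsernameNotFoundException thrown by the service is turned
        //    into BadCredentialsException (hideUserNotFoundExceptions defaults to true),
        //    so a caller cannot distinguish "no such user" from "wrong password".
        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("nobody", "x"));
        } catch (BadCredentialsException e) {
            System.out.println("nobody rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with spring-security-core 3.0 and its Spring Framework dependencies on the classpath. The point to take from the second and third cases is that the provider, not the UserDetailsService, enforces account status and decides how much to reveal on failure; the service only has to translate a record faithfully and throw for names it does not know.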



Authentication Process

Let's consider a standard authentication scenario that everyone is familiar with.

  1. A user is prompted to log in with a username and password.
  2. The system (successfully) verifies that the password is correct for the username.
  3. The context information for that user is obtained (their list of roles and so on).
  4. A security context is established for the user.
  5. The user proceeds, potentially to perform some operation which is potentially protected by an access control mechanism which checks the required permissions for the operation against the current security context information.

The first three items constitute the authentication process so we'll take a look at how these take place within Spring Security.

  1. The username and password are obtained and combined into an instance of UsernamePasswordAuthenticationToken (an instance of the Authentication interface, which we saw earlier).
  2. The token is passed to an instance of AuthenticationManager for validation.
  3. The AuthenticationManager returns a fully populated Authentication instance on successful authentication.
  4. The security context is established by calling SecurityContextHolder.getContext().setAuthentication(...), passing in the returned authentication object.



AuthenticationManager is an interface. Its default implementation in Spring Security is ProviderManager. This implementation delegates the authentication process to a list of AuthenticationProviders. Each provider checks the authentication request and either throws an exception or creates a fully populated Authentication object.

The AuthenticationProviders ask the UserDetailsService to provide the UserDetails object, which is then used to populate the Authentication object.



GrantedAuthority is another element provided by the Authentication object. A GrantedAuthority is an authority granted to the principal; such authorities are usually "roles", such as ROLE_ADMINISTRATOR or ROLE_HR_SUPERVISOR. These roles are later used to configure web authorization, method authorization and domain object authorization.
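
The four steps above, the provider chaining described under "Core Services", and a GrantedAuthority check against the established context, as one added example (not code from the original post or from Spring Security). It assumes the Spring Security 3.0 API, in which ProviderManager is configured through setProviders; ServiceAccountProvider, StaffProvider, buildManager and hasRole are hypothetical names, and the usernames and passwords are constructed sample data. ProviderManager consults its providers in order: a provider that returns null declines the request and the next provider is tried, while a thrown AuthenticationException is remembered and rethrown only if no later provider succeeds.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical demo class (not part of Spring Security); assumes the 3.0 API. */
public class ProviderChainDemo {

    /** Builds an authenticated token carrying the given role names. */
    static Authentication authenticated(String username, String... roles) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        // Three-argument constructor => isAuthenticated() is true; credentials are dropped.
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    /** Hypothetical provider for service accounts; declines everything it does not know. */
    static class ServiceAccountProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication a) throws AuthenticationException {
            if ("batch".equals(a.getName()) && "batch-secret".equals(a.getCredentials())) {
                return authenticated("batch", "ROLE_BATCH");
            }
            return null; // null means "not mine": ProviderManager moves to the next provider
        }

        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    /** Hypothetical provider for interactive users; a wrong password is a hard failure. */
    static class StaffProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication a) throws AuthenticationException {
            if ("alice".equals(a.getName()) && "alice-pw".equals(a.getCredentials())) {
                return authenticated("alice", "ROLE_USER", "ROLE_HR_SUPERVISOR");
            }
            throw new BadCredentialsException("Bad credentials");
        }

        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    /** The chained AuthenticationManager that the bean configuration would assemble. */
    static AuthenticationManager buildManager() {
        ProviderManager manager = new ProviderManager();
        manager.setProviders(Arrays.<AuthenticationProvider>asList(
                new ServiceAccountProvider(), new StaffProvider()));
        return manager;
    }

    /** Reads the thread-local context; false when no authenticated principal is present. */
    static boolean hasRole(String role) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority granted : current.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();

        // Steps 1 to 4: build the token, have the manager validate it, store the result.
        Authentication request = new UsernamePasswordAuthenticationToken("batch", "batch-secret");
        Authentication result = manager.authenticate(request); // handled by the first provider
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println("ROLE_BATCH? " + hasRole("ROLE_BATCH")); // true
        System.out.println("ROLE_USER?  " + hasRole("ROLE_USER"));  // false

        // First provider declines (null), second provider authenticates.
        result = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "alice-pw"));
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println("HR supervisor? " + hasRole("ROLE_HR_SUPERVISOR")); // true

        // First provider declines, second throws: the exception propagates and the
        // context is left untouched because setAuthentication is never reached.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The context is thread-local: clear it when the request ends so a pooled thread
        // does not carry this principal into the next request it serves.
        SecurityContextHolder.clearContext();
        System.out.println("after clear, ROLE_USER? " + hasRole("ROLE_USER")); // false
    }
}
```

In a web application the last step is done for you by the framework's filter chain, which clears the SecurityContextHolder at the end of each request; the explicit clearContext() call is what standalone code such as a batch job or a test must remember to do itself.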