diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/core-filters.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/core-filters.adoc index abffcd042a..f7dd94d985 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/core-filters.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/core-filters.adoc @@ -3,14 +3,6 @@ There are some key filters which will always be used in a web application which uses Spring Security, so we'll look at these and their supporting classes and interfaces first. We won't cover every feature, so be sure to look at the Javadoc for them if you want to get the complete picture. -[[auth-entry-point]] -=== AuthenticationEntryPoint -The `AuthenticationEntryPoint` will be called if the user requests a secure HTTP resource but they are not authenticated. -An appropriate `AuthenticationException` or `AccessDeniedException` will be thrown by a security interceptor further down the call stack, triggering the `commence` method on the entry point. -This does the job of presenting the appropriate response to the user so that authentication can begin. -The one we've used here is `LoginUrlAuthenticationEntryPoint`, which redirects the request to a different URL (typically a login page). -The actual implementation used will depend on the authentication mechanism you want to be used in your application. - [[access-denied-handler]] === AccessDeniedHandler diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-entry-point.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-entry-point.adoc new file mode 100644 index 0000000000..ec848e1c50 --- /dev/null +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-entry-point.adoc 
@@ -0,0 +1,20 @@ +[[servlet-authentication-authenticationentrypoint]] += Request Credentials with `AuthenticationEntryPoint` + +{security-api-url}org/springframework/security/web/AuthenticationEntryPoint.html[`AuthenticationEntryPoint`] is used to send an HTTP response that requests credentials from a client. + +Sometimes a client will proactively include credentials such as a username/password to request a resource. +In these cases, Spring Security does not need to provide an HTTP response that requests credentials from the client since they are already included. + +In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access. +In this case, an implementation of `AuthenticationEntryPoint` is used to request credentials from the client. +The `AuthenticationEntryPoint` implementation might perform a redirect to a log in page, respond with an https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate[WWW-Authenticate] header, etc. + +[[servlet-authentication-authenticationentrypoint-example]] +To better understand how `AuthenticationEntryPoint` is used, let's take a look at a concrete example. + +* First, a user makes an unauthenticated request to a resource that is not authorized. +Spring Security's <> indicate that the unauthenticated request is __Denied__. +* Since the request is __Denied__, <> handles the `AccessDeniedException` by first saving the request (so that it can be requested again after successful authentication) and then redirecting to the log in page with the configured `AuthenticationEntryPoint`. +* The browser will then request the log in page. +Something within the application, must <>.
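Review bot: Removing the `[[auth-entry-point]]` anchor in the core-filters.adoc hunk will break any remaining `<<auth-entry-point>>` cross-references elsewhere in the manual, because the replacement section uses the new id `servlet-authentication-authenticationentrypoint`. Search the docs for the old id and update those links, or keep a legacy anchor on the new section. The removed text also told readers that the exception triggers the `commence` method and named `LoginUrlAuthenticationEntryPoint` as the implementation in use. The new page mentions neither, so consider carrying a sentence on each over.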
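Review bot: In the example list at the end of the new authentication-entry-point.adoc, the last bullet reads "Something within the application, must <>.", which has a stray comma after "application". Like the two other `<>` references in the list, it shows no target id or link text in these lines, so confirm that each cross-reference resolves. The first bullet's "a resource that is not authorized" should say that the user is not authorized for the resource, matching the earlier paragraph ("a resource that they are not authorized to access"). The `[[servlet-authentication-authenticationentrypoint-example]]` anchor sits on an untitled paragraph, so a link to it has no default text. Adding a block title would fix that. Nothing in the visible hunks includes this new file from a parent document, so check that it is actually pulled into the manual.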