parent 6b0891b081
commit 052e103aed
|
@ -3,14 +3,6 @@
|
||||||
There are some key filters which will always be used in a web application which uses Spring Security, so we'll look at these and their supporting classes and interfaces first.
|
There are some key filters which will always be used in a web application which uses Spring Security, so we'll look at these and their supporting classes and interfaces first.
|
||||||
We won't cover every feature, so be sure to look at the Javadoc for them if you want to get the complete picture.
|
We won't cover every feature, so be sure to look at the Javadoc for them if you want to get the complete picture.
|
||||||
|
|
||||||
[[auth-entry-point]]
|
|
||||||
=== AuthenticationEntryPoint
|
|
||||||
The `AuthenticationEntryPoint` will be called if the user requests a secure HTTP resource but they are not authenticated.
|
|
||||||
An appropriate `AuthenticationException` or `AccessDeniedException` will be thrown by a security interceptor further down the call stack, triggering the `commence` method on the entry point.
|
|
||||||
This does the job of presenting the appropriate response to the user so that authentication can begin.
|
|
||||||
The one we've used here is `LoginUrlAuthenticationEntryPoint`, which redirects the request to a different URL (typically a login page).
|
|
||||||
The actual implementation used will depend on the authentication mechanism you want to be used in your application.
|
|
||||||
|
|
||||||
|
|
||||||
[[access-denied-handler]]
|
[[access-denied-handler]]
|
||||||
=== AccessDeniedHandler
|
=== AccessDeniedHandler
|
||||||
|
|
|
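Review bot: The `[[auth-entry-point]]` anchor dropped in this hunk, together with the `=== AuthenticationEntryPoint` section, leaves any remaining `<<auth-entry-point>>` cross-reference dangling; search the docs for that id and repoint it at `[[servlet-authentication-authenticationentrypoint]]` in the same commit. The removed paragraph was also the only text here naming the `commence` method and `LoginUrlAuthenticationEntryPoint`, and the replacement page mentions neither, so consider carrying one sentence over that says `commence` is what gets invoked on the entry point.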
@ -0,0 +1,20 @@
|
||||||
|
[[servlet-authentication-authenticationentrypoint]]
|
||||||
|
= Request Credentials with `AuthenticationEntryPoint`
|
||||||
|
|
||||||
|
{security-api-url}org/springframework/security/web/AuthenticationEntryPoint.html[`AuthenticationEntryPoint`] is used to send an HTTP response that requests credentials from a client.
|
||||||
|
|
||||||
|
Sometimes a client will proactively include credentials such as a username/password to request a resource.
|
||||||
|
In these cases, Spring Security does not need to provide an HTTP response that requests credentials from the client since they are already included.
|
||||||
|
|
||||||
|
In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access.
|
||||||
|
In this case, an implementation of `AuthenticationEntryPoint` is used to request credentials from the client.
|
||||||
|
The `AuthenticationEntryPoint` implementation might perform a redirect to a log in page, respond with an https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate[WWW-Authenticate] header, etc.
|
||||||
|
|
||||||
|
[[servlet-authentication-authenticationentrypoint-example]]
|
||||||
|
To better understand how `AuthenticationEntryPoint` is used, let's take a look at a concrete example.
|
||||||
|
|
||||||
|
* First, a user makes an unauthenticated request to a resource that is not authorized.
|
||||||
|
Spring Security's <<servlet-authorization-filtersecurityinterceptor,`FilterSecurityInterceptor`>> indicate that the unauthenticated request is __Denied__.
|
||||||
|
* Since the request is __Denied__, <<servlet-exceptiontranslationfilter,`ExceptionTranslationFilter`>> handles the `AccessDeniedException` by first saving the request (so that it can be requested again after successful authentication) and then redirecting to the log in page with the configured `AuthenticationEntryPoint`.
|
||||||
|
* The browser will then request the log in page.
|
||||||
|
Something within the application, must <<servlet-authentication-form-custom,render the log in page>>.
|
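Review bot: The second bullet says `ExceptionTranslationFilter` handles the `AccessDeniedException` by "redirecting to the log in page with the configured `AuthenticationEntryPoint`", which is true only for a redirecting entry point, while the paragraph above says an implementation may instead respond with a `WWW-Authenticate` header. Say explicitly that the walk-through assumes a login-page redirect, so readers configuring another mechanism do not expect a redirect and a saved request in every case. Smaller points in the same list: "`FilterSecurityInterceptor` indicate" should be "indicates", the comma in "Something within the application, must" should go, and the first bullet's "a resource that is not authorized" should match the earlier wording "a resource that they are not authorized to access".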