diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc index e45379856d..e1f08f69e0 100644 --- a/docs/modules/ROOT/nav.adoc +++ b/docs/modules/ROOT/nav.adoc 
@@ -17,19 +17,19 @@ ** xref:servlet/architecture.adoc[The Big Picture] ** Authentication *** xref:servlet/authentication/architecture/index.adoc[Authentication Architecture] -*** xref:servlet/authentication/unpwd/index.adoc[Username/Password] +*** xref:servlet/authentication/passwords/index.adoc[Username/Password] **** Reading Username/Password -***** xref:servlet/authentication/unpwd/form.adoc[Form] -***** xref:servlet/authentication/unpwd/basic.adoc[Basic] -***** xref:servlet/authentication/unpwd/digest.adoc[Digest] +***** xref:servlet/authentication/passwords/form.adoc[Form] +***** xref:servlet/authentication/passwords/basic.adoc[Basic] +***** xref:servlet/authentication/passwords/digest.adoc[Digest] **** Password Storage -***** xref:servlet/authentication/unpwd/in-memory.adoc[In Memory] -***** xref:servlet/authentication/unpwd/jdbc.adoc[JDBC] -***** xref:servlet/authentication/unpwd/user-details.adoc[UserDetails] -***** xref:servlet/authentication/unpwd/user-details-service.adoc[UserDetailsService] -***** xref:servlet/authentication/unpwd/password-encoder.adoc[PasswordEncoder] -***** xref:servlet/authentication/unpwd/dao-authentication-provider.adoc[DaoAuthenticationProvider] -***** xref:servlet/authentication/unpwd/ldap.adoc[LDAP] +***** xref:servlet/authentication/passwords/in-memory.adoc[In Memory] +***** xref:servlet/authentication/passwords/jdbc.adoc[JDBC] +***** xref:servlet/authentication/passwords/user-details.adoc[UserDetails] +***** xref:servlet/authentication/passwords/user-details-service.adoc[UserDetailsService] +***** xref:servlet/authentication/passwords/password-encoder.adoc[PasswordEncoder] +***** xref:servlet/authentication/passwords/dao-authentication-provider.adoc[DaoAuthenticationProvider] +***** xref:servlet/authentication/passwords/ldap.adoc[LDAP] *** xref:servlet/authentication/session-management.adoc[Session Management] *** xref:servlet/authentication/rememberme.adoc[Remember Me] *** xref:servlet/authentication/openid.adoc[OpenID] 
diff --git a/docs/modules/ROOT/pages/servlet/appendix/namespace.adoc b/docs/modules/ROOT/pages/servlet/appendix/namespace.adoc index d6c2dae79f..f143661568 100644 --- a/docs/modules/ROOT/pages/servlet/appendix/namespace.adoc +++ b/docs/modules/ROOT/pages/servlet/appendix/namespace.adoc @@ -2736,7 +2736,7 @@ A method name [[nsa-ldap]] == LDAP Namespace Options -LDAP is covered in some details in xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[its own chapter]. +LDAP is covered in some details in xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[its own chapter]. We will expand on that here with some explanation of how the namespace options map to Spring beans. The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project's API may be useful. @@ -2746,7 +2746,7 @@ The LDAP implementation uses Spring LDAP extensively, so some familiarity with t `` Element This element sets up a Spring LDAP `ContextSource` for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn't allow anonymous access) for connecting to it. It can also be used to create an embedded server for testing. -Details of the syntax for both options are covered in the xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[LDAP chapter]. +Details of the syntax for both options are covered in the xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[LDAP chapter]. The actual `ContextSource` implementation is `DefaultSpringSecurityContextSource` which extends Spring LDAP's `LdapContextSource` class. The `manager-dn` and `manager-password` attributes map to the latter's `userDn` and `password` properties respectively. diff --git a/docs/modules/ROOT/pages/servlet/architecture.adoc b/docs/modules/ROOT/pages/servlet/architecture.adoc index ff38d362a6..4ff33d61e0 100644 
--- a/docs/modules/ROOT/pages/servlet/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/architecture.adoc @@ -179,14 +179,14 @@ Below is a comprehensive list of Spring Security Filter ordering: * CasAuthenticationFilter * OAuth2LoginAuthenticationFilter * Saml2WebSsoAuthenticationFilter -* xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] +* xref:servlet/authentication/passwords/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] * OpenIDAuthenticationFilter * DefaultLoginPageGeneratingFilter * DefaultLogoutPageGeneratingFilter * ConcurrentSessionFilter -* xref:servlet/authentication/unpwd/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`] +* xref:servlet/authentication/passwords/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`] * BearerTokenAuthenticationFilter -* xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`] +* xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`] * RequestCacheAwareFilter * SecurityContextHolderAwareRequestFilter * JaasApiIntegrationFilter diff --git a/docs/modules/ROOT/pages/servlet/architecture/index.adoc b/docs/modules/ROOT/pages/servlet/architecture/index.adoc index 0ddea5d236..8771a8f5be 100644 --- a/docs/modules/ROOT/pages/servlet/architecture/index.adoc +++ b/docs/modules/ROOT/pages/servlet/architecture/index.adoc 
@@ -179,14 +179,14 @@ Below is a comprehensive list of Spring Security Filter ordering: * CasAuthenticationFilter * OAuth2LoginAuthenticationFilter * Saml2WebSsoAuthenticationFilter -* xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] +* xref:servlet/authentication/passwords/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] * OpenIDAuthenticationFilter * DefaultLoginPageGeneratingFilter * DefaultLogoutPageGeneratingFilter * ConcurrentSessionFilter -* xref:servlet/authentication/unpwd/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`] +* xref:servlet/authentication/passwords/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`] * BearerTokenAuthenticationFilter -* xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`] +* xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`] * RequestCacheAwareFilter * SecurityContextHolderAwareRequestFilter * JaasApiIntegrationFilter diff --git a/docs/modules/ROOT/pages/servlet/authentication/architecture/index.adoc b/docs/modules/ROOT/pages/servlet/authentication/architecture/index.adoc index d37897800c..ea61488c57 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/architecture/index.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/architecture/index.adoc @@ -125,7 +125,7 @@ The current `Authentication` can be obtained from the <> are high level permissions the user is granted. 
@@ -141,7 +141,7 @@ A `GrantedAuthority` is, not surprisingly, an authority that is granted to the p Such authorities are usually "roles", such as `ROLE_ADMINISTRATOR` or `ROLE_HR_SUPERVISOR`. These roles are later on configured for web authorization, method authorization and domain object authorization. Other parts of Spring Security are capable of interpreting these authorities, and expect them to be present. -When using username/password based authentication ``GrantedAuthority``s are usually loaded by the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`]. +When using username/password based authentication ``GrantedAuthority``s are usually loaded by the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`]. Usually the `GrantedAuthority` objects are application-wide permissions. They are not specific to a given domain object. @@ -199,7 +199,7 @@ See the {security-api-url}org/springframework/security/authentication/ProviderMa Multiple {security-api-url}org/springframework/security/authentication/AuthenticationProvider.html[``AuthenticationProvider``s] can be injected into <>. Each `AuthenticationProvider` performs a specific type of authentication. -For example, xref:servlet/authentication/unpwd/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] supports username/password based authentication while `JwtAuthenticationProvider` supports authenticating a JWT token. +For example, xref:servlet/authentication/passwords/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] supports username/password based authentication while `JwtAuthenticationProvider` supports authenticating a JWT token. [[servlet-authentication-authenticationentrypoint]] == Request Credentials with `AuthenticationEntryPoint` 
@@ -211,7 +211,7 @@ In these cases, Spring Security does not need to provide an HTTP response that r In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access. In this case, an implementation of `AuthenticationEntryPoint` is used to request credentials from the client. -The `AuthenticationEntryPoint` implementation might perform a xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-form[redirect to a log in page], respond with an xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[WWW-Authenticate] header, etc. +The `AuthenticationEntryPoint` implementation might perform a xref:servlet/authentication/passwords/form.adoc#servlet-authentication-form[redirect to a log in page], respond with an xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[WWW-Authenticate] header, etc. @@ -230,7 +230,7 @@ image::{figures}/abstractauthenticationprocessingfilter.png[] image:{icondir}/number_1.png[] When the user submits their credentials, the `AbstractAuthenticationProcessingFilter` creates an <> from the `HttpServletRequest` to be authenticated. The type of `Authentication` created depends on the subclass of `AbstractAuthenticationProcessingFilter`. -For example, xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] creates a `UsernamePasswordAuthenticationToken` from a __username__ and __password__ that are submitted in the `HttpServletRequest`. +For example, xref:servlet/authentication/passwords/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] creates a `UsernamePasswordAuthenticationToken` from a __username__ and __password__ that are submitted in the `HttpServletRequest`. image:{icondir}/number_2.png[] Next, the <> is passed into the <> to be authenticated. 
diff --git a/docs/modules/ROOT/pages/servlet/authentication/index.adoc b/docs/modules/ROOT/pages/servlet/authentication/index.adoc index bcb81431d1..ceb08df6cb 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/index.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/index.adoc @@ -13,7 +13,7 @@ These sections focus on specific ways you may want to authenticate and point bac // FIXME: brief description -* xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd[Username and Password] - how to authenticate with a username/password +* xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd[Username and Password] - how to authenticate with a username/password * xref:servlet/oauth2/oauth2-login.adoc#oauth2login[OAuth 2.0 Login] - OAuth 2.0 Log In with OpenID Connect and non-standard OAuth 2.0 Login (i.e. GitHub) * xref:servlet/saml2/index.adoc#servlet-saml2[SAML 2.0 Login] - SAML 2.0 Log In * xref:servlet/authentication/cas.adoc#servlet-cas[Central Authentication Server (CAS)] - Central Authentication Server (CAS) Support diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/basic.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc similarity index 97% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/basic.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc index 2040aec005..321f64459b 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/basic.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc 
@@ -34,7 +34,7 @@ The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterc image:{icondir}/number_1.png[] When the user submits their username and password, the `BasicAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` which is a type of xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] by extracting the username and password from the `HttpServletRequest`. image:{icondir}/number_2.png[] Next, the `UsernamePasswordAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated. -The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-storage[user information is stored]. +The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-storage[user information is stored]. image:{icondir}/number_3.png[] If authentication fails, then __Failure__ diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/dao-authentication-provider.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/dao-authentication-provider.adoc similarity index 65% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/dao-authentication-provider.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/dao-authentication-provider.adoc index c25bf6c8e7..2f696514c6 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/dao-authentication-provider.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/dao-authentication-provider.adoc 
@@ -2,21 +2,21 @@ = DaoAuthenticationProvider :figures: servlet/authentication/unpwd -{security-api-url}org/springframework/security/authentication/dao/DaoAuthenticationProvider.html[`DaoAuthenticationProvider`] is an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[`AuthenticationProvider`] implementation that leverages a xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`] and xref:servlet/authentication/unpwd/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to authenticate a username and password. +{security-api-url}org/springframework/security/authentication/dao/DaoAuthenticationProvider.html[`DaoAuthenticationProvider`] is an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[`AuthenticationProvider`] implementation that leverages a xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`] and xref:servlet/authentication/passwords/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to authenticate a username and password. Let's take a look at how `DaoAuthenticationProvider` works within Spring Security. -The figure explains details of how the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] works. +The figure explains details of how the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] works. 
.`DaoAuthenticationProvider` Usage image::{figures}/daoauthenticationprovider.png[] -image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`]. +image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`]. image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `DaoAuthenticationProvider`. image:{icondir}/number_3.png[] `DaoAuthenticationProvider` looks up the `UserDetails` from the `UserDetailsService`. -image:{icondir}/number_4.png[] `DaoAuthenticationProvider` then uses the xref:servlet/authentication/unpwd/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to validate the password on the `UserDetails` returned in the previous step. +image:{icondir}/number_4.png[] `DaoAuthenticationProvider` then uses the xref:servlet/authentication/passwords/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to validate the password on the `UserDetails` returned in the previous step. 
image:{icondir}/number_5.png[] When authentication is successful, the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] that is returned is of type `UsernamePasswordAuthenticationToken` and has a principal that is the `UserDetails` returned by the configured `UserDetailsService`. Ultimately, the returned `UsernamePasswordAuthenticationToken` will be set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[`SecurityContextHolder`] by the authentication `Filter`. diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/digest.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/digest.adoc similarity index 95% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/digest.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/digest.adoc index 92494d71b3..913f175e36 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/digest.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/digest.adoc 
@@ -11,7 +11,7 @@ All of these storage formats are considered insecure. Instead, you should store credentials using a one way adaptive password hash (i.e. bCrypt, PBKDF2, SCrypt, etc) which is not supported by Digest Authentication. ==== -Digest Authentication attempts to solve many of the weaknesses of xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire. +Digest Authentication attempts to solve many of the weaknesses of xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire. Many https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility[browsers support Digest Authentication]. The standard governing HTTP Digest Authentication is defined by https://tools.ietf.org/html/rfc2617[RFC 2617], which updates an earlier version of the Digest Authentication standard prescribed by https://tools.ietf.org/html/rfc2069[RFC 2069]. diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/form.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc similarity index 98% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/form.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc index 2bee66af93..62c8575688 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/form.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc 
@@ -38,7 +38,7 @@ The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterc image:{icondir}/number_1.png[] When the user submits their username and password, the `UsernamePasswordAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` which is a type of xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] by extracting the username and password from the `HttpServletRequest`. image:{icondir}/number_2.png[] Next, the `UsernamePasswordAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated. -The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-storage[user information is stored]. +The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-storage[user information is stored]. image:{icondir}/number_3.png[] If authentication fails, then __Failure__ diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/in-memory.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/in-memory.adoc similarity index 92% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/in-memory.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/in-memory.adoc index 3c74dd95fa..62fb993c0d 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/in-memory.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/in-memory.adoc 
@@ -1,9 +1,9 @@ [[servlet-authentication-inmemory]] = In-Memory Authentication -Spring Security's `InMemoryUserDetailsManager` implements xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is stored in memory. +Spring Security's `InMemoryUserDetailsManager` implements xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is stored in memory. `InMemoryUserDetailsManager` provides management of `UserDetails` by implementing the `UserDetailsManager` interface. -`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication. +`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication. In this sample we use xref:features/authentication/password-storage.adoc#authentication-password-storage-boot-cli[Spring Boot CLI] to encode the password of `password` and get the encoded password of `+{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW+`. diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/index.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/index.adoc new file mode 100644 index 0000000000..49efe3d2da --- /dev/null +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/index.adoc 
@@ -0,0 +1,27 @@ +[[servlet-authentication-unpwd]] += Username/Password Authentication +:figures: images/servlet/authentication/unpwd +:icondir: images/icons + +One of the most common ways to authenticate a user is by validating a username and password. +As such, Spring Security provides comprehensive support for authenticating with a username and password. + +[[servlet-authentication-unpwd-input]] +== Reading the Username & Password + +Spring Security provides the following built in mechanisms for reading a username and password from the `HttpServletRequest`: + +* xref:servlet/authentication/passwords/form.adoc#servlet-authentication-form[Form Login] +* xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic Authentication] +* xref:servlet/authentication/passwords/digest.adoc#servlet-authentication-digest[Digest Authentication] + +[[servlet-authentication-unpwd-storage]] +== Storage Mechanisms + +Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms: + +* Simple Storage with xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[In-Memory Authentication] +* Relational Databases with xref:servlet/authentication/passwords/jdbc.adoc#servlet-authentication-jdbc[JDBC Authentication] +* Custom data stores with xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] +* LDAP storage with xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[LDAP Authentication] + diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/jdbc.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/jdbc.adoc similarity index 94% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/jdbc.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/jdbc.adoc index 3aa43ac7f2..d4462eaaf8 100644 
--- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/jdbc.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/jdbc.adoc @@ -1,9 +1,9 @@ [[servlet-authentication-jdbc]] = JDBC Authentication -Spring Security's `JdbcDaoImpl` implements xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is retrieved using JDBC. +Spring Security's `JdbcDaoImpl` implements xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is retrieved using JDBC. `JdbcUserDetailsManager` extends `JdbcDaoImpl` to provide management of `UserDetails` through the `UserDetailsManager` interface. -`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication. +`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication. In the following sections we will discuss: @@ -171,7 +171,7 @@ UserDetailsManager users(DataSource dataSource) { JdbcUserDetailsManager users = new JdbcUserDetailsManager(dataSource); users.createUser(user); users.createUser(admin); - return users; + return users; } ---- diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/ldap.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/ldap.adoc similarity index 97% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/ldap.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/ldap.adoc index 5df913cf90..aa4ad900ff 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/ldap.adoc 
+++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/ldap.adoc @@ -4,7 +4,7 @@ LDAP is often used by organizations as a central repository for user information and as an authentication service. It can also be used to store the role information for application users. -Spring Security's LDAP based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication. +Spring Security's LDAP based authentication is used by Spring Security when it is configured to xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication. However, despite leveraging a username/password for authentication it does not integrate using `UserDetailsService` because in <> the LDAP server does not return the password so the application cannot perform validation of the password. There are many different scenarios for how an LDAP server may be configured so Spring Security's LDAP provider is fully configurable. 
@@ -258,7 +258,7 @@ fun contextSource(container: UnboundIdContainer): ContextSource { [[servlet-authentication-ldap-authentication]] == Authentication -Spring Security's LDAP support does not use the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] because LDAP bind authentication does not allow clients to read the password or even a hashed version of the password. +Spring Security's LDAP support does not use the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] because LDAP bind authentication does not allow clients to read the password or even a hashed version of the password. This means there is no way a password to be read and then authenticated by Spring Security. For this reason, LDAP support is implemented using the `LdapAuthenticator` interface. diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/password-encoder.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/password-encoder.adoc similarity index 100% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/password-encoder.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/password-encoder.adoc diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/user-details-service.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/user-details-service.adoc similarity index 67% rename from docs/modules/ROOT/pages/servlet/authentication/unpwd/user-details-service.adoc rename to docs/modules/ROOT/pages/servlet/authentication/passwords/user-details-service.adoc index 92a1d3519f..d557c04041 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/user-details-service.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/user-details-service.adoc 
@@ -1,8 +1,8 @@ [[servlet-authentication-userdetailsservice]] = UserDetailsService -{security-api-url}org/springframework/security/core/userdetails/UserDetailsService.html[`UserDetailsService`] is used by xref:servlet/authentication/unpwd/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] for retrieving a username, password, and other attributes for authenticating with a username and password. -Spring Security provides xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[in-memory] and xref:servlet/authentication/unpwd/jdbc.adoc#servlet-authentication-jdbc[JDBC] implementations of `UserDetailsService`. +{security-api-url}org/springframework/security/core/userdetails/UserDetailsService.html[`UserDetailsService`] is used by xref:servlet/authentication/passwords/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] for retrieving a username, password, and other attributes for authenticating with a username and password. +Spring Security provides xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[in-memory] and xref:servlet/authentication/passwords/jdbc.adoc#servlet-authentication-jdbc[JDBC] implementations of `UserDetailsService`. You can define custom authentication by exposing a custom `UserDetailsService` as a bean. For example, the following will customize authentication assuming that `CustomUserDetailsService` implements `UserDetailsService`: diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/user-details.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/user-details.adoc new file mode 100644 index 0000000000..bbdcd1bf8d --- /dev/null +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/user-details.adoc 
@@ -0,0 +1,5 @@ +[[servlet-authentication-userdetails]] += UserDetails + +{security-api-url}org/springframework/security/core/userdetails/UserDetails.html[`UserDetails`] is returned by the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`]. +The xref:servlet/authentication/passwords/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] validates the `UserDetails` and then returns an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] that has a principal that is the `UserDetails` returned by the configured `UserDetailsService`. diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/index.adoc b/docs/modules/ROOT/pages/servlet/authentication/unpwd/index.adoc deleted file mode 100644 index 4dc2f6ca38..0000000000 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/index.adoc +++ /dev/null 
@@ -1,27 +0,0 @@ -[[servlet-authentication-unpwd]] -= Username/Password Authentication -:figures: images/servlet/authentication/unpwd -:icondir: images/icons - -One of the most common ways to authenticate a user is by validating a username and password. -As such, Spring Security provides comprehensive support for authenticating with a username and password. - -[[servlet-authentication-unpwd-input]] -== Reading the Username & Password - -Spring Security provides the following built in mechanisms for reading a username and password from the `HttpServletRequest`: - -* xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-form[Form Login] -* xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[Basic Authentication] -* xref:servlet/authentication/unpwd/digest.adoc#servlet-authentication-digest[Digest Authentication] - -[[servlet-authentication-unpwd-storage]] -== Storage Mechanisms - -Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms: - -* Simple Storage with xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[In-Memory Authentication] -* Relational Databases with xref:servlet/authentication/unpwd/jdbc.adoc#servlet-authentication-jdbc[JDBC Authentication] -* Custom data stores with xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] -* LDAP storage with xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[LDAP Authentication] - diff --git a/docs/modules/ROOT/pages/servlet/authentication/unpwd/user-details.adoc b/docs/modules/ROOT/pages/servlet/authentication/unpwd/user-details.adoc deleted file mode 100644 index 1b55e00a0b..0000000000 --- a/docs/modules/ROOT/pages/servlet/authentication/unpwd/user-details.adoc +++ /dev/null 
@@ -1,5 +0,0 @@ -[[servlet-authentication-userdetails]] -= UserDetails - -{security-api-url}org/springframework/security/core/userdetails/UserDetails.html[`UserDetails`] is returned by the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`]. -The xref:servlet/authentication/unpwd/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] validates the `UserDetails` and then returns an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] that has a principal that is the `UserDetails` returned by the configured `UserDetailsService`. diff --git a/docs/modules/ROOT/pages/servlet/namespace/index.adoc b/docs/modules/ROOT/pages/servlet/namespace/index.adoc index e11eebde48..0168114c1b 100644 --- a/docs/modules/ROOT/pages/servlet/namespace/index.adoc +++ b/docs/modules/ROOT/pages/servlet/namespace/index.adoc @@ -198,7 +198,7 @@ It's worth cross-checking this if you want to start understanding what the impor The configuration above defines two users, their passwords and their roles within the application (which will be used for access control). It is also possible to load user information from a standard properties file using the `properties` attribute on `user-service`. -See the section on xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format. +See the section on xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format. Using the `` element means that the user information will be used by the authentication manager to process authentication requests. You can have multiple `` elements to define different authentication sources and each will be consulted in turn. 
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/oauth2-resourceserver.adoc b/docs/modules/ROOT/pages/servlet/oauth2/oauth2-resourceserver.adoc index 31f481910d..0128f6de88 100644 --- a/docs/modules/ROOT/pages/servlet/oauth2/oauth2-resourceserver.adoc +++ b/docs/modules/ROOT/pages/servlet/oauth2/oauth2-resourceserver.adoc @@ -18,7 +18,7 @@ Working samples for both {gh-samples-url}/servlet/spring-boot/java/oauth2/resour ==== Let's take a look at how Bearer Token Authentication works within Spring Security. -First, we see that, like xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[Basic Authentication], the https://tools.ietf.org/html/rfc7235#section-4.1[WWW-Authenticate] header is sent back to an unauthenticated client. +First, we see that, like xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic Authentication], the https://tools.ietf.org/html/rfc7235#section-4.1[WWW-Authenticate] header is sent back to an unauthenticated client. .Sending WWW-Authenticate Header image::{figures}/bearerauthenticationentrypoint.png[] diff --git a/docs/modules/ROOT/pages/servlet/saml2/index.adoc b/docs/modules/ROOT/pages/servlet/saml2/index.adoc index 7b40f8d156..d302b1f70c 100644 --- a/docs/modules/ROOT/pages/servlet/saml2/index.adoc +++ b/docs/modules/ROOT/pages/servlet/saml2/index.adoc @@ -1267,7 +1267,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() { ---- ==== <1> First, call the default converter, which extracts attributes and authorities from the response -<2> Second, call the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[ `UserDetailsService`] using the relevant information +<2> Second, call the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[ `UserDetailsService`] using the relevant information <3> Third, return a custom authentication that includes the user details [NOTE] 
diff --git a/docs/modules/ROOT/pages/servlet/xml-namespace.adoc b/docs/modules/ROOT/pages/servlet/xml-namespace.adoc index e11eebde48..0168114c1b 100644 --- a/docs/modules/ROOT/pages/servlet/xml-namespace.adoc +++ b/docs/modules/ROOT/pages/servlet/xml-namespace.adoc @@ -198,7 +198,7 @@ It's worth cross-checking this if you want to start understanding what the impor The configuration above defines two users, their passwords and their roles within the application (which will be used for access control). It is also possible to load user information from a standard properties file using the `properties` attribute on `user-service`. -See the section on xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format. +See the section on xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format. Using the `` element means that the user information will be used by the authentication manager to process authentication requests. You can have multiple `` elements to define different authentication sources and each will be consulted in turn.
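Review bot: in the ldap.adoc hunk (`@@ -258,7 +258,7 @@`), the unchanged context line right after the rewritten xref, "This means there is no way a password to be read and then authenticated by Spring Security.", is missing a word; since this paragraph is already being edited, fix it in the same change to "there is no way for a password to be read and then authenticated by Spring Security."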
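Review bot: git shows passwords/user-details.adoc as a new file and unpwd/user-details.adoc as a deletion rather than a rename, which is only rename detection giving up on a five-line file; the two versions differ solely in the `unpwd`/`passwords` segment of the two xrefs and both keep the `[[servlet-authentication-userdetails]]` anchor, so anchor-based links keep resolving and nothing needs to change here.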
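Review bot: the hunk that deletes unpwd/index.adoc removes the anchors `[[servlet-authentication-unpwd]]`, `[[servlet-authentication-unpwd-input]]` and `[[servlet-authentication-unpwd-storage]]` together with the `:figures: images/servlet/authentication/unpwd` attribute, but no hunk in this excerpt adds a replacement passwords/index.adoc. Confirm that the new index page is part of the same change, that it either defines equivalent anchors or every xref to the old anchors is rewritten, and that its `:figures:` path still points at the directory the images actually live in; otherwise the nav entry and any anchor-based cross references break.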
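Review bot: in the saml2/index.adoc hunk (`@@ -1267,7 +1267,7 @@`), the rewritten callout `<2>` keeps a leading space inside the link text, `[ `UserDetailsService`]`; since the line is being touched anyway, drop that space so the rendered link text is exactly `UserDetailsService`.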
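Review bot: in the servlet/namespace/index.adoc hunk (`@@ -198,7 +198,7 @@`), the trailing context lines read "Using the `` element means ..." and "You can have multiple `` elements ..." with nothing between the backticks; as shown here the element name is empty, so verify the source file actually names the element and that it was not lost in rendering.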
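Review bot: the final hunk in servlet/xml-namespace.adoc carries the same blob hashes (`e11eebde48..0168114c1b`) and the identical one-line change as the servlet/namespace/index.adoc hunk, which means the two files are byte-for-byte duplicates; this change has to touch both, and so will every future edit. Consider removing one of them, or turning one into an include of the other, in a follow-up.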