unpwd->passwords folder
This commit is contained in:
parent
e4ce7249cc
commit
583761f916
|
@ -17,19 +17,19 @@
|
||||||
** xref:servlet/architecture.adoc[The Big Picture]
|
** xref:servlet/architecture.adoc[The Big Picture]
|
||||||
** Authentication
|
** Authentication
|
||||||
*** xref:servlet/authentication/architecture/index.adoc[Authentication Architecture]
|
*** xref:servlet/authentication/architecture/index.adoc[Authentication Architecture]
|
||||||
*** xref:servlet/authentication/unpwd/index.adoc[Username/Password]
|
*** xref:servlet/authentication/passwords/index.adoc[Username/Password]
|
||||||
**** Reading Username/Password
|
**** Reading Username/Password
|
||||||
***** xref:servlet/authentication/unpwd/form.adoc[Form]
|
***** xref:servlet/authentication/passwords/form.adoc[Form]
|
||||||
***** xref:servlet/authentication/unpwd/basic.adoc[Basic]
|
***** xref:servlet/authentication/passwords/basic.adoc[Basic]
|
||||||
***** xref:servlet/authentication/unpwd/digest.adoc[Digest]
|
***** xref:servlet/authentication/passwords/digest.adoc[Digest]
|
||||||
**** Password Storage
|
**** Password Storage
|
||||||
***** xref:servlet/authentication/unpwd/in-memory.adoc[In Memory]
|
***** xref:servlet/authentication/passwords/in-memory.adoc[In Memory]
|
||||||
***** xref:servlet/authentication/unpwd/jdbc.adoc[JDBC]
|
***** xref:servlet/authentication/passwords/jdbc.adoc[JDBC]
|
||||||
***** xref:servlet/authentication/unpwd/user-details.adoc[UserDetails]
|
***** xref:servlet/authentication/passwords/user-details.adoc[UserDetails]
|
||||||
***** xref:servlet/authentication/unpwd/user-details-service.adoc[UserDetailsService]
|
***** xref:servlet/authentication/passwords/user-details-service.adoc[UserDetailsService]
|
||||||
***** xref:servlet/authentication/unpwd/password-encoder.adoc[PasswordEncoder]
|
***** xref:servlet/authentication/passwords/password-encoder.adoc[PasswordEncoder]
|
||||||
***** xref:servlet/authentication/unpwd/dao-authentication-provider.adoc[DaoAuthenticationProvider]
|
***** xref:servlet/authentication/passwords/dao-authentication-provider.adoc[DaoAuthenticationProvider]
|
||||||
***** xref:servlet/authentication/unpwd/ldap.adoc[LDAP]
|
***** xref:servlet/authentication/passwords/ldap.adoc[LDAP]
|
||||||
*** xref:servlet/authentication/session-management.adoc[Session Management]
|
*** xref:servlet/authentication/session-management.adoc[Session Management]
|
||||||
*** xref:servlet/authentication/rememberme.adoc[Remember Me]
|
*** xref:servlet/authentication/rememberme.adoc[Remember Me]
|
||||||
*** xref:servlet/authentication/openid.adoc[OpenID]
|
*** xref:servlet/authentication/openid.adoc[OpenID]
|
||||||
|
|
|
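Review bot: Only the directory segment of each `xref:` changes here (`unpwd/` to `passwords/`); link text, nesting level and the `Username/Password` label are untouched, which is correct for a folder rename. Before merging, confirm with a repository-wide search for `unpwd/` that no xref outside this hunk still points at the old folder, since the nav file is the one place a missed link would not be obvious from reading a single page.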
@ -2736,7 +2736,7 @@ A method name
|
||||||
|
|
||||||
[[nsa-ldap]]
|
[[nsa-ldap]]
|
||||||
== LDAP Namespace Options
|
== LDAP Namespace Options
|
||||||
LDAP is covered in some details in xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[its own chapter].
|
LDAP is covered in some details in xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[its own chapter].
|
||||||
We will expand on that here with some explanation of how the namespace options map to Spring beans.
|
We will expand on that here with some explanation of how the namespace options map to Spring beans.
|
||||||
The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project's API may be useful.
|
The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project's API may be useful.
|
||||||
|
|
||||||
|
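Review bot: Since this line is being touched anyway, fix the pre-existing wording `covered in some details` to `covered in some detail`. The path rewrite itself is right, and the `#servlet-authentication-ldap` anchor is kept, so the link resolves to the same section inside the moved chapter.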
@ -2746,7 +2746,7 @@ The LDAP implementation uses Spring LDAP extensively, so some familiarity with t
|
||||||
`<ldap-server>` Element
|
`<ldap-server>` Element
|
||||||
This element sets up a Spring LDAP `ContextSource` for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn't allow anonymous access) for connecting to it.
|
This element sets up a Spring LDAP `ContextSource` for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn't allow anonymous access) for connecting to it.
|
||||||
It can also be used to create an embedded server for testing.
|
It can also be used to create an embedded server for testing.
|
||||||
Details of the syntax for both options are covered in the xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[LDAP chapter].
|
Details of the syntax for both options are covered in the xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[LDAP chapter].
|
||||||
The actual `ContextSource` implementation is `DefaultSpringSecurityContextSource` which extends Spring LDAP's `LdapContextSource` class.
|
The actual `ContextSource` implementation is `DefaultSpringSecurityContextSource` which extends Spring LDAP's `LdapContextSource` class.
|
||||||
The `manager-dn` and `manager-password` attributes map to the latter's `userDn` and `password` properties respectively.
|
The `manager-dn` and `manager-password` attributes map to the latter's `userDn` and `password` properties respectively.
|
||||||
|
|
||||||
|
|
|
@ -179,14 +179,14 @@ Below is a comprehensive list of Spring Security Filter ordering:
|
||||||
* CasAuthenticationFilter
|
* CasAuthenticationFilter
|
||||||
* OAuth2LoginAuthenticationFilter
|
* OAuth2LoginAuthenticationFilter
|
||||||
* Saml2WebSsoAuthenticationFilter
|
* Saml2WebSsoAuthenticationFilter
|
||||||
* xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`]
|
* xref:servlet/authentication/passwords/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`]
|
||||||
* OpenIDAuthenticationFilter
|
* OpenIDAuthenticationFilter
|
||||||
* DefaultLoginPageGeneratingFilter
|
* DefaultLoginPageGeneratingFilter
|
||||||
* DefaultLogoutPageGeneratingFilter
|
* DefaultLogoutPageGeneratingFilter
|
||||||
* ConcurrentSessionFilter
|
* ConcurrentSessionFilter
|
||||||
* xref:servlet/authentication/unpwd/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`]
|
* xref:servlet/authentication/passwords/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`]
|
||||||
* BearerTokenAuthenticationFilter
|
* BearerTokenAuthenticationFilter
|
||||||
* xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`]
|
* xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`]
|
||||||
* RequestCacheAwareFilter
|
* RequestCacheAwareFilter
|
||||||
* SecurityContextHolderAwareRequestFilter
|
* SecurityContextHolderAwareRequestFilter
|
||||||
* JaasApiIntegrationFilter
|
* JaasApiIntegrationFilter
|
||||||
|
|
|
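Review bot: Three entries in the filter-ordering list are rewritten and the anchors (`#servlet-authentication-usernamepasswordauthenticationfilter`, `#servlet-authentication-digest`, `#servlet-authentication-basic`) and backticked link text are preserved, so only the folder changes. Nothing to change in the hunk; this list is worth a second look precisely because the unlinked entries around them (`OpenIDAuthenticationFilter`, `BearerTokenAuthenticationFilter`, and so on) read identically on both sides and make a stale `unpwd/` path easy to overlook.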
@ -179,14 +179,14 @@ Below is a comprehensive list of Spring Security Filter ordering:
|
||||||
* CasAuthenticationFilter
|
* CasAuthenticationFilter
|
||||||
* OAuth2LoginAuthenticationFilter
|
* OAuth2LoginAuthenticationFilter
|
||||||
* Saml2WebSsoAuthenticationFilter
|
* Saml2WebSsoAuthenticationFilter
|
||||||
* xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`]
|
* xref:servlet/authentication/passwords/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`]
|
||||||
* OpenIDAuthenticationFilter
|
* OpenIDAuthenticationFilter
|
||||||
* DefaultLoginPageGeneratingFilter
|
* DefaultLoginPageGeneratingFilter
|
||||||
* DefaultLogoutPageGeneratingFilter
|
* DefaultLogoutPageGeneratingFilter
|
||||||
* ConcurrentSessionFilter
|
* ConcurrentSessionFilter
|
||||||
* xref:servlet/authentication/unpwd/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`]
|
* xref:servlet/authentication/passwords/digest.adoc#servlet-authentication-digest[`DigestAuthenticationFilter`]
|
||||||
* BearerTokenAuthenticationFilter
|
* BearerTokenAuthenticationFilter
|
||||||
* xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`]
|
* xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[`BasicAuthenticationFilter`]
|
||||||
* RequestCacheAwareFilter
|
* RequestCacheAwareFilter
|
||||||
* SecurityContextHolderAwareRequestFilter
|
* SecurityContextHolderAwareRequestFilter
|
||||||
* JaasApiIntegrationFilter
|
* JaasApiIntegrationFilter
|
||||||
|
|
|
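Review bot: This hunk is byte-identical to the earlier `@ -179,14 +179,14 @@ Below is a comprehensive list of Spring Security Filter ordering:` hunk, header and context included. If the filter-ordering list exists in two files, the file header separating them has been lost in this rendering and both copies need the same rewrite; if it is a single file, this is a duplicated render and can be ignored.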
@ -125,7 +125,7 @@ The current `Authentication` can be obtained from the <<servlet-authentication-s
|
||||||
The `Authentication` contains:
|
The `Authentication` contains:
|
||||||
|
|
||||||
* `principal` - identifies the user.
|
* `principal` - identifies the user.
|
||||||
When authenticating with a username/password this is often an instance of xref:servlet/authentication/unpwd/user-details.adoc#servlet-authentication-userdetails[`UserDetails`].
|
When authenticating with a username/password this is often an instance of xref:servlet/authentication/passwords/user-details.adoc#servlet-authentication-userdetails[`UserDetails`].
|
||||||
* `credentials` - often a password.
|
* `credentials` - often a password.
|
||||||
In many cases this will be cleared after the user is authenticated to ensure it is not leaked.
|
In many cases this will be cleared after the user is authenticated to ensure it is not leaked.
|
||||||
* `authorities` - the <<servlet-authentication-granted-authority,``GrantedAuthority``s>> are high level permissions the user is granted.
|
* `authorities` - the <<servlet-authentication-granted-authority,``GrantedAuthority``s>> are high level permissions the user is granted.
|
||||||
|
@ -141,7 +141,7 @@ A `GrantedAuthority` is, not surprisingly, an authority that is granted to the p
|
||||||
Such authorities are usually "roles", such as `ROLE_ADMINISTRATOR` or `ROLE_HR_SUPERVISOR`.
|
Such authorities are usually "roles", such as `ROLE_ADMINISTRATOR` or `ROLE_HR_SUPERVISOR`.
|
||||||
These roles are later on configured for web authorization, method authorization and domain object authorization.
|
These roles are later on configured for web authorization, method authorization and domain object authorization.
|
||||||
Other parts of Spring Security are capable of interpreting these authorities, and expect them to be present.
|
Other parts of Spring Security are capable of interpreting these authorities, and expect them to be present.
|
||||||
When using username/password based authentication ``GrantedAuthority``s are usually loaded by the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`].
|
When using username/password based authentication ``GrantedAuthority``s are usually loaded by the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`].
|
||||||
|
|
||||||
Usually the `GrantedAuthority` objects are application-wide permissions.
|
Usually the `GrantedAuthority` objects are application-wide permissions.
|
||||||
They are not specific to a given domain object.
|
They are not specific to a given domain object.
|
||||||
|
@ -199,7 +199,7 @@ See the {security-api-url}org/springframework/security/authentication/ProviderMa
|
||||||
|
|
||||||
Multiple {security-api-url}org/springframework/security/authentication/AuthenticationProvider.html[``AuthenticationProvider``s] can be injected into <<servlet-authentication-providermanager,`ProviderManager`>>.
|
Multiple {security-api-url}org/springframework/security/authentication/AuthenticationProvider.html[``AuthenticationProvider``s] can be injected into <<servlet-authentication-providermanager,`ProviderManager`>>.
|
||||||
Each `AuthenticationProvider` performs a specific type of authentication.
|
Each `AuthenticationProvider` performs a specific type of authentication.
|
||||||
For example, xref:servlet/authentication/unpwd/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] supports username/password based authentication while `JwtAuthenticationProvider` supports authenticating a JWT token.
|
For example, xref:servlet/authentication/passwords/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] supports username/password based authentication while `JwtAuthenticationProvider` supports authenticating a JWT token.
|
||||||
|
|
||||||
[[servlet-authentication-authenticationentrypoint]]
|
[[servlet-authentication-authenticationentrypoint]]
|
||||||
== Request Credentials with `AuthenticationEntryPoint`
|
== Request Credentials with `AuthenticationEntryPoint`
|
||||||
|
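Review bot: Path update only; the `#servlet-authentication-daoauthenticationprovider` anchor is preserved. While on this line, `supports authenticating a JWT token` could drop the redundant `token` (`JWT` already expands to JSON Web Token), but that is pre-existing context rather than part of this change.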
@ -211,7 +211,7 @@ In these cases, Spring Security does not need to provide an HTTP response that r
|
||||||
|
|
||||||
In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access.
|
In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access.
|
||||||
In this case, an implementation of `AuthenticationEntryPoint` is used to request credentials from the client.
|
In this case, an implementation of `AuthenticationEntryPoint` is used to request credentials from the client.
|
||||||
The `AuthenticationEntryPoint` implementation might perform a xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-form[redirect to a log in page], respond with an xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[WWW-Authenticate] header, etc.
|
The `AuthenticationEntryPoint` implementation might perform a xref:servlet/authentication/passwords/form.adoc#servlet-authentication-form[redirect to a log in page], respond with an xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[WWW-Authenticate] header, etc.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -230,7 +230,7 @@ image::{figures}/abstractauthenticationprocessingfilter.png[]
|
||||||
|
|
||||||
image:{icondir}/number_1.png[] When the user submits their credentials, the `AbstractAuthenticationProcessingFilter` creates an <<servlet-authentication-authentication,`Authentication`>> from the `HttpServletRequest` to be authenticated.
|
image:{icondir}/number_1.png[] When the user submits their credentials, the `AbstractAuthenticationProcessingFilter` creates an <<servlet-authentication-authentication,`Authentication`>> from the `HttpServletRequest` to be authenticated.
|
||||||
The type of `Authentication` created depends on the subclass of `AbstractAuthenticationProcessingFilter`.
|
The type of `Authentication` created depends on the subclass of `AbstractAuthenticationProcessingFilter`.
|
||||||
For example, xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] creates a `UsernamePasswordAuthenticationToken` from a __username__ and __password__ that are submitted in the `HttpServletRequest`.
|
For example, xref:servlet/authentication/passwords/form.adoc#servlet-authentication-usernamepasswordauthenticationfilter[`UsernamePasswordAuthenticationFilter`] creates a `UsernamePasswordAuthenticationToken` from a __username__ and __password__ that are submitted in the `HttpServletRequest`.
|
||||||
|
|
||||||
image:{icondir}/number_2.png[] Next, the <<servlet-authentication-authentication,`Authentication`>> is passed into the <<servlet-authentication-authenticationmanager,`AuthenticationManager`>> to be authenticated.
|
image:{icondir}/number_2.png[] Next, the <<servlet-authentication-authentication,`Authentication`>> is passed into the <<servlet-authentication-authenticationmanager,`AuthenticationManager`>> to be authenticated.
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@ These sections focus on specific ways you may want to authenticate and point bac
|
||||||
|
|
||||||
// FIXME: brief description
|
// FIXME: brief description
|
||||||
|
|
||||||
* xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd[Username and Password] - how to authenticate with a username/password
|
* xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd[Username and Password] - how to authenticate with a username/password
|
||||||
* xref:servlet/oauth2/oauth2-login.adoc#oauth2login[OAuth 2.0 Login] - OAuth 2.0 Log In with OpenID Connect and non-standard OAuth 2.0 Login (i.e. GitHub)
|
* xref:servlet/oauth2/oauth2-login.adoc#oauth2login[OAuth 2.0 Login] - OAuth 2.0 Log In with OpenID Connect and non-standard OAuth 2.0 Login (i.e. GitHub)
|
||||||
* xref:servlet/saml2/index.adoc#servlet-saml2[SAML 2.0 Login] - SAML 2.0 Log In
|
* xref:servlet/saml2/index.adoc#servlet-saml2[SAML 2.0 Login] - SAML 2.0 Log In
|
||||||
* xref:servlet/authentication/cas.adoc#servlet-cas[Central Authentication Server (CAS)] - Central Authentication Server (CAS) Support
|
* xref:servlet/authentication/cas.adoc#servlet-cas[Central Authentication Server (CAS)] - Central Authentication Server (CAS) Support
|
||||||
|
|
|
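Review bot: The rewritten xref deliberately keeps the `#servlet-authentication-unpwd` anchor even though the folder becomes `passwords/`, which is consistent with the new `index.adoc` in this commit retaining `[[servlet-authentication-unpwd]]`. A small wording point on the adjacent context line: `non-standard OAuth 2.0 Login (i.e. GitHub)` should be `(e.g. GitHub)`, since GitHub is one example of such a provider, not a definition.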
@ -34,7 +34,7 @@ The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterc
|
||||||
image:{icondir}/number_1.png[] When the user submits their username and password, the `BasicAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` which is a type of xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] by extracting the username and password from the `HttpServletRequest`.
|
image:{icondir}/number_1.png[] When the user submits their username and password, the `BasicAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` which is a type of xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] by extracting the username and password from the `HttpServletRequest`.
|
||||||
|
|
||||||
image:{icondir}/number_2.png[] Next, the `UsernamePasswordAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated.
|
image:{icondir}/number_2.png[] Next, the `UsernamePasswordAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated.
|
||||||
The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-storage[user information is stored].
|
The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-storage[user information is stored].
|
||||||
|
|
||||||
image:{icondir}/number_3.png[] If authentication fails, then __Failure__
|
image:{icondir}/number_3.png[] If authentication fails, then __Failure__
|
||||||
|
|
|
@ -2,21 +2,21 @@
|
||||||
= DaoAuthenticationProvider
|
= DaoAuthenticationProvider
|
||||||
:figures: servlet/authentication/unpwd
|
:figures: servlet/authentication/unpwd
|
||||||
|
|
||||||
{security-api-url}org/springframework/security/authentication/dao/DaoAuthenticationProvider.html[`DaoAuthenticationProvider`] is an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[`AuthenticationProvider`] implementation that leverages a xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`] and xref:servlet/authentication/unpwd/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to authenticate a username and password.
|
{security-api-url}org/springframework/security/authentication/dao/DaoAuthenticationProvider.html[`DaoAuthenticationProvider`] is an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[`AuthenticationProvider`] implementation that leverages a xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`] and xref:servlet/authentication/passwords/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to authenticate a username and password.
|
||||||
|
|
||||||
Let's take a look at how `DaoAuthenticationProvider` works within Spring Security.
|
Let's take a look at how `DaoAuthenticationProvider` works within Spring Security.
|
||||||
The figure explains details of how the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] works.
|
The figure explains details of how the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] works.
|
||||||
|
|
||||||
.`DaoAuthenticationProvider` Usage
|
.`DaoAuthenticationProvider` Usage
|
||||||
image::{figures}/daoauthenticationprovider.png[]
|
image::{figures}/daoauthenticationprovider.png[]
|
||||||
|
|
||||||
image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`].
|
image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`].
|
||||||
|
|
||||||
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `DaoAuthenticationProvider`.
|
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `DaoAuthenticationProvider`.
|
||||||
|
|
||||||
image:{icondir}/number_3.png[] `DaoAuthenticationProvider` looks up the `UserDetails` from the `UserDetailsService`.
|
image:{icondir}/number_3.png[] `DaoAuthenticationProvider` looks up the `UserDetails` from the `UserDetailsService`.
|
||||||
|
|
||||||
image:{icondir}/number_4.png[] `DaoAuthenticationProvider` then uses the xref:servlet/authentication/unpwd/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to validate the password on the `UserDetails` returned in the previous step.
|
image:{icondir}/number_4.png[] `DaoAuthenticationProvider` then uses the xref:servlet/authentication/passwords/password-encoder.adoc#servlet-authentication-password-storage[`PasswordEncoder`] to validate the password on the `UserDetails` returned in the previous step.
|
||||||
|
|
||||||
image:{icondir}/number_5.png[] When authentication is successful, the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] that is returned is of type `UsernamePasswordAuthenticationToken` and has a principal that is the `UserDetails` returned by the configured `UserDetailsService`.
|
image:{icondir}/number_5.png[] When authentication is successful, the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] that is returned is of type `UsernamePasswordAuthenticationToken` and has a principal that is the `UserDetails` returned by the configured `UserDetailsService`.
|
||||||
Ultimately, the returned `UsernamePasswordAuthenticationToken` will be set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[`SecurityContextHolder`] by the authentication `Filter`.
|
Ultimately, the returned `UsernamePasswordAuthenticationToken` will be set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[`SecurityContextHolder`] by the authentication `Filter`.
|
|
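Review bot: The `:figures: servlet/authentication/unpwd` attribute at the top of this file is left unchanged while every xref in it moves to `passwords/`. If the image directory was intentionally not renamed that is acceptable, but it should then match the new `index.adoc` in this same commit, which sets `:figures: images/servlet/authentication/unpwd` with an `images/` prefix. One of the two forms is likely wrong for `image::{figures}/daoauthenticationprovider.png[]`; build the site and check that the figure actually renders on both pages. The line carrying two xrefs (`UserDetailsService` and `PasswordEncoder`) has both occurrences rewritten, good.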
@ -11,7 +11,7 @@ All of these storage formats are considered insecure.
|
||||||
Instead, you should store credentials using a one way adaptive password hash (i.e. bCrypt, PBKDF2, SCrypt, etc) which is not supported by Digest Authentication.
|
Instead, you should store credentials using a one way adaptive password hash (i.e. bCrypt, PBKDF2, SCrypt, etc) which is not supported by Digest Authentication.
|
||||||
====
|
====
|
||||||
|
|
||||||
Digest Authentication attempts to solve many of the weaknesses of xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire.
|
Digest Authentication attempts to solve many of the weaknesses of xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic authentication], specifically by ensuring credentials are never sent in clear text across the wire.
|
||||||
Many https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility[browsers support Digest Authentication].
|
Many https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest#Browser_compatibility[browsers support Digest Authentication].
|
||||||
|
|
||||||
The standard governing HTTP Digest Authentication is defined by https://tools.ietf.org/html/rfc2617[RFC 2617], which updates an earlier version of the Digest Authentication standard prescribed by https://tools.ietf.org/html/rfc2069[RFC 2069].
|
The standard governing HTTP Digest Authentication is defined by https://tools.ietf.org/html/rfc2617[RFC 2617], which updates an earlier version of the Digest Authentication standard prescribed by https://tools.ietf.org/html/rfc2069[RFC 2069].
|
|
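Review bot: Path update is correct. On the unchanged admonition line above it, `(i.e. bCrypt, PBKDF2, SCrypt, etc)` should read `(e.g. bcrypt, PBKDF2, scrypt, etc.)`, since these are examples of adaptive one-way hashes rather than an exhaustive definition, and `one way adaptive password hash` wants a hyphen (`one-way`). That admonition is the important security statement on this page (Digest requires a reversible or plain-text credential store on the server), so its wording deserves to be tidy even if it is outside this diff.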
@ -38,7 +38,7 @@ The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterc
|
||||||
image:{icondir}/number_1.png[] When the user submits their username and password, the `UsernamePasswordAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` which is a type of xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] by extracting the username and password from the `HttpServletRequest`.
|
image:{icondir}/number_1.png[] When the user submits their username and password, the `UsernamePasswordAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` which is a type of xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] by extracting the username and password from the `HttpServletRequest`.
|
||||||
|
|
||||||
image:{icondir}/number_2.png[] Next, the `UsernamePasswordAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated.
|
image:{icondir}/number_2.png[] Next, the `UsernamePasswordAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated.
|
||||||
The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-storage[user information is stored].
|
The details of what `AuthenticationManager` looks like depend on how the xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-storage[user information is stored].
|
||||||
|
|
||||||
image:{icondir}/number_3.png[] If authentication fails, then __Failure__
|
image:{icondir}/number_3.png[] If authentication fails, then __Failure__
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
[[servlet-authentication-inmemory]]
|
[[servlet-authentication-inmemory]]
|
||||||
= In-Memory Authentication
|
= In-Memory Authentication
|
||||||
|
|
||||||
Spring Security's `InMemoryUserDetailsManager` implements xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is stored in memory.
|
Spring Security's `InMemoryUserDetailsManager` implements xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is stored in memory.
|
||||||
`InMemoryUserDetailsManager` provides management of `UserDetails` by implementing the `UserDetailsManager` interface.
|
`InMemoryUserDetailsManager` provides management of `UserDetails` by implementing the `UserDetailsManager` interface.
|
||||||
`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication.
|
`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication.
|
||||||
|
|
||||||
In this sample we use xref:features/authentication/password-storage.adoc#authentication-password-storage-boot-cli[Spring Boot CLI] to encode the password of `password` and get the encoded password of `+{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW+`.
|
In this sample we use xref:features/authentication/password-storage.adoc#authentication-password-storage-boot-cli[Spring Boot CLI] to encode the password of `password` and get the encoded password of `+{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW+`.
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
[[servlet-authentication-unpwd]]
|
||||||
|
= Username/Password Authentication
|
||||||
|
:figures: images/servlet/authentication/unpwd
|
||||||
|
:icondir: images/icons
|
||||||
|
|
||||||
|
One of the most common ways to authenticate a user is by validating a username and password.
|
||||||
|
As such, Spring Security provides comprehensive support for authenticating with a username and password.
|
||||||
|
|
||||||
|
[[servlet-authentication-unpwd-input]]
|
||||||
|
== Reading the Username & Password
|
||||||
|
|
||||||
|
Spring Security provides the following built in mechanisms for reading a username and password from the `HttpServletRequest`:
|
||||||
|
|
||||||
|
* xref:servlet/authentication/passwords/form.adoc#servlet-authentication-form[Form Login]
|
||||||
|
* xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic Authentication]
|
||||||
|
* xref:servlet/authentication/passwords/digest.adoc#servlet-authentication-digest[Digest Authentication]
|
||||||
|
|
||||||
|
[[servlet-authentication-unpwd-storage]]
|
||||||
|
== Storage Mechanisms
|
||||||
|
|
||||||
|
Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms:
|
||||||
|
|
||||||
|
* Simple Storage with xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[In-Memory Authentication]
|
||||||
|
* Relational Databases with xref:servlet/authentication/passwords/jdbc.adoc#servlet-authentication-jdbc[JDBC Authentication]
|
||||||
|
* Custom data stores with xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService]
|
||||||
|
* LDAP storage with xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[LDAP Authentication]
|
||||||
|
|
|
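Review bot: The new `passwords/index.adoc` keeps the original anchor ids (`servlet-authentication-unpwd`, `servlet-authentication-unpwd-input`, `servlet-authentication-unpwd-storage`), which every rewritten `xref:...passwords/index.adoc#servlet-authentication-unpwd...` link in this commit depends on, so those targets resolve. Two things to check: first, `:figures: images/servlet/authentication/unpwd` shows the image folder is not renamed and differs in form from the `:figures: servlet/authentication/unpwd` kept in `dao-authentication-provider.adoc`; second, this hunk is rendered as a pure addition (`-0,0 +1,27`), so the deletion of the old `unpwd/index.adoc` is not visible here. Confirm the old file was removed rather than left behind, otherwise the `[[servlet-authentication-unpwd]]` anchor exists twice in the module and the xrefs become ambiguous.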
@ -1,9 +1,9 @@
|
||||||
[[servlet-authentication-jdbc]]
|
[[servlet-authentication-jdbc]]
|
||||||
= JDBC Authentication
|
= JDBC Authentication
|
||||||
|
|
||||||
Spring Security's `JdbcDaoImpl` implements xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is retrieved using JDBC.
|
Spring Security's `JdbcDaoImpl` implements xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] to provide support for username/password based authentication that is retrieved using JDBC.
|
||||||
`JdbcUserDetailsManager` extends `JdbcDaoImpl` to provide management of `UserDetails` through the `UserDetailsManager` interface.
|
`JdbcUserDetailsManager` extends `JdbcDaoImpl` to provide management of `UserDetails` through the `UserDetailsManager` interface.
|
||||||
`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication.
|
`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication.
|
||||||
|
|
||||||
In the following sections we will discuss:
|
In the following sections we will discuss:
|
||||||
|
|
||||||
|
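Review bot: the three xrefs on the right-hand side are updated correctly, but the ones targeting `index.adoc#servlet-authentication-unpwd-input` and `user-details-service.adoc#servlet-authentication-userdetailsservice` depend on the old `unpwd`-named anchors surviving the move; they do in this commit, but a tree-wide search such as `rg 'authentication/unpwd' docs/` before merging would confirm no other page still references the removed path, since an unresolved xref in Antora may only surface as a build warning depending on the configured log failure level.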
@ -171,7 +171,7 @@ UserDetailsManager users(DataSource dataSource) {
|
||||||
JdbcUserDetailsManager users = new JdbcUserDetailsManager(dataSource);
|
JdbcUserDetailsManager users = new JdbcUserDetailsManager(dataSource);
|
||||||
users.createUser(user);
|
users.createUser(user);
|
||||||
users.createUser(admin);
|
users.createUser(admin);
|
||||||
return users;
|
return users;
|
||||||
}
|
}
|
||||||
----
|
----
|
||||||
|
|
|
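Review bot: this hunk (`@ -171,7 +171,7 @@`) shows the same seven lines on both sides, so the actual modification is not visible in the rendered diff; if it is whitespace-only it does not belong in a commit described as a folder rename, and if the renderer dropped the changed line it is worth checking the raw patch to confirm the xref it touches was updated to `passwords/`.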
@ -4,7 +4,7 @@
|
||||||
LDAP is often used by organizations as a central repository for user information and as an authentication service.
|
LDAP is often used by organizations as a central repository for user information and as an authentication service.
|
||||||
It can also be used to store the role information for application users.
|
It can also be used to store the role information for application users.
|
||||||
|
|
||||||
Spring Security's LDAP based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication.
|
Spring Security's LDAP based authentication is used by Spring Security when it is configured to xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication.
|
||||||
However, despite leveraging a username/password for authentication it does not integrate using `UserDetailsService` because in <<servlet-authentication-ldap-bind,bind authentication>> the LDAP server does not return the password so the application cannot perform validation of the password.
|
However, despite leveraging a username/password for authentication it does not integrate using `UserDetailsService` because in <<servlet-authentication-ldap-bind,bind authentication>> the LDAP server does not return the password so the application cannot perform validation of the password.
|
||||||
|
|
||||||
There are many different scenarios for how an LDAP server may be configured so Spring Security's LDAP provider is fully configurable.
|
There are many different scenarios for how an LDAP server may be configured so Spring Security's LDAP provider is fully configurable.
|
||||||
|
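Review bot: the changed line reads "Spring Security's LDAP based authentication is used by Spring Security when it is configured to ..."; since the line is being touched anyway, drop the second "Spring Security" and hyphenate the compound so it reads "Spring Security's LDAP-based authentication is used when it is configured to accept a username/password". The following context line, that bind authentication never returns the password to the application, is the one fact a reader coming from the new `passwords/` index needs in order to understand why this page is not behind `UserDetailsService`, so keep it adjacent to the xref.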
@ -258,7 +258,7 @@ fun contextSource(container: UnboundIdContainer): ContextSource {
|
||||||
[[servlet-authentication-ldap-authentication]]
|
[[servlet-authentication-ldap-authentication]]
|
||||||
== Authentication
|
== Authentication
|
||||||
|
|
||||||
Spring Security's LDAP support does not use the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] because LDAP bind authentication does not allow clients to read the password or even a hashed version of the password.
|
Spring Security's LDAP support does not use the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] because LDAP bind authentication does not allow clients to read the password or even a hashed version of the password.
|
||||||
This means there is no way a password to be read and then authenticated by Spring Security.
|
This means there is no way a password to be read and then authenticated by Spring Security.
|
||||||
|
|
||||||
For this reason, LDAP support is implemented using the `LdapAuthenticator` interface.
|
For this reason, LDAP support is implemented using the `LdapAuthenticator` interface.
|
|
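Review bot: the context line just after the changed xref, "This means there is no way a password to be read and then authenticated by Spring Security.", is missing "for" ("no way for a password to be read"); as the file is already being touched here, fix it in the same pass rather than in a separate typo commit.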
@ -1,8 +1,8 @@
|
||||||
[[servlet-authentication-userdetailsservice]]
|
[[servlet-authentication-userdetailsservice]]
|
||||||
= UserDetailsService
|
= UserDetailsService
|
||||||
|
|
||||||
{security-api-url}org/springframework/security/core/userdetails/UserDetailsService.html[`UserDetailsService`] is used by xref:servlet/authentication/unpwd/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] for retrieving a username, password, and other attributes for authenticating with a username and password.
|
{security-api-url}org/springframework/security/core/userdetails/UserDetailsService.html[`UserDetailsService`] is used by xref:servlet/authentication/passwords/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] for retrieving a username, password, and other attributes for authenticating with a username and password.
|
||||||
Spring Security provides xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[in-memory] and xref:servlet/authentication/unpwd/jdbc.adoc#servlet-authentication-jdbc[JDBC] implementations of `UserDetailsService`.
|
Spring Security provides xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[in-memory] and xref:servlet/authentication/passwords/jdbc.adoc#servlet-authentication-jdbc[JDBC] implementations of `UserDetailsService`.
|
||||||
|
|
||||||
You can define custom authentication by exposing a custom `UserDetailsService` as a bean.
|
You can define custom authentication by exposing a custom `UserDetailsService` as a bean.
|
||||||
For example, the following will customize authentication assuming that `CustomUserDetailsService` implements `UserDetailsService`:
|
For example, the following will customize authentication assuming that `CustomUserDetailsService` implements `UserDetailsService`:
|
|
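Review bot: both xref lines are updated, but the second one states that in-memory and JDBC are the provided implementations of `UserDetailsService` while the new `passwords/index.adoc` lists LDAP alongside them under "Storage Mechanisms"; that is consistent (the LDAP page says explicitly that it does not go through `UserDetailsService`), but a reader arriving from the index will expect LDAP here, so a short trailing clause pointing to `ldap.adoc` and saying it is handled by `LdapAuthenticator` instead would head off the question.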
@ -0,0 +1,5 @@
|
||||||
|
[[servlet-authentication-userdetails]]
|
||||||
|
= UserDetails
|
||||||
|
|
||||||
|
{security-api-url}org/springframework/security/core/userdetails/UserDetails.html[`UserDetails`] is returned by the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`].
|
||||||
|
The xref:servlet/authentication/passwords/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] validates the `UserDetails` and then returns an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] that has a principal that is the `UserDetails` returned by the configured `UserDetailsService`.
|
|
@ -1,27 +0,0 @@
|
||||||
[[servlet-authentication-unpwd]]
|
|
||||||
= Username/Password Authentication
|
|
||||||
:figures: images/servlet/authentication/unpwd
|
|
||||||
:icondir: images/icons
|
|
||||||
|
|
||||||
One of the most common ways to authenticate a user is by validating a username and password.
|
|
||||||
As such, Spring Security provides comprehensive support for authenticating with a username and password.
|
|
||||||
|
|
||||||
[[servlet-authentication-unpwd-input]]
|
|
||||||
== Reading the Username & Password
|
|
||||||
|
|
||||||
Spring Security provides the following built in mechanisms for reading a username and password from the `HttpServletRequest`:
|
|
||||||
|
|
||||||
* xref:servlet/authentication/unpwd/form.adoc#servlet-authentication-form[Form Login]
|
|
||||||
* xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[Basic Authentication]
|
|
||||||
* xref:servlet/authentication/unpwd/digest.adoc#servlet-authentication-digest[Digest Authentication]
|
|
||||||
|
|
||||||
[[servlet-authentication-unpwd-storage]]
|
|
||||||
== Storage Mechanisms
|
|
||||||
|
|
||||||
Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms:
|
|
||||||
|
|
||||||
* Simple Storage with xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[In-Memory Authentication]
|
|
||||||
* Relational Databases with xref:servlet/authentication/unpwd/jdbc.adoc#servlet-authentication-jdbc[JDBC Authentication]
|
|
||||||
* Custom data stores with xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService]
|
|
||||||
* LDAP storage with xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[LDAP Authentication]
|
|
||||||
|
|
|
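Review bot: the removed page declared the anchors `servlet-authentication-unpwd`, `servlet-authentication-unpwd-input` and `servlet-authentication-unpwd-storage`, and they are re-declared in the new `passwords/index.adoc`, so in-tree xrefs keep resolving; the published URL changes, however, and external links and bookmarks to the old `unpwd/index.html` will 404 unless the replacement page carries `:page-aliases: servlet/authentication/unpwd/index.adoc` so that Antora emits a redirect. The same applies to the removed `unpwd/user-details.adoc`.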
@ -1,5 +0,0 @@
|
||||||
[[servlet-authentication-userdetails]]
|
|
||||||
= UserDetails
|
|
||||||
|
|
||||||
{security-api-url}org/springframework/security/core/userdetails/UserDetails.html[`UserDetails`] is returned by the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[`UserDetailsService`].
|
|
||||||
The xref:servlet/authentication/unpwd/dao-authentication-provider.adoc#servlet-authentication-daoauthenticationprovider[`DaoAuthenticationProvider`] validates the `UserDetails` and then returns an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[`Authentication`] that has a principal that is the `UserDetails` returned by the configured `UserDetailsService`.
|
|
|
@ -198,7 +198,7 @@ It's worth cross-checking this if you want to start understanding what the impor
|
||||||
|
|
||||||
The configuration above defines two users, their passwords and their roles within the application (which will be used for access control).
|
The configuration above defines two users, their passwords and their roles within the application (which will be used for access control).
|
||||||
It is also possible to load user information from a standard properties file using the `properties` attribute on `user-service`.
|
It is also possible to load user information from a standard properties file using the `properties` attribute on `user-service`.
|
||||||
See the section on xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format.
|
See the section on xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format.
|
||||||
Using the `<authentication-provider>` element means that the user information will be used by the authentication manager to process authentication requests.
|
Using the `<authentication-provider>` element means that the user information will be used by the authentication manager to process authentication requests.
|
||||||
You can have multiple `<authentication-provider>` elements to define different authentication sources and each will be consulted in turn.
|
You can have multiple `<authentication-provider>` elements to define different authentication sources and each will be consulted in turn.
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@ Working samples for both {gh-samples-url}/servlet/spring-boot/java/oauth2/resour
|
||||||
====
|
====
|
||||||
|
|
||||||
Let's take a look at how Bearer Token Authentication works within Spring Security.
|
Let's take a look at how Bearer Token Authentication works within Spring Security.
|
||||||
First, we see that, like xref:servlet/authentication/unpwd/basic.adoc#servlet-authentication-basic[Basic Authentication], the https://tools.ietf.org/html/rfc7235#section-4.1[WWW-Authenticate] header is sent back to an unauthenticated client.
|
First, we see that, like xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic Authentication], the https://tools.ietf.org/html/rfc7235#section-4.1[WWW-Authenticate] header is sent back to an unauthenticated client.
|
||||||
|
|
||||||
.Sending WWW-Authenticate Header
|
.Sending WWW-Authenticate Header
|
||||||
image::{figures}/bearerauthenticationentrypoint.png[]
|
image::{figures}/bearerauthenticationentrypoint.png[]
|
||||||
|
|
|
@ -1267,7 +1267,7 @@ open class SecurityConfig : WebSecurityConfigurerAdapter() {
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
<1> First, call the default converter, which extracts attributes and authorities from the response
|
<1> First, call the default converter, which extracts attributes and authorities from the response
|
||||||
<2> Second, call the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[ `UserDetailsService`] using the relevant information
|
<2> Second, call the xref:servlet/authentication/passwords/user-details-service.adoc#servlet-authentication-userdetailsservice[ `UserDetailsService`] using the relevant information
|
||||||
<3> Third, return a custom authentication that includes the user details
|
<3> Third, return a custom authentication that includes the user details
|
||||||
|
|
||||||
[NOTE]
|
[NOTE]
|
||||||
|
|
|
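Review bot: the changed callout line keeps a stray leading space inside the link text, `[ `UserDetailsService`]`, which renders as a space before the monospace name; since the line is being rewritten anyway, make it `[`UserDetailsService`]` to match the other xrefs in this commit.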
@ -198,7 +198,7 @@ It's worth cross-checking this if you want to start understanding what the impor
|
||||||
|
|
||||||
The configuration above defines two users, their passwords and their roles within the application (which will be used for access control).
|
The configuration above defines two users, their passwords and their roles within the application (which will be used for access control).
|
||||||
It is also possible to load user information from a standard properties file using the `properties` attribute on `user-service`.
|
It is also possible to load user information from a standard properties file using the `properties` attribute on `user-service`.
|
||||||
See the section on xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format.
|
See the section on xref:servlet/authentication/passwords/in-memory.adoc#servlet-authentication-inmemory[in-memory authentication] for more details on the file format.
|
||||||
Using the `<authentication-provider>` element means that the user information will be used by the authentication manager to process authentication requests.
|
Using the `<authentication-provider>` element means that the user information will be used by the authentication manager to process authentication requests.
|
||||||
You can have multiple `<authentication-provider>` elements to define different authentication sources and each will be consulted in turn.
|
You can have multiple `<authentication-provider>` elements to define different authentication sources and each will be consulted in turn.
|
||||||
|
|
||||||
|
|
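Review bot: this hunk is line-for-line identical to the earlier `@ -198,7 +198,7 @@` hunk, including the line number and the surrounding context, so the same paragraph appears to live in two files; if both are meant to stay, consider turning the shared text into an `include::` so the next rename does not have to be applied twice and the copies cannot drift.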