mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-23 04:22:17 +00:00
Remove Duplicate Docs
parent
f4d032a762
commit
ec61462566
@ -27,7 +27,7 @@ The positions of the standard filters are fixed (see
|
||||
You can, of course, still do this if you need full control of the configuration.
|
||||
|
||||
|
||||
All filters which require a reference to the `AuthenticationManager` will be automatically injected with the internal instance created by the namespace configuration (see the <<ns-auth-manager,introductory chapter>> for more on the `AuthenticationManager`).
|
||||
All filters which require a reference to the <<servlet-authentication-authenticationmanager,`AuthenticationManager`>> will be automatically injected with the internal instance created by the namespace configuration.
|
||||
|
||||
Each `<http>` namespace block always creates an `SecurityContextPersistenceFilter`, an `ExceptionTranslationFilter` and a `FilterSecurityInterceptor`.
|
||||
These are fixed and cannot be replaced with alternatives.
|
||||
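Review bot: the replacement sentence still says "the internal instance created by the namespace configuration", but it now links only to the general `AuthenticationManager` section, and the `ns-auth-manager` section that explained how the namespace creates that instance is deleted later in this commit. Consider pointing the phrase "internal instance" at the `authentication-manager` element reference in this appendix so the namespace-specific meaning is still reachable.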
@ -2033,7 +2033,6 @@ All elements which create `AuthenticationProvider` instances should be children
|
||||
[[nsa-authentication-manager-alias]]
|
||||
* **alias**
|
||||
This attribute allows you to define an alias name for the internal instance for use in your own configuration.
|
||||
Its use is described in the <<ns-auth-manager,namespace introduction>>.
|
||||
|
||||
|
||||
[[nsa-authentication-manager-erase-credentials]]
|
||||
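Review bot: with "Its use is described in the <<ns-auth-manager,namespace introduction>>." gone, the **alias** attribute has a description but no usage example, and the only one visible in this commit (`<security:authentication-manager alias="authenticationManager">` wired into a filter's `authenticationManager` property) is deleted along with the `ns-auth-manager` section. Move that short example under this attribute rather than dropping it.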
@ -2062,7 +2061,7 @@ It is the same as the alias element, but provides a more consistent experience w
|
||||
Unless used with a `ref` attribute, this element is shorthand for configuring a <<core-services-dao-provider,DaoAuthenticationProvider>>.
|
||||
`DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login.
|
||||
The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context).
|
||||
You can find examples of these variations in the <<ns-auth-providers,namespace introduction>>.
|
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider-parents]]
|
||||
|
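Review bot: the last sentence of this paragraph links to <<ns-auth-providers,namespace introduction>>, and that anchor is deleted with the "AuthenticationProvider XML Configuration" section later in this commit, so the reference has to be dropped or retargeted, and the `user-service-ref` and `jdbc-user-service` examples it pointed to need a new home. While editing this paragraph, the parenthesis opened before `jdbc-user-service` should close after the element name, not at the end of the sentence.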
@ -0,0 +1,6 @@
|
||||
[[servlet-authentication-authenticationprovider]]
|
||||
= AuthenticationProvider
|
||||
|
||||
Multiple {security-api-url}org/springframework/security/authentication/AuthenticationProvider.html[``AuthenticationProvider``s] can be injected into <<servlet-authentication-providermanager,`ProviderManager`>>.
|
||||
Each `AuthenticationProvider` performs a specific type of authentication.
|
||||
For example, `DaoAuthenticationProvider` supports username/password based authentication while `JwtAuthenticationProvider` supports authenticating a JWT token.
|
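Review bot: in the last line of the new file, "authenticating a JWT token" is redundant; "authenticating a JWT" is enough. `DaoAuthenticationProvider` and `JwtAuthenticationProvider` are also named without a cross-reference, although `DaoAuthenticationProvider` is linked elsewhere in this commit as <<core-services-dao-provider,DaoAuthenticationProvider>>; link both the way `ProviderManager` is linked in the first sentence.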
@ -6,14 +6,17 @@ include::authentication.adoc[leveloffset=+1]
|
||||
|
||||
include::granted-authority.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication-entry-point.adoc[leveloffset=+1]
|
||||
|
||||
include::abstract-authentication-processing-filter.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication-manager.adoc[leveloffset=+1]
|
||||
|
||||
include::provider-manager.adoc[leveloffset=+1]
|
||||
|
||||
// authenticationprovider
|
||||
include::authentication-provider.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication-entry-point.adoc[leveloffset=+1]
|
||||
|
||||
// FIXME: authenticationsuccesshandler
|
||||
// FIXME: authenticationfailurehandler
|
||||
|
||||
include::abstract-authentication-processing-filter.adoc[leveloffset=+1]
|
||||
|
||||
// daoauthenticationprovider (goes in username/password)
|
||||
|
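Review bot: the `// authenticationprovider` placeholder comment directly above `include::authentication-provider.adoc[leveloffset=+1]` is satisfied by that include and can be deleted. Also check that `authentication-entry-point.adoc` and `abstract-authentication-processing-filter.adoc` are each included exactly once after the reorder, since a second include would produce duplicate section anchors.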
@ -3,7 +3,7 @@
|
||||
:figures: images/servlet/authentication/architecture
|
||||
|
||||
{security-api-url}org/springframework/security/authentication/ProviderManager.html[`ProviderManager`] is the most commonly used implementation of <<servlet-authentication-authenticationmanager,`AuthenticationManager`>>.
|
||||
`ProviderManager` delegates to a `List` of ``AuthenticationProvider``s.
|
||||
`ProviderManager` delegates to a `List` of <<servlet-authentication-authenticationprovider,``AuthenticationProvider``s>>.
|
||||
// FIXME: link to AuthenticationProvider
|
||||
Each `AuthenticationProvider` has an opportunity to indicate that authentication should be successful, fail, or indicate it cannot make a decision and allow a downstream `AuthenticationProvider` to decide.
|
||||
If none of the configured ``AuthenticationProvider``s can authenticate, then authentication will fail with a `ProviderNotFoundException` which is a special `AuthenticationException` that indicates the `ProviderManager` was not configured support the type of `Authentication` that was passed into it.
|
||||
|
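Review bot: the `// FIXME: link to AuthenticationProvider` comment is left in place even though the line above it now carries the <<servlet-authentication-authenticationprovider,...>> link it asks for; remove it in the same change. The `ProviderNotFoundException` sentence in the context also reads "was not configured support the type of `Authentication`" and needs "to" before "support".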
@ -1,7 +0,0 @@
|
||||
[[ns-entry-point-ref]]
|
||||
== Setting a Custom AuthenticationEntryPoint
|
||||
If you aren't using form login, OpenID or basic authentication through the namespace, you may want to define an authentication filter and entry point using a traditional bean syntax and link them into the namespace, as we've just seen.
|
||||
The corresponding `AuthenticationEntryPoint` can be set using the `entry-point-ref` attribute on the `<http>` element.
|
||||
|
||||
The CAS sample application is a good example of the use of custom beans with the namespace, including this syntax.
|
||||
If you aren't familiar with authentication entry points, they are discussed in the <<tech-intro-auth-entry-point,technical overview>> chapter.
|
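Review bot: the removed sentence naming the CAS sample application as a worked example of custom beans with `entry-point-ref` is not restated anywhere in this commit. If the `nsa-http-entry-point-ref` entry that the CAS chapter now links to does not mention it, carry that pointer over.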
@ -1,38 +0,0 @@
|
||||
[[ns-auth-manager]]
|
||||
== The Authentication Manager and the Namespace
|
||||
The main interface which provides authentication services in Spring Security is the `AuthenticationManager`.
|
||||
This is usually an instance of Spring Security's `ProviderManager` class, which you may already be familiar with if you've used the framework before.
|
||||
If not, it will be covered later, in the <<tech-intro-authentication,technical overview chapter>>.
|
||||
The bean instance is registered using the `authentication-manager` namespace element.
|
||||
You can't use a custom `AuthenticationManager` if you are using either HTTP or method security through the namespace, but this should not be a problem as you have full control over the `AuthenticationProvider` s that are used.
|
||||
|
||||
You may want to register additional `AuthenticationProvider` beans with the `ProviderManager` and you can do this using the `<authentication-provider>` element with the `ref` attribute, where the value of the attribute is the name of the provider bean you want to add.
|
||||
For example:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<authentication-manager>
|
||||
<authentication-provider ref="casAuthenticationProvider"/>
|
||||
</authentication-manager>
|
||||
|
||||
<bean id="casAuthenticationProvider"
|
||||
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
|
||||
...
|
||||
</bean>
|
||||
----
|
||||
|
||||
Another common requirement is that another bean in the context may require a reference to the `AuthenticationManager`.
|
||||
You can easily register an alias for the `AuthenticationManager` and use this name elsewhere in your application context.
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<security:authentication-manager alias="authenticationManager">
|
||||
...
|
||||
</security:authentication-manager>
|
||||
|
||||
<bean id="customizedFormLoginFilter"
|
||||
class="com.somecompany.security.web.CustomFormLoginFilter">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
...
|
||||
</bean>
|
||||
----
|
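Review bot: this section is removed as a duplicate, but the sentence "You can't use a custom `AuthenticationManager` if you are using either HTTP or method security through the namespace" states a constraint that none of the text added in this commit repeats. Keep that sentence, for example under the `authentication-manager` element in the namespace appendix, so readers configuring the namespace still learn that only the `AuthenticationProvider` list is under their control.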
@ -1,73 +0,0 @@
|
||||
[[jc-authentication-authenticationprovider]]
|
||||
== AuthenticationProvider
|
||||
|
||||
=== AuthenticationProvider Java Configuration
|
||||
You can define custom authentication by exposing a custom `AuthenticationProvider` as a bean.
|
||||
For example, the following will customize authentication assuming that `SpringAuthenticationProvider` implements `AuthenticationProvider`:
|
||||
|
||||
NOTE: This is only used if the `AuthenticationManagerBuilder` has not been populated
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@Bean
|
||||
public SpringAuthenticationProvider springAuthenticationProvider() {
|
||||
return new SpringAuthenticationProvider();
|
||||
}
|
||||
----
|
||||
|
||||
[[ns-auth-providers]]
|
||||
=== AuthenticationProvider XML Configuration
|
||||
In practice you will need a more scalable source of user information than a few names added to the application context file.
|
||||
Most likely you will want to store your user information in something like a database or an LDAP server.
|
||||
LDAP namespace configuration is dealt with in the <<servlet-authentication-ldap,LDAP chapter>>, so we won't cover it here.
|
||||
If you have a custom implementation of Spring Security's `UserDetailsService`, called "myUserDetailsService" in your application context, then you can authenticate against this using
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
|
||||
<authentication-manager>
|
||||
<authentication-provider user-service-ref='myUserDetailsService'/>
|
||||
</authentication-manager>
|
||||
|
||||
----
|
||||
|
||||
If you want to use a database, then you can use
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<authentication-manager>
|
||||
<authentication-provider>
|
||||
<jdbc-user-service data-source-ref="securityDataSource"/>
|
||||
</authentication-provider>
|
||||
</authentication-manager>
|
||||
----
|
||||
|
||||
Where "securityDataSource" is the name of a `DataSource` bean in the application context, pointing at a database containing the standard Spring Security <<user-schema,user data tables>>.
|
||||
Alternatively, you could configure a Spring Security `JdbcDaoImpl` bean and point at that using the `user-service-ref` attribute:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<authentication-manager>
|
||||
<authentication-provider user-service-ref='myUserDetailsService'/>
|
||||
</authentication-manager>
|
||||
|
||||
<beans:bean id="myUserDetailsService"
|
||||
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
|
||||
<beans:property name="dataSource" ref="dataSource"/>
|
||||
</beans:bean>
|
||||
----
|
||||
|
||||
You can also use standard `AuthenticationProvider` beans as follows
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
|
||||
<authentication-manager>
|
||||
<authentication-provider ref='myAuthenticationProvider'/>
|
||||
</authentication-manager>
|
||||
|
||||
----
|
||||
|
||||
where `myAuthenticationProvider` is the name of a bean in your application context which implements `AuthenticationProvider`.
|
||||
You can use multiple `authentication-provider` elements, in which case the providers will be queried in the order they are declared.
|
||||
See <<ns-auth-manager>> for more information on how the Spring Security `AuthenticationManager` is configured using the namespace.
|
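Review bot: two behavioural statements in the removed text have no counterpart in the six-line replacement file: the NOTE "This is only used if the `AuthenticationManagerBuilder` has not been populated" and "the providers will be queried in the order they are declared". Both affect which provider actually decides an authentication attempt, so they should move into the new `AuthenticationProvider` section (or the `ProviderManager` section) rather than be deleted.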
@ -139,7 +139,7 @@ The following beans should be configured to commence the CAS authentication proc
|
||||
----
|
||||
|
||||
For CAS to operate, the `ExceptionTranslationFilter` must have its `authenticationEntryPoint` property set to the `CasAuthenticationEntryPoint` bean.
|
||||
This can easily be done using <<ns-entry-point-ref,entry-point-ref>> as is done in the example above.
|
||||
This can easily be done using <<nsa-http-entry-point-ref,entry-point-ref>> as is done in the example above.
|
||||
The `CasAuthenticationEntryPoint` must refer to the `ServiceProperties` bean (discussed above), which provides the URL to the enterprise's CAS login server.
|
||||
This is where the user's browser will be redirected.
|
||||
|
||||
|
@ -15,11 +15,12 @@ If you need concrete flows that explain how these pieces fit together, look in s
|
||||
* <<servlet-authentication-securitycontext>> - is obtained from the `SecurityContextHolder` and contains the `Authentication` of the currently authenticated user.
|
||||
* <<servlet-authentication-authentication>> - Can be the input to `AuthenticationManager` to provide the credentials a user has provided to authenticate or the current user from the `SecurityContext`.
|
||||
* <<servlet-authentication-granted-authority>> - An authority that is granted to the principal on the `Authentication` (i.e. roles, scopes, etc.)
|
||||
* <<servlet-authentication-authenticationmanager>> - the API that defines how Spring Security's Filters perform <<authentication,authentication>>.
|
||||
* <<servlet-authentication-providermanager>> - the most common implementation of `AuthenticationManager`.
|
||||
* <<servlet-authentication-authenticationprovider>> - used by `ProviderManager` to perform a specific type of authentication.
|
||||
* <<servlet-authentication-authenticationentrypoint>> - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a `WWW-Authenticate` response, etc.)
|
||||
* <<servlet-authentication-abstractprocessingfilter>> - a base `Filter` used for authentication.
|
||||
This also gives a good idea of the high level flow of authentication and how pieces work together.
|
||||
* <<servlet-authentication-authenticationmanager>> - the API that defines how Spring Security's Filters perform <<authentication,authentication>>.
|
||||
* <<servlet-authentication-providermanager>> - the most common implementation of `AuthenticationManager`.
|
||||
|
||||
[[servlet-authentication-mechanisms]]
|
||||
*Authentication Mechanisms*
|
||||
@ -34,10 +35,6 @@ include::architecture/index.adoc[]
|
||||
|
||||
include::unpwd/index.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication-provider.adoc[]
|
||||
|
||||
include::authentication-manager.adoc[]
|
||||
|
||||
include::session-management.adoc[]
|
||||
|
||||
include::rememberme.adoc[]
|
||||
@ -58,4 +55,3 @@ include::runas.adoc[]
|
||||
|
||||
include::logout.adoc[]
|
||||
|
||||
include::authentication-entry-point.adoc[]
|
||||
|
@ -19,7 +19,6 @@ You should then register yourself with an OpenID provider (such as myopenid.com)
|
||||
|
||||
You should be able to login using the `myopenid.com` site to authenticate.
|
||||
It is also possible to select a specific `UserDetailsService` bean for use OpenID by setting the `user-service-ref` attribute on the `openid-login` element.
|
||||
See the previous section on <<ns-auth-providers,authentication providers>> for more information.
|
||||
Note that we have omitted the password attribute from the above user configuration, since this set of user data is only being used to load the authorities for the user.
|
||||
A random password will be generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.
|
||||
|
||||
|
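Review bot: after the `ns-auth-providers` reference is removed, the sentence about setting `user-service-ref` on the `openid-login` element no longer tells the reader where a `UserDetailsService` bean is defined; add a link to whichever section now documents that. The same sentence reads "for use OpenID" and is missing "with".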