diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc index 39b653a2d2..9b98f761d9 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc @@ -27,7 +27,7 @@ The positions of the standard filters are fixed (see You can, of course, still do this if you need full control of the configuration. -All filters which require a reference to the `AuthenticationManager` will be automatically injected with the internal instance created by the namespace configuration (see the <> for more on the `AuthenticationManager`). +All filters which require a reference to the <> will be automatically injected with the internal instance created by the namespace configuration. Each `` namespace block always creates an `SecurityContextPersistenceFilter`, an `ExceptionTranslationFilter` and a `FilterSecurityInterceptor`. These are fixed and cannot be replaced with alternatives. @@ -2033,7 +2033,6 @@ All elements which create `AuthenticationProvider` instances should be children [[nsa-authentication-manager-alias]] * **alias** This attribute allows you to define an alias name for the internal instance for use in your own configuration. -Its use is described in the <>. [[nsa-authentication-manager-erase-credentials]] 
@@ -2062,7 +2061,7 @@ It is the same as the alias element, but provides a more consistent experience w Unless used with a `ref` attribute, this element is shorthand for configuring a <>. `DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login. The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context). -You can find examples of these variations in the <>. + [[nsa-authentication-provider-parents]] diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-provider.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-provider.adoc new file mode 100644 index 0000000000..ab44bb9fc0 --- /dev/null +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-provider.adoc @@ -0,0 +1,6 @@ +[[servlet-authentication-authenticationprovider]] += AuthenticationProvider + +Multiple {security-api-url}org/springframework/security/authentication/AuthenticationProvider.html[``AuthenticationProvider``s] can be injected into <>. +Each `AuthenticationProvider` performs a specific type of authentication. +For example, `DaoAuthenticationProvider` supports username/password based authentication while `JwtAuthenticationProvider` supports authenticating a JWT token. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/index.adoc index d50c286dcc..4df295e609 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/index.adoc 
@@ -6,14 +6,17 @@ include::authentication.adoc[leveloffset=+1] include::granted-authority.adoc[leveloffset=+1] -include::authentication-entry-point.adoc[leveloffset=+1] - -include::abstract-authentication-processing-filter.adoc[leveloffset=+1] - include::authentication-manager.adoc[leveloffset=+1] include::provider-manager.adoc[leveloffset=+1] -// authenticationprovider +include::authentication-provider.adoc[leveloffset=+1] + +include::authentication-entry-point.adoc[leveloffset=+1] + +// FIXME: authenticationsuccesshandler +// FIXME: authenticationfailurehandler + +include::abstract-authentication-processing-filter.adoc[leveloffset=+1] // daoauthenticationprovider (goes in username/password) diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/provider-manager.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/provider-manager.adoc index 98535aef47..1075eed6c1 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/provider-manager.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/provider-manager.adoc 
@@ -3,7 +3,7 @@ :figures: images/servlet/authentication/architecture {security-api-url}org/springframework/security/authentication/ProviderManager.html[`ProviderManager`] is the most commonly used implementation of <>. -`ProviderManager` delegates to a `List` of ``AuthenticationProvider``s. +`ProviderManager` delegates to a `List` of <>. // FIXME: link to AuthenticationProvider Each `AuthenticationProvider` has an opportunity to indicate that authentication should be successful, fail, or indicate it cannot make a decision and allow a downstream `AuthenticationProvider` to decide. If none of the configured ``AuthenticationProvider``s can authenticate, then authentication will fail with a `ProviderNotFoundException` which is a special `AuthenticationException` that indicates the `ProviderManager` was not configured support the type of `Authentication` that was passed into it. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-entry-point.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-entry-point.adoc deleted file mode 100644 index 833dd79b87..0000000000 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-entry-point.adoc +++ /dev/null @@ -1,7 +0,0 @@ -[[ns-entry-point-ref]] -== Setting a Custom AuthenticationEntryPoint -If you aren't using form login, OpenID or basic authentication through the namespace, you may want to define an authentication filter and entry point using a traditional bean syntax and link them into the namespace, as we've just seen. -The corresponding `AuthenticationEntryPoint` can be set using the `entry-point-ref` attribute on the `` element. - -The CAS sample application is a good example of the use of custom beans with the namespace, including this syntax. -If you aren't familiar with authentication entry points, they are discussed in the <> chapter. 
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-manager.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-manager.adoc deleted file mode 100644 index 4cdff1e782..0000000000 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-manager.adoc +++ /dev/null @@ -1,38 +0,0 @@ -[[ns-auth-manager]] -== The Authentication Manager and the Namespace -The main interface which provides authentication services in Spring Security is the `AuthenticationManager`. -This is usually an instance of Spring Security's `ProviderManager` class, which you may already be familiar with if you've used the framework before. -If not, it will be covered later, in the <>. -The bean instance is registered using the `authentication-manager` namespace element. -You can't use a custom `AuthenticationManager` if you are using either HTTP or method security through the namespace, but this should not be a problem as you have full control over the `AuthenticationProvider` s that are used. - -You may want to register additional `AuthenticationProvider` beans with the `ProviderManager` and you can do this using the `` element with the `ref` attribute, where the value of the attribute is the name of the provider bean you want to add. -For example: - -[source,xml] ----- - - - - - -... - ----- - -Another common requirement is that another bean in the context may require a reference to the `AuthenticationManager`. -You can easily register an alias for the `AuthenticationManager` and use this name elsewhere in your application context. - -[source,xml] ----- - -... - - - - -... - ----- diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-provider.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-provider.adoc deleted file mode 100644 index 6446addd71..0000000000 
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/authentication-provider.adoc +++ /dev/null 
@@ -1,73 +0,0 @@ -[[jc-authentication-authenticationprovider]] -== AuthenticationProvider - -=== AuthenticationProvider Java Configuration -You can define custom authentication by exposing a custom `AuthenticationProvider` as a bean. -For example, the following will customize authentication assuming that `SpringAuthenticationProvider` implements `AuthenticationProvider`: - -NOTE: This is only used if the `AuthenticationManagerBuilder` has not been populated - -[source,java] ----- -@Bean -public SpringAuthenticationProvider springAuthenticationProvider() { - return new SpringAuthenticationProvider(); -} ----- - -[[ns-auth-providers]] -=== AuthenticationProvider XML Configuration -In practice you will need a more scalable source of user information than a few names added to the application context file. -Most likely you will want to store your user information in something like a database or an LDAP server. -LDAP namespace configuration is dealt with in the <>, so we won't cover it here. -If you have a custom implementation of Spring Security's `UserDetailsService`, called "myUserDetailsService" in your application context, then you can authenticate against this using - -[source,xml] ----- - - - - - ----- - -If you want to use a database, then you can use - -[source,xml] ----- - - - - - ----- - -Where "securityDataSource" is the name of a `DataSource` bean in the application context, pointing at a database containing the standard Spring Security <>. -Alternatively, you could configure a Spring Security `JdbcDaoImpl` bean and point at that using the `user-service-ref` attribute: - -[source,xml] ----- - - - - - - - ----- - -You can also use standard `AuthenticationProvider` beans as follows - -[source,xml] ----- - - - - - ----- - -where `myAuthenticationProvider` is the name of a bean in your application context which implements `AuthenticationProvider`. 
-You can use multiple `authentication-provider` elements, in which case the providers will be queried in the order they are declared. -See <> for more information on how the Spring Security `AuthenticationManager` is configured using the namespace. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/cas.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/cas.adoc index f60f024ef4..baf7f24625 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/cas.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/cas.adoc @@ -139,7 +139,7 @@ The following beans should be configured to commence the CAS authentication proc ---- For CAS to operate, the `ExceptionTranslationFilter` must have its `authenticationEntryPoint` property set to the `CasAuthenticationEntryPoint` bean. -This can easily be done using <> as is done in the example above. +This can easily be done using <> as is done in the example above. The `CasAuthenticationEntryPoint` must refer to the `ServiceProperties` bean (discussed above), which provides the URL to the enterprise's CAS login server. This is where the user's browser will be redirected. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc index 664b90768a..6fedf88ecf 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc 
@@ -15,11 +15,12 @@ If you need concrete flows that explain how these pieces fit together, look in s * <> - is obtained from the `SecurityContextHolder` and contains the `Authentication` of the currently authenticated user. * <> - Can be the input to `AuthenticationManager` to provide the credentials a user has provided to authenticate or the current user from the `SecurityContext`. * <> - An authority that is granted to the principal on the `Authentication` (i.e. roles, scopes, etc.) +* <> - the API that defines how Spring Security's Filters perform <>. +* <> - the most common implementation of `AuthenticationManager`. +* <> - used by `ProviderManager` to perform a specific type of authentication. * <> - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a `WWW-Authenticate` response, etc.) * <> - a base `Filter` used for authentication. This also gives a good idea of the high level flow of authentication and how pieces work together. -* <> - the API that defines how Spring Security's Filters perform <>. -* <> - the most common implementation of `AuthenticationManager`. [[servlet-authentication-mechanisms]] *Authentication Mechanisms* @@ -34,10 +35,6 @@ include::architecture/index.adoc[] include::unpwd/index.adoc[leveloffset=+1] -include::authentication-provider.adoc[] - -include::authentication-manager.adoc[] - include::session-management.adoc[] include::rememberme.adoc[] @@ -58,4 +55,3 @@ include::runas.adoc[] include::logout.adoc[] -include::authentication-entry-point.adoc[] diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc index eaf2756f6c..a16dc638ec 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc 
@@ -19,7 +19,6 @@ You should then register yourself with an OpenID provider (such as myopenid.com) You should be able to login using the `myopenid.com` site to authenticate. It is also possible to select a specific `UserDetailsService` bean for use OpenID by setting the `user-service-ref` attribute on the `openid-login` element. -See the previous section on <> for more information. Note that we have omitted the password attribute from the above user configuration, since this set of user data is only being used to load the authorities for the user. A random password will be generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.
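Review bot: in the `namespace.adoc` hunk at `[[nsa-authentication-manager-alias]]`, dropping `Its use is described in the <>.` leaves the `alias` attribute with no link to a worked example, and the only alias example on this page (the `[source,xml]` block under "You can easily register an alias for the `AuthenticationManager`" in the deleted `authentication-manager.adoc`) goes away in the same patch. Re-target the xref to wherever that example is re-homed, or inline a one-line `alias` snippet under the attribute description, rather than removing the pointer outright.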
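Review bot: in the `namespace.adoc` hunk at `@@ -2062`, the `+` line that replaces `You can find examples of these variations in the <>.` is an empty line, so together with the existing blank context line there are now two consecutive blank lines before `[[nsa-authentication-provider-parents]]`; delete the line instead of replacing it with whitespace. Drive-by in the same hunk's context: the parenthesis in `(`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context)` should close after `jdbc-user-service`, since only that is the namespace element and `user-service-ref` is the alternative.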
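Review bot: in the new `architecture/authentication-provider.adoc`, `authenticating a JWT token` is redundant (`JWT` already expands to JSON Web Token), so `authenticating a JWT` reads better. Also, `Multiple ... can be injected into <>` depends entirely on the xref for its meaning; name `ProviderManager` in the sentence text as well so it still reads if the link renders as a section title. The `provider-manager.adoc` context on this page already states that a provider may decline to decide and let a downstream provider try; one sentence restating that here would make the new section self-contained.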
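Review bot: the `architecture/index.adoc` hunk commits two placeholder lines, `// FIXME: authenticationsuccesshandler` and `// FIXME: authenticationfailurehandler`, into the include list. If those sections are out of scope for this change, track them in an issue; if they are kept as comments, group them with the existing `// daoauthenticationprovider (goes in username/password)` note so the outstanding TODOs for this index sit together.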
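Review bot: in the `provider-manager.adoc` hunk, the `+` line now links `<>` for the `AuthenticationProvider` list, so the unchanged `// FIXME: link to AuthenticationProvider` comment directly below it is stale and should be removed in this hunk. Drive-by in the same context: `was not configured support the type of `Authentication`` is missing a word, `was not configured to support the type of`.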
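Review bot: deleting `authentication/authentication-manager.adoc` removes two things that nothing added in this patch carries over: the constraint `You can't use a custom `AuthenticationManager` if you are using either HTTP or method security through the namespace`, and the `[source,xml]` example of adding extra providers with the `ref` attribute. The new `architecture/` pages describe `AuthenticationManager` and `ProviderManager` generically, not the namespace behaviour, so restate the constraint under the `authentication-manager` element in `namespace.adoc` and move the `ref` example there (or into `unpwd/`) rather than dropping it.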
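Review bot: deleting `authentication/authentication-provider.adoc` loses two facts that have no replacement on this page: `NOTE: This is only used if the `AuthenticationManagerBuilder` has not been populated` (the condition under which a custom `AuthenticationProvider` `@Bean` is actually picked up) and `the providers will be queried in the order they are declared`. The new `architecture/authentication-provider.adoc` says a `ProviderManager` delegates to multiple providers but not that declaration order matters; add the ordering sentence there, and attach the `@Bean` caveat to wherever the Java config example is re-homed (the `// daoauthenticationprovider (goes in username/password)` comment suggests `unpwd/`).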
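Review bot: the `authentication/index.adoc` hunks at `@@ -34` and `@@ -58` drop the includes whose files define the anchors `[[jc-authentication-authenticationprovider]]`, `[[ns-auth-providers]]`, `[[ns-auth-manager]]` and `[[ns-entry-point-ref]]`. This patch retargets the xrefs it touches in `namespace.adoc`, `cas.adoc` and `openid.adoc`, but any other `<<ns-auth-manager>>`, `<<ns-auth-providers>>`, `<<ns-entry-point-ref>>` or `<<jc-authentication-authenticationprovider>>` references in the manual will now dangle. Please grep for those ids before merging, or add them as secondary anchors on the new `architecture/` sections so existing deep links keep resolving.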
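Review bot: nit in the unchanged context line just above the `openid.adoc` deletion: `select a specific `UserDetailsService` bean for use OpenID` should read `for use with OpenID`.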