Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-25 17:06:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
spring-security/docs/modules/ROOT/pages/servlet/appendix/namespace/authentication-manager.adoc
Rob Winch 2471e3296d Fix xsd tests
2021-12-13 17:38:22 -06:00

293 lines
8.5 KiB
Plaintext
Raw Blame History

[[nsa-authentication]]
= Authentication Services
Before Spring Security 3.0, an `AuthenticationManager` was automatically registered internally.
Now you must register one explicitly using the `<authentication-manager>` element.
This creates an instance of Spring Security's `ProviderManager` class, which needs to be configured with a list of one or more `AuthenticationProvider` instances.
These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the `authentication-provider` element.
[[nsa-authentication-manager]]
== <authentication-manager>
Every Spring Security application which uses the namespace must have include this element somewhere.
It is responsible for registering the `AuthenticationManager` which provides authentication services to the application.
All elements which create `AuthenticationProvider` instances should be children of this element.
[[nsa-authentication-manager-attributes]]
=== <authentication-manager> Attributes
[[nsa-authentication-manager-alias]]
* **alias**
This attribute allows you to define an alias name for the internal instance for use in your own configuration.
[[nsa-authentication-manager-erase-credentials]]
* **erase-credentials**
If set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated.
Literally it maps to the `eraseCredentialsAfterAuthentication` property of the xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`].
[[nsa-authentication-manager-id]]
* **id**
This attribute allows you to define an id for the internal instance for use in your own configuration.
It is the same as the alias element, but provides a more consistent experience with elements that use the id attribute.
[[nsa-authentication-manager-children]]
=== Child Elements of <authentication-manager>
* <<nsa-authentication-provider,authentication-provider>>
* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-authentication-provider[ldap-authentication-provider]
[[nsa-authentication-provider]]
== <authentication-provider>
Unless used with a `ref` attribute, this element is shorthand for configuring a `DaoAuthenticationProvider`.
`DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login.
The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context).
[[nsa-authentication-provider-parents]]
=== Parent Elements of <authentication-provider>
* <<nsa-authentication-manager,authentication-manager>>
[[nsa-authentication-provider-attributes]]
=== <authentication-provider> Attributes
[[nsa-authentication-provider-ref]]
* **ref**
Defines a reference to a Spring bean that implements `AuthenticationProvider`.
If you have written your own `AuthenticationProvider` implementation (or want to configure one of Spring Security's own implementations as a traditional bean for some reason, then you can use the following syntax to add it to the internal list of `ProviderManager`:
[source,xml]
----
<security:authentication-manager>
<security:authentication-provider ref="myAuthenticationProvider" />
</security:authentication-manager>
<bean id="myAuthenticationProvider" class="com.something.MyAuthenticationProvider"/>
----
[[nsa-authentication-provider-user-service-ref]]
* **user-service-ref**
A reference to a bean that implements UserDetailsService that may be created using the standard bean element or the custom user-service element.
[[nsa-authentication-provider-children]]
=== Child Elements of <authentication-provider>
* <<nsa-jdbc-user-service,jdbc-user-service>>
* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-user-service[ldap-user-service]
* <<nsa-password-encoder,password-encoder>>
* <<nsa-user-service,user-service>>
[[nsa-jdbc-user-service]]
== <jdbc-user-service>
Causes creation of a JDBC-based UserDetailsService.
[[nsa-jdbc-user-service-attributes]]
=== <jdbc-user-service> Attributes
[[nsa-jdbc-user-service-authorities-by-username-query]]
* **authorities-by-username-query**
An SQL statement to query for a user's granted authorities given a username.
The default is
[source]
----
select username, authority from authorities where username = ?
----
[[nsa-jdbc-user-service-cache-ref]]
* **cache-ref**
Defines a reference to a cache for use with a UserDetailsService.
[[nsa-jdbc-user-service-data-source-ref]]
* **data-source-ref**
The bean ID of the DataSource which provides the required tables.
[[nsa-jdbc-user-service-group-authorities-by-username-query]]
* **group-authorities-by-username-query**
An SQL statement to query user's group authorities given a username.
The default is
+
[source]
----
select
g.id, g.group_name, ga.authority
from
groups g, group_members gm, group_authorities ga
where
gm.username = ? and g.id = ga.group_id and g.id = gm.group_id
----
[[nsa-jdbc-user-service-id]]
* **id**
A bean identifier, used for referring to the bean elsewhere in the context.
[[nsa-jdbc-user-service-role-prefix]]
* **role-prefix**
A non-empty string prefix that will be added to role strings loaded from persistent storage (default is "ROLE_").
Use the value "none" for no prefix in cases where the default is non-empty.
[[nsa-jdbc-user-service-users-by-username-query]]
* **users-by-username-query**
An SQL statement to query a username, password, and enabled status given a username.
The default is
+
[source]
----
select username, password, enabled from users where username = ?
----
[[nsa-password-encoder]]
== <password-encoder>
Authentication providers can optionally be configured to use a password encoder as described in the xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage].
This will result in the bean being injected with the appropriate `PasswordEncoder` instance.
[[nsa-password-encoder-parents]]
=== Parent Elements of <password-encoder>
* <<nsa-authentication-provider,authentication-provider>>
* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-compare[password-compare]
[[nsa-password-encoder-attributes]]
=== <password-encoder> Attributes
[[nsa-password-encoder-hash]]
* **hash**
Defines the hashing algorithm used on user passwords.
We recommend strongly against using MD4, as it is a very weak hashing algorithm.
[[nsa-password-encoder-ref]]
* **ref**
Defines a reference to a Spring bean that implements `PasswordEncoder`.
[[nsa-user-service]]
== <user-service>
Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required.
[[nsa-user-service-attributes]]
=== <user-service> Attributes
[[nsa-user-service-id]]
* **id**
A bean identifier, used for referring to the bean elsewhere in the context.
[[nsa-user-service-properties]]
* **properties**
The location of a Properties file where each line is in the format of
+
[source]
----
username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
----
[[nsa-user-service-children]]
=== Child Elements of <user-service>
* <<nsa-user,user>>
[[nsa-user]]
== <user>
Represents a user in the application.
[[nsa-user-parents]]
=== Parent Elements of <user>
* <<nsa-user-service,user-service>>
[[nsa-user-attributes]]
=== <user> Attributes
[[nsa-user-authorities]]
* **authorities**
One of more authorities granted to the user.
Separate authorities with a comma (but no space).
For example, "ROLE_USER,ROLE_ADMINISTRATOR"
[[nsa-user-disabled]]
* **disabled**
Can be set to "true" to mark an account as disabled and unusable.
[[nsa-user-locked]]
* **locked**
Can be set to "true" to mark an account as locked and unusable.
[[nsa-user-name]]
* **name**
The username assigned to the user.
[[nsa-user-password]]
* **password**
The password assigned to the user.
This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).
This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities.
If omitted, the namespace will generate a random value, preventing its accidental use for authentication.
Cannot be empty.
Reference in New Issue View Git Blame Copy Permalink