|
1 | 1 | [[servlet-authentication-form]]
|
2 | 2 | = Form Login
|
| 3 | +:figures: images/servlet/authentication/unpwd |
| 4 | +:icondir: images/icons |
3 | 5 |
|
4 | 6 | Spring Security provides support for username and password being provided through an html form.
|
5 | 7 | This section provides details on how form based authentication works within Spring Security.
|
6 | 8 | // FIXME: describe authenticationentrypoint, authenticationfailurehandler, authenticationsuccesshandler
|
7 | 9 |
|
8 |
| -[[servlet-authentication-form-min]] |
9 |
| -== Form Login Configuration |
| 10 | +Let's take a look at how form based log in works within Spring Security. |
| 11 | +First, we see how the user is redirected to the log in form. |
| 12 | + |
| 13 | +.Redirecting to the Log In Page |
| 14 | +image::{figures}/request-credentials.png[] |
| 15 | + |
| 16 | +The figure builds off our <<servlet-securityfilterchain,`SecurityFilterChain`>> diagram. |
| 17 | + |
| 18 | +image:{icondir}/number_1.png[] First, a user makes an unauthenticated request to the resource `/private` for which it is not authorized. |
| 19 | + |
| 20 | +image:{icondir}/number_2.png[] Spring Security's <<servlet-authorization-filtersecurityinterceptor,`FilterSecurityInterceptor`>> indicates that the unauthenticated request is __Denied__ by throwing an `AccessDeniedException`. |
| 21 | + |
| 22 | +image:{icondir}/number_3.png[] Since the user is not authenticated, <<servlet-exceptiontranslationfilter,`ExceptionTranslationFilter`>> initiates __Start Authentication__ and sends a redirect to the log in page with the configured <<servlet-authentication-authenticationentrypoint,`AuthenticationEntryPoint`>>. |
| 23 | +In most cases the `AuthenticationEntryPoint` is an instance of {security-api-url}org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPoint.html[`LoginUrlAuthenticationEntryPoint`]. |
| 24 | + |
| 25 | +image:{icondir}/number_4.png[] The browser will then request the log in page that it was redirected to. |
| 26 | + |
| 27 | +image:{icondir}/number_5.png[] Something within the application, must <<servlet-authentication-form-custom,render the log in page>>. |
| 28 | + |
| 29 | +[[servlet-authentication-usernamepasswordauthenticationfilter]] |
| 30 | +When the username and password are submitted, the `UsernamePasswordAuthenticationFilter` authenticates the username and password. |
| 31 | +The `UsernamePasswordAuthenticationFilter` extends <<servlet-authentication-abstractprocessingfilter>>, so this diagram should look pretty similar. |
| 32 | + |
| 33 | +.Authenticating Username and Password |
| 34 | +image::{figures}/usernamepasswordauthenticationfilter.png[] |
10 | 35 |
|
| 36 | +The figure builds off our <<servlet-securityfilterchain,`SecurityFilterChain`>> diagram. |
| 37 | + |
| 38 | + |
| 39 | +image:{icondir}/number_1.png[] When the user submits their username and password, the `UsernamePasswordAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` which is a type of <<servlet-authentication-authentication,`Authentication`>> by extracting the username and password from the `HttpServletRequest`. |
| 40 | + |
| 41 | +image:{icondir}/number_2.png[] Next, the `UsernamePasswordAuthenticationToken` is passed into the `AuthenticationManager` to be authenticated. |
| 42 | +The details of what `AuthenticationManager` look like depend on how the <<servlet-authentication-unpwd-storage,user information is stored>>. |
| 43 | + |
| 44 | +image:{icondir}/number_3.png[] If authentication fails, then __Failure__ |
| 45 | + |
| 46 | +* The <<servlet-authentication-securitycontextholder>> is cleared out. |
| 47 | +* `RememberMeServices.loginFail` is invoked. |
| 48 | +If remember me is not configured, this is a no-op. |
| 49 | +// FIXME: link to rememberme |
| 50 | +* `AuthenticationFailureHandler` is invoked. |
| 51 | +// FIXME: link to AuthenticationFailureHandler |
| 52 | + |
| 53 | +image:{icondir}/number_4.png[] If authentication is successful, then __Success__. |
| 54 | + |
| 55 | +* `SessionAuthenticationStrategy` is notified of a new log in. |
| 56 | +// FIXME: Add link to SessionAuthenticationStrategy |
| 57 | +* The <<servlet-authentication-authentication>> is set on the <<servlet-authentication-securitycontextholder>>. |
| 58 | +// FIXME: link securitycontextpersistencefilter |
| 59 | +* `RememberMeServices.loginSuccess` is invoked. |
| 60 | +If remember me is not configured, this is a no-op. |
| 61 | +// FIXME: link to rememberme |
| 62 | +* `ApplicationEventPublisher` publishes an `InteractiveAuthenticationSuccessEvent`. |
| 63 | +* The `AuthenticationSuccessHandler` is invoked. Typically this is a `SimpleUrlAuthenticationSuccessHandler` which will redirect to a request saved by <<servlet-exceptiontranslationfilter,`ExceptionTranslationFilter`>> when we redirect to the log in page. |
| 64 | + |
| 65 | +[[servlet-authentication-form-min]] |
11 | 66 | Spring Security form log in is enabled by default.
|
12 | 67 | However, as soon as any servlet based configuration is provided, form based log in must be explicitly provided.
|
13 | 68 | A minimal, explicit Java configuration can be found below:
|
14 | 69 |
|
15 |
| -.Form Log |
| 70 | +.Form Log In |
16 | 71 | ====
|
17 | 72 | .Java
|
18 | 73 | [source,java,role="primary"]
|
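Review bot: the `== Form Login Configuration` heading is removed without a replacement, so the minimal configuration at new lines 65-69 now follows the walkthrough with no subsection title while the `[[servlet-authentication-form-min]]` anchor is kept; either add a heading under the anchor or confirm that inbound `<<servlet-authentication-form-min>>` references still render sensibly when their target is a paragraph rather than a section. The new prose also has a few wording issues: line 27 carries a stray comma (`Something within the application, must`), line 42 should read `what the AuthenticationManager looks like`, line 44 lacks a terminating period after `__Failure__`, and line 39 reads more naturally as `extracts the username and password from the HttpServletRequest and creates a UsernamePasswordAuthenticationToken, which is a type of Authentication`. Since the `// FIXME: link to ...` comments (lines 49, 51, 56, 58, 61) are being committed rather than resolved, the `SessionAuthenticationStrategy` bullet at line 55 would benefit from one clause on why it is notified (session fixation protection and concurrent-session limits) until the link exists, as that is the step in the success path that matters most from a security standpoint.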
@@ -49,8 +104,6 @@ In this configuration Spring Security will render a default log in page.
|
49 | 104 | Most production applications will require a custom log in form.
|
50 | 105 |
|
51 | 106 | [[servlet-authentication-form-custom]]
|
52 |
| -== Custom Log In Form |
53 |
| - |
54 | 107 | The configuration below demonstrates how to provide a custom log in form.
|
55 | 108 |
|
56 | 109 | .Custom Log In Form Configuration
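Review bot: removing `== Custom Log In Form` together with the blank line at old line 53 leaves `[[servlet-authentication-form-custom]]` bound directly to the paragraph at new line 107, so the anchor still resolves, but the section no longer appears in the table of contents and any bare `<<servlet-authentication-form-custom>>` reference elsewhere has no section title to fall back on (the one at hunk 1 line 27 is fine because it supplies its own text, `render the log in page`). Check the remaining references before merging, or keep a heading under the anchor so the custom form configuration stays discoverable.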