Subject: Two ways to provide custom login/authentication
Author: WebSpider
In response to: Custom login -- Flow
Posted on: 07/10/2020 05:58:47 PM
user --------------- /app/list_resource
  |
  v
filter: DelegatingFilterProxy
  |
  v
<http form-login@login-page: /my_login (1)
  |
  v
Controller.login(String error, String logout)
  |
  v
View: login.jsp action="/where_?"
(user's input) -------------------> match (2) in xml? --no--> A: (custom process)
                                      |
                                     yes
                                      |
                                      v
                                    B: processed by Spring: <authentication-manager>
                                      |
As shown in the above flow chart, there are two possible routes to process authentication:
Route A: If "/where_?" in login.jsp does NOT match "/where_to_process_login" in the xml configuration, the traffic is going to flow to a custom process controller:
    @RequestMapping(value = "/where_to_process_login_custom", method = RequestMethod.POST)
    public ModelAndView login_process(@RequestParam String username, @RequestParam String password, HttpSession session){
        /* your custom implementation here ... */
    }
Route B: If "/where_?" in login.jsp does match "/where_to_process_login" in the xml configuration, the traffic is going to flow to the Spring process, and you can still add your own custom implementation by providing your own authentication-provider:
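    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class DBSecurityConfig extends WebSecurityConfigurerAdapter {

        // Loads the user record (name, password hash, authorities) for the provider below
        @Autowired
        private UserDetailsService userDetailsService;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            /* http.authorizeRequests.configuration ... */
        }

        // XML counterpart (if not defined here by WebSecurityConfigurerAdapter):
        // <authentication-manager>
        //     <authentication-provider ref="customAuthenticationProvider" />
        // </authentication-manager>
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(
                getAuthenticationProvider() // <-- your own provider here
            );
        }

        // Provider that checks the submitted password against the stored hash
        @Bean
        public DaoAuthenticationProvider getAuthenticationProvider() {
            DaoAuthenticationProvider auth = new DaoAuthenticationProvider();
            auth.setUserDetailsService(userDetailsService);
            auth.setPasswordEncoder(passwordEncoder());
            return auth;
        }

        // Passwords are stored and compared as BCrypt hashes
        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }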
>
> On 12/06/2017 03:17:43 AM
WebSpider wrote:
Ultimate goal: GET /app/list_resource
user -------------------- /app/list_resource -------------------------------------------------> protected resource
How to reach the goal: GET /app/list_resource
user --------------- /app/list_resource
  |
  v
filter: DelegatingFilterProxy
  |
  v
<http form-login@login-page: /my_login (1)
  |
  v
Controller.login(String error, String logout)
  |
  v
View: login.jsp action="/where_"
(user's input) -------------------> match (2) in xml? --no--> (custom process)
                                      |
                                     yes
                                      |
                                      v
                                    processed by Spring: <authentication-manager>
                                      |
                                    succeed? --no--> /my_login?error (3)
                                      |
                                     yes
                                      |
                                      v
                                    always-use-default-target (5) ==true? --no--> /app/list_resource -----> protected resource
                                      |
                                     yes
                                      |
                                      v
                                    /welcome (4)
References:
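
Added example, not part of the original post and not Spring's own code: one way to fill in the Route A controller so that it still does what Spring's login filter would have done on Route B (authenticate through the AuthenticationManager, change the session id, store the SecurityContext in the session, and give one generic failure response). Assumptions: the class name CustomLoginController is hypothetical, the AuthenticationManager is exposed as a bean (for example by overriding authenticationManagerBean() in the WebSecurityConfigurerAdapter), the container is Servlet 3.1 or later, and HttpServletRequest replaces the HttpSession parameter of the post's signature so the session id can be changed.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class CustomLoginController { // hypothetical class name
    // Assumption: exposed as a bean, so the same providers as Route B are used
    @Autowired
    private AuthenticationManager authenticationManager;

    @RequestMapping(value = "/where_to_process_login_custom", method = RequestMethod.POST)
    public ModelAndView login_process(@RequestParam String username,
            @RequestParam String password, HttpServletRequest request) {
        try {
            // Password check (BCrypt via the configured provider), never a manual string compare
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // Session fixation defence: new session id before the session becomes authenticated
            request.getSession(true);
            request.changeSessionId();
            // Store the context where Spring's filter chain looks for it on later requests
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            SecurityContextHolder.setContext(context);
            request.getSession().setAttribute(
                    HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
            return new ModelAndView("redirect:/welcome");
        } catch (AuthenticationException e) {
            // Same response for unknown user and wrong password, so accounts cannot be enumerated
            SecurityContextHolder.clearContext();
            return new ModelAndView("redirect:/my_login?error");
        }
    }
}
```

The custom URL still passes through the Spring filter chain, so it needs a matching rule in configure(HttpSecurity), and the login form still has to send the CSRF token when CSRF protection is enabled.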