
Understanding Spring's Authentication-object and the context of its creation

I am trying to get a grasp of Spring-Security and I currently have some trouble in understanding the Authentication-Object/Interface that has yet to be solved by the tutorials I found. So I would be thankful for clarification on the following aspects:

  1. Concerning the interface itself:

    1.1 Is it common to create your own implementation of the Authentication-Interface?
    1.2 Would that be the place to implement a custom form of credentials?

  2. I have seen lots of examples that implement custom AuthenticationProvider but:

    2.1 Where does the authenticate method get its Authentication parameter from? (I assume if I specify out of the box form-login in my config, this is the origin, but if I don't?)
    2.2 Is it possible to provide my own source of Authentication-Objects to be used by a custom AuthenticationProvider?

Maybe I can better explain the last two bits by an example. Say I want to provide authentication via a triplet of information like username, password and the knowledge of the last two words of a poem that I give the first sentence of. So in this case my credentials would be extended from the usual user/pw scenario. Further I might want to have post-requests of a certain form as source for these credentials.

I hope this is not too vague. If I can do something to refine my question, tell me and I will try.

  1. It's possible to define a custom Authentication object given that you satisfy the contract specified by the interface. Although given your use case, extending UsernamePasswordAuthenticationToken may be more in line with what you are trying to achieve.

  2. The .authenticate(Authentication a) is called from the ProviderManager (a default implementation for AuthenticationManager). So when creating a custom AuthenticationProvider, be sure to register it with the AuthenticationManager.

It is possible to provide your own source of Authentication objects. You can do this by setting up a filter.

You can peek at the default Spring filter for form logins, UsernamePasswordAuthenticationFilter, since that would be closest to your use case.
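The flow described in the answer above, as an added example that is not part of the original answer: a filter builds the extended token from the login POST, and a provider that `supports()` only that token type verifies all three values. It assumes Spring Security 6 (`jakarta.*` servlet API); the class names `PoemAuthenticationToken`, `PoemAuthenticationFilter`, `PoemAuthenticationProvider`, the `PoemEndingStore` interface and the `poemEnding` form field are hypothetical.

```java
import jakarta.servlet.http.*;
import java.util.Objects;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical lookup: the expected poem ending, stored encoded like a password.
// Assumed to return an encoded value for every existing user.
interface PoemEndingStore { String encodedEndingFor(String username); }

// Unauthenticated request token carrying the third credential.
class PoemAuthenticationToken extends UsernamePasswordAuthenticationToken {
    final String poemEnding;
    PoemAuthenticationToken(String username, String password, String poemEnding) {
        super(username, password); // two-argument constructor: isAuthenticated() stays false
        this.poemEnding = poemEnding;
    }
}

// Source of the Authentication object: builds the token from the login POST.
class PoemAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) {
        if (!"POST".equals(req.getMethod())) throw new AuthenticationServiceException("Only POST is supported");
        PoemAuthenticationToken token = new PoemAuthenticationToken(
            Objects.toString(obtainUsername(req), "").trim(), Objects.toString(obtainPassword(req), ""),
            Objects.toString(req.getParameter("poemEnding"), "").trim()); // assumed field name
        setDetails(req, token);
        return getAuthenticationManager().authenticate(token); // ProviderManager selects the provider
    }
}

// Invoked by ProviderManager for token types that supports() accepts.
class PoemAuthenticationProvider implements AuthenticationProvider {
    private final UserDetailsService users; private final PasswordEncoder encoder; private final PoemEndingStore poems;
    PoemAuthenticationProvider(UserDetailsService u, PasswordEncoder e, PoemEndingStore p) { users = u; encoder = e; poems = p; }
    @Override
    public Authentication authenticate(Authentication auth) {
        PoemAuthenticationToken token = (PoemAuthenticationToken) auth;
        try {
            UserDetails user = users.loadUserByUsername(token.getName());
            boolean passwordOk = encoder.matches((String) token.getCredentials(), user.getPassword());
            boolean poemOk = encoder.matches(token.poemEnding, poems.encodedEndingFor(user.getUsername()));
            if (passwordOk & poemOk) // both checks always run; the caller cannot tell which one failed
                return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        } catch (UsernameNotFoundException e) { /* same generic failure as a wrong secret */ }
        throw new BadCredentialsException("Bad credentials");
    }
    @Override
    public boolean supports(Class<?> type) { return PoemAuthenticationToken.class.isAssignableFrom(type); }
}
```

To wire it up, register the provider with `HttpSecurity.authenticationProvider(...)`, call `setAuthenticationManager(...)` on the filter, and install the filter with `addFilterAt(filter, UsernamePasswordAuthenticationFilter.class)`.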

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 