
How does Spring Security redirect a user who is unauthenticated to an external login page (AWS Cognito)?

I have developed a basic Spring boot service with Spring security with the following config

spring:
  security:
    oauth2:
      client:
        registration:
          cognito:
            clientId: yyyy
            clientSecret: xxxx
            scope: openid
            redirect-uri: http://localhost:8080/login/oauth2/code/cognito
            clientName: spring-sso
        provider:
          cognito:
            issuerUri: https://cognito-idp.eu-west-1.amazonaws.com/zzzzzzzzzz
            user-name-attribute: cognito:username

It all works fine; the user is redirected to the AWS Cognito SSO page.

However, I can't pinpoint where the logic for this redirect happens in the Spring framework.

I enabled debug and can see a list of Security Filters that are called in the chain.

  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  OAuth2AuthorizationRequestRedirectFilter
  OAuth2LoginAuthenticationFilter
  DefaultLoginPageGeneratingFilter
  DefaultLogoutPageGeneratingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor

I placed debug points on OAuth2AuthorizationRequestRedirectFilter, DefaultLoginPageGeneratingFilter and OAuth2LoginAuthenticationFilter, but no success.

Where does the magic happen where it constructs the URL to send the user to SSO page:

If non authenticated user accessing secure page --> then redirect to SSO login page

The reason I am interested is so I can determine whether I can use the same library in an old Jakarta EE application or not.

The interface responsible for redirecting an authenticated user in Spring Security is called AuthenticationEntryPoint. (I often found the name confusing, but the idea is that it's telling an unauthenticated user where to authenticate, i.e. find the "entry".)

As for the filter, look in the ExceptionTranslationFilter.

In the version that I'm currently looking at (5.3.4) it's in doFilter, then handleSpringSecurityException, then sendStartAuthentication, where authenticationEntryPoint.commence is called.
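To make that step visible in the question's own setup, here is an added example (not code from the question, the answer, or Spring itself) that replaces Spring's default entry point with a logging one. It assumes Spring Security 5.3.x (javax.servlet, WebSecurityConfigurerAdapter) and the "cognito" registration id from the question's YAML; with oauth2Login defaults and a single registration, Spring installs an equivalent LoginUrlAuthenticationEntryPoint for /oauth2/authorization/cognito, so the class names SsoRedirectConfig and LoggingEntryPoint are the only things invented here.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.Customizer;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

// Hypothetical class names; the wiring and Spring types are real.
@EnableWebSecurity
public class SsoRedirectConfig extends WebSecurityConfigurerAdapter {

    // Local path served by OAuth2AuthorizationRequestRedirectFilter, which builds the
    // actual Cognito authorization URL from the "cognito" client registration.
    static final String COGNITO_LOGIN =
            OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/cognito";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            // Explicit entry point: ExceptionTranslationFilter.sendStartAuthentication
            // calls commence() on it for every unauthenticated request to a secured page.
            .exceptionHandling(e -> e.authenticationEntryPoint(new LoggingEntryPoint()));
    }

    static final class LoggingEntryPoint implements AuthenticationEntryPoint {
        private static final Logger log = LoggerFactory.getLogger(LoggingEntryPoint.class);
        // The delegate issues the 302 to a fixed local path; the target is never taken
        // from the request, so it cannot be abused as an open redirect.
        private final AuthenticationEntryPoint delegate = new LoginUrlAuthenticationEntryPoint(COGNITO_LOGIN);

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException ex) throws IOException, ServletException {
            // Good place for a breakpoint: this is the "magic" the question asks about.
            log.info("unauthenticated {} {} -> {} ({})", request.getMethod(),
                     request.getRequestURI(), COGNITO_LOGIN, ex.getClass().getSimpleName());
            delegate.commence(request, response, ex);
        }
    }
}
```

The browser then follows /oauth2/authorization/cognito, where OAuth2AuthorizationRequestRedirectFilter performs the second redirect to the Cognito issuer's authorization endpoint.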
