I have developed a basic Spring Boot service with Spring Security with the following config:
    spring:
      security:
        oauth2:
          client:
            registration:
              cognito:
                clientId: yyyy
                clientSecret: xxxx
                scope: openid
                redirect-uri: http://localhost:8080/login/oauth2/code/cognito
                clientName: spring-sso
            provider:
              cognito:
                issuerUri: https://cognito-idp.eu-west-1.amazonaws.com/zzzzzzzzzz
                user-name-attribute: cognito:username
It all works fine; the user is redirected to the AWS Cognito SSO page.
However, I can't pinpoint where the logic for this redirect happens in the Spring framework.
I enabled debug and can see a list of Security Filters that are called in the chain:
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
OAuth2AuthorizationRequestRedirectFilter
OAuth2LoginAuthenticationFilter
DefaultLoginPageGeneratingFilter
DefaultLogoutPageGeneratingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
I placed debug points on OAuth2AuthorizationRequestRedirectFilter, DefaultLoginPageGeneratingFilter and OAuth2LoginAuthenticationFilter but no success.
Where does the magic happen where it constructs the URL to send the user to SSO page:
If non authenticated user accessing secure page --> then redirect to SSO login page
The reason I am interested is so I can determine if I can use the same library in an old Jakarta EE application or not.
The interface responsible for redirecting an authenticated user in Spring Security is called AuthenticationEntryPoint. (I often found the name confusing, but the idea is that it's telling an unauthenticated user where to authenticate, i.e. find the "entry".)
As for the filter, look in the ExceptionTranslationFilter.
In the version that I'm currently looking at (5.3.4) it's in doFilter, then handleSpringSecurityException, then sendStartAuthentication; here authenticationEntryPoint.commence is called.
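One way to watch that hand-off happen, as an added example that is not part of the original question or answer: a Spring Security 5.3-style configuration that wraps the entry point in a logging delegate, so each call to commence from ExceptionTranslationFilter is visible before the redirect goes out. The class name TracingSecurityConfig is hypothetical, and the login path assumes Spring Security's default authorization base URI plus the registration id cognito from the config above; the follow-up request to that path is the one OAuth2AuthorizationRequestRedirectFilter turns into the Cognito authorization URL.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

// Hypothetical class name; targets Spring Security 5.3.x (javax.servlet API).
@Configuration
public class TracingSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(TracingSecurityConfig.class);

    // Assumption: default base URI "/oauth2/authorization" plus the
    // registration id "cognito" taken from the YAML in the question.
    private static final String COGNITO_LOGIN_PATH =
            OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
                    + "/cognito";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            // An explicit entry point replaces the one oauth2Login() would register.
            .exceptionHandling(handling ->
                    handling.authenticationEntryPoint(tracingEntryPoint()));
    }

    private AuthenticationEntryPoint tracingEntryPoint() {
        // Issues the 302 to the local authorization endpoint.
        AuthenticationEntryPoint delegate =
                new LoginUrlAuthenticationEntryPoint(COGNITO_LOGIN_PATH);
        return (request, response, authException) -> {
            // Reached via ExceptionTranslationFilter.sendStartAuthentication(...)
            log.debug("commence() for {} ({}), redirecting to {}",
                    request.getRequestURI(), authException.getMessage(), COGNITO_LOGIN_PATH);
            try {
                delegate.commence(request, response, authException);
            } catch (IOException | ServletException e) {
                log.debug("redirect to {} failed", COGNITO_LOGIN_PATH, e);
                throw e;
            }
        };
    }
}
```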