Differences between AuthenticationProvider and AuthenticationEntryPoint

Sorry guys, maybe a silly question.

But I need to implement some additional logic for authentication and authorization in my web app, and I'm not clear in my mind about where AuthenticationProvider and AuthenticationEntryPoint must be used.

Looking for some examples, I sometimes find that an AuthenticationEntryPoint is omitted in the security:http section.

But there are situations where AuthenticationProvider is also omitted (a default instance is provided by the framework?) and only a UserDetailsService implementation is needed.

Please, can you clarify some basic concepts?

davioooh asked Jun 15 '26 04:06


1 Answer

Short answer:

  1. Implement AuthenticationProvider in order to integrate your custom authentication scheme into Spring Security.
  2. Implement AccessDecisionVoter in order to integrate your custom authorization scheme into Spring Security. You might also need to implement a custom AccessDecisionManager in some particular cases, although the bundled ones are typically enough.

Note that neither of those is web-specific, in contrast with AuthenticationEntryPoint, which is part of Spring Security Web and not Spring Security Core. The main function of AuthenticationEntryPoint is to allow the framework to send some sort of "to access this resource you must authenticate first" notification from the application server to the web client. Most standard notifications are already implemented in Spring Security Web. For example:

  • BasicAuthenticationEntryPoint: This is used with Basic authentication. The "notification" is an HTTP 401 response.
  • LoginUrlAuthenticationEntryPoint: Your typical "redirect to login page" behaviour.
  • CasAuthenticationEntryPoint: Similar to the previous one, redirects to an enterprise-wide login page to perform SSO via CAS.
  • Http403ForbiddenEntryPoint: The notification is just an HTTP 403 response. This is useful when you use pre-authentication (such as client X.509 certificates) and the user credentials do not provide access.
  • ...

As you can see, unless your required behaviour is too specific, you should not need to provide your own implementation of AuthenticationEntryPoint.

gpeche answered Jun 17 '26 17:06
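To make the split in the answer concrete, here is an added example (not code from the question, the answer or the Spring Security project) showing both halves side by side: an AuthenticationProvider that actually checks credentials, an AuthenticationEntryPoint that only tells the client to authenticate, and the configuration that wires them into one filter chain. It assumes Spring Security 6 with the Jakarta servlet API; the class names DemoPasswordAuthenticationProvider, JsonAuthenticationEntryPoint and DemoSecurityConfig, the user "alice" and her password are all made up for the example.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Core side (not web-specific): decides whether the presented credentials are valid.
 * ProviderManager calls authenticate() on every registered provider whose supports()
 * returns true for the token type it was handed.
 */
class DemoPasswordAuthenticationProvider implements AuthenticationProvider {

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Constructed demo user table (username -> bcrypt hash). The hash is computed at startup
    // only so the example is self-contained; a real provider reads hashes from a store or
    // delegates to an external identity provider.
    private final Map<String, String> users = Map.of("alice", encoder.encode("correct horse"));

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String storedHash = users.get(username);

        // One exception for "unknown user" and "wrong password": the client must not be
        // able to tell the two apart (user enumeration).
        if (storedHash == null || credentials == null
                || !encoder.matches(credentials.toString(), storedHash)) {
            throw new BadCredentialsException("Bad credentials");
        }

        // The returned token is marked authenticated and no longer carries the password.
        return UsernamePasswordAuthenticationToken.authenticated(
                username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Handle only username/password tokens; other token types go to other providers.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

/**
 * Web side (Spring Security Web): tells an unauthenticated client how to authenticate.
 * ExceptionTranslationFilter calls commence() when a request reaches a protected resource
 * without a valid Authentication. It never validates credentials itself.
 */
class JsonAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // RFC 7235 challenge so HTTP clients know which scheme to use.
        response.setHeader("WWW-Authenticate", "Basic realm=\"demo\"");
        response.setContentType("application/json");
        // Generic body: do not echo authException.getMessage() back to the client.
        response.getWriter().write("{\"error\":\"authentication required\"}");
    }
}

/** Wires both pieces into one filter chain (Spring Security 6 style configuration). */
@Configuration
class DemoSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Core: add our provider to the ProviderManager's list of providers.
            .authenticationProvider(new DemoPasswordAuthenticationProvider())
            // Authorization: every request needs an authenticated principal.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Web: HTTP Basic, with our entry point producing the 401 challenge.
            .httpBasic(basic -> basic.authenticationEntryPoint(new JsonAuthenticationEntryPoint()));
        return http.build();
    }
}
```

Two points this separation makes visible. First, the question's second case (only a UserDetailsService, no explicit provider) works because Spring Security registers a DaoAuthenticationProvider for you when a single UserDetailsService bean is present; that provider does the same job as the custom one above, with a PasswordEncoder comparing the supplied password against the stored hash. Second, the entry point is only reached for an AuthenticationException, i.e. when there is no authenticated principal at all; an authenticated user who lacks the required authority raises an AccessDeniedException instead, which goes to an AccessDeniedHandler (HTTP 403), not to the entry point.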


