I have the following bean defined:
```xml
<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider user-service-ref="userDetailsService" />
</sec:authentication-manager>
```
I guess here Spring uses some default implementation of AuthenticationManager.
In my Java code I have:
```java
@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager; // specific for Spring Security

public boolean login(String username, String password) {
    try {
        Authentication authenticate = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        if (authenticate.isAuthenticated()) {
            SecurityContextHolder.getContext().setAuthentication(authenticate);
            return true;
        }
    } catch (AuthenticationException e) {
        // any failure (bad credentials, locked account, ...) falls through to "not logged in"
    }
    return false;
}
```
Here AuthenticationManager.authenticate(...) is called. But I would like to know which implementation of AuthenticationManager Spring uses by default, and what its authenticate(...) does in order to authenticate (i.e., make sure that username matches password). Could you explain this?
Spring Boot provides a default global AuthenticationManager (with only one user) unless you pre-empt it by providing your own bean of type AuthenticationManager. The default is secure enough on its own for you not to have to worry about it much, unless you actively need a custom global AuthenticationManager.
There are multiple filters in Spring Security, one of which is the Authentication Filter, which initiates the process of authentication. Once the request passes through the authentication filter, the credentials of the user are stored in the Authentication object.
The default URL where the Spring Login will POST to trigger the authentication process is /login, which used to be /j_spring_security_check before Spring Security 4.
The AuthenticationManager is really just a container for authentication providers, giving a consistent interface to them all. In most cases, the default AuthenticationManager is more than sufficient.
When you call .authenticate(new UsernamePasswordAuthenticationToken(username, password)) it is passing the UsernamePasswordAuthenticationToken to the default AuthenticationProvider, which will use the userDetailsService to get the user based on username and compare that user's password with the one in the authentication token.
In general, the AuthenticationManager passes some sort of AuthenticationToken to each of its AuthenticationProviders and they each inspect it and, if they can use it to authenticate, they return with an indication of "Authenticated", "Unauthenticated", or "Could not authenticate" (which indicates the provider did not know how to handle the token, so it passed on processing it).
This is the mechanism that allows you to plug in other authentication schemes, like authenticating against an LDAP or Active Directory server, or OpenID, and is one of the main extension points within the Spring Security framework.
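The three outcomes described above, shown with Spring Security's own classes as an added example (not code from the question or the answers): a ProviderManager wrapping one DaoAuthenticationProvider, the same wiring the XML in the question produces. It assumes Spring Security 5.x or 6.x on the classpath; the user "alice" and the in-memory user store are constructed for the demo.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderManagerDemo {
    // Equivalent of the XML above: a DaoAuthenticationProvider backed by a UserDetailsService,
    // wrapped in a ProviderManager (the AuthenticationManager implementation Spring registers).
    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Constructed in-memory user store standing in for the "userDetailsService" bean.
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build());
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(encoder); // passwords are compared as hashes, never as plaintext
        return new ProviderManager(List.of(dao));
    }
    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        // 1. Correct credentials: the provider loads "alice", matches the password against the
        //    stored hash and returns a new, authenticated token carrying the user's authorities.
        Authentication ok = manager.authenticate(
            new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        System.out.println("authenticated=" + ok.isAuthenticated() + " " + ok.getAuthorities());

        // 2. Wrong password: the provider understands the token but rejects it.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3. A token type no provider supports(): ProviderManager has nobody to hand it to.
        try {
            manager.authenticate(new TestingAuthenticationToken("alice", "s3cret"));
        } catch (ProviderNotFoundException e) {
            System.out.println("no provider: " + e.getMessage());
        }
    }
}
```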