The process of spring security form authentication

Form authentication process
Spring Security's form authentication process is implemented by the org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter class. Before Spring Security 3.0 it was implemented in the AuthenticationProcessingFilter class.
Fields in UsernamePasswordAuthenticationFilter:
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username"; // request parameter carrying the user name entered by the user
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password"; // request parameter carrying the password entered by the user
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME"; // session key under which the last attempted user name is stored
    private boolean postOnly = true; // when true (the default) only POST submissions are accepted; a GET to the login URL is rejected with AuthenticationServiceException

When the filter chain reaches UsernamePasswordAuthenticationFilter, the doFilter method of its parent class AbstractAuthenticationProcessingFilter is called. That method first runs requiresAuthentication to check whether the request URI is j_spring_security_check. If it is not, the request is not a login attempt and is passed down the chain; if it is, the user name and password are read from the request for authentication. AbstractAuthenticationProcessingFilter then calls the attemptAuthentication method of UsernamePasswordAuthenticationFilter, which returns an authenticated Authentication object when verification succeeds.

During authentication the ProviderManager is obtained and its doAuthenticate method is executed, which delegates to the configured authentication provider classes in turn.
The first authentication provider class is:
org.springframework.security.authentication.AnonymousAuthenticationProvider, which does not perform authentication for this token type
The second authentication provider class is:
org.springframework.security.authentication.dao.DaoAuthenticationProvider
The main authentication work happens in DaoAuthenticationProvider. First, the authenticate method of its parent class runs; it takes the Authentication object that carries the submitted user name and password. The authenticate method first checks whether the user is present in the user cache and, if not, calls the retrieveUser method of DaoAuthenticationProvider. That method invokes loadUserByUsername on the UserDetailsService configured in the configuration file and returns a UserDetails object. Afterwards, in the additionalAuthenticationChecks method of DaoAuthenticationProvider, the password in the returned UserDetails is checked against the submitted one with the isPasswordValid method of the PlaintextPasswordEncoder class.
If none of the above steps throws an exception, authentication is successful.
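The following is an added example, not code from the article, that wires the same ProviderManager → DaoAuthenticationProvider → UserDetailsService → PasswordEncoder chain described above and drives it directly with the UsernamePasswordAuthenticationToken that UsernamePasswordAuthenticationFilter would otherwise build from j_username and j_password. It assumes Spring Security 5.x (spring-security-core and spring-security-crypto) on the classpath and uses a constructed in-memory account; the class name FormAuthFlowDemo and the sample user are hypothetical. It replaces the article's PlaintextPasswordEncoder with BCryptPasswordEncoder, since the plaintext encoder stores and compares passwords in the clear.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Walk-through of the DaoAuthenticationProvider path without the servlet filter.
 * Added example (hypothetical class); assumes Spring Security 5.x on the classpath.
 */
public class FormAuthFlowDemo {

    /** Builds what the XML <authentication-manager> element would create. */
    static AuthenticationManager buildAuthenticationManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Constructed sample account. A real deployment backs UserDetailsService with JDBC, LDAP, etc.
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("correct horse battery staple"))
                .roles("USER")
                .build();
        UserDetailsService userDetailsService =
                new InMemoryUserDetailsManager(Collections.singletonList(alice));

        // retrieveUser() -> userDetailsService.loadUserByUsername()
        // additionalAuthenticationChecks() -> encoder.matches(rawPassword, storedHash)
        DaoAuthenticationProvider daoProvider = new DaoAuthenticationProvider();
        daoProvider.setUserDetailsService(userDetailsService);
        daoProvider.setPasswordEncoder(encoder);
        // Default is already true: an unknown user name is reported as BadCredentialsException,
        // exactly like a wrong password, so the login form does not reveal which accounts exist.
        daoProvider.setHideUserNotFoundExceptions(true);

        // ProviderManager.authenticate() asks each provider in order whether it supports the token type;
        // DaoAuthenticationProvider handles UsernamePasswordAuthenticationToken.
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(daoProvider));
    }

    /** Equivalent of attemptAuthentication(): unauthenticated token in, authenticated token out or an exception. */
    static Authentication login(AuthenticationManager manager, String username, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        return manager.authenticate(request);
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildAuthenticationManager();

        Authentication ok = login(manager, "alice", "correct horse battery staple");
        System.out.println("authenticated=" + ok.isAuthenticated()
                + " principal=" + ok.getName()
                + " authorities=" + ok.getAuthorities()
                // ProviderManager erases the password from the returned token by default
                + " credentialsErased=" + (ok.getCredentials() == null));

        for (String[] attempt : new String[][] {{"alice", "wrong"}, {"mallory", "anything"}}) {
            try {
                login(manager, attempt[0], attempt[1]);
            } catch (BadCredentialsException e) {
                // Wrong password and unknown user produce the same exception type and message
                System.out.println("rejected " + attempt[0] + ": " + e.getMessage());
            }
        }
    }
}
```

Run the main method with the two Spring Security jars (and spring-core/spring-context, which they depend on) on the classpath. The successful login prints an authenticated token whose credentials have been cleared, and both failed attempts print the same "Bad credentials" message, which is the behaviour a defender wants from the hideUserNotFoundExceptions setting.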

Origin http://43.154.161.224:23101/article/api/json?id=324733782&siteId=291194637