Reputation: 24706
Differences between AuthenticationProvider and AuthenticationEntryPoint
Sorry guys, maybe a silly question.
But I need to implement some additional logic for authentication and authorization in my web app and I've not clear in mind where AuthenticationProvider and AuthenticationEntryPoint must be used.
Looking for some examples I somethimes find that an AuthenticationEntryPoint is omitted in security:http section.
But there are situations where also AuthenticationProvider is omitted (a default instance is provided by the framework?) and only a UserDetailsService implementation is needed.
Please, can you clarify some basic concepts?
Upvotes: 8
Views: 3536
Answers (1)
Reputation: 22514
Short answer:
- Implement
AuthenticationProviderin order to integrate your custom authentication scheme into Spring Security. - Implement
AccessDecisionVoterin order to integrate your custom authorization scheme into Spring Security. You might also need to implement a customAccessDecisionManagerin some particular cases, altough the bundled ones are typically enough.
Note that neither of those is web-specific, in contrast with AuthenticationEntryPoint, that is a part of Spring Security Web and not Spring Security Core. The main function of AuthenticationEntryPoint is to allow the framework to send some sort of "to access this resource you must authenticate first" notification from application server to web client. Most standard notifications are already implemented in Spring Security Web. For example:
BasicAuthenticationEntryPoint: This is used with Basic authentication. The "notification" is a HTTP 401 response.LoginUrlAuthenticationEntryPoint: Your typical "redirect to login page" behaviour.CasAuthenticationEntryPoint: Similar to the former, redirects to an enterprise-wide login page to perform SSO via CAS.Http403ForbiddenEntryPoint: The notification is just an HTTP 403 response. This is useful when you use pre-authentication (such as client X.509 certificates) and the user credentials do not provide access.- ...
As you can see, unless your required behaviour is too specific, you should not need to provide your own implementation of AuthenticationEntryPoint.
Upvotes: 14
Related Questions
- Spring Security what is the difference between Authorization Manager and AccessDecisionManager?
- how to implement AuthenticationEntryPoint and AuthenticationProvider together in spring security
- spring security AuthenticationManager vs AuthenticationProvider?
- Difference between AuthorizationServerConfigurerAdapter vs WebSecurityConfigurerAdapter
- What is the difference between registering an authenticationprovider with HttpSecurity vs AuthenticationManagerBuilder in Spring Security?
- Spring Security Custom Authentication - AuthenticationProvider vs UserDetailsService
- Difference between AuthenticationManagerBuilder and HttpSecurity.authenticationProvider
- Difference in AuthenticationManager and AuthenticationProvider Authenticate method in Spring Security
- Difference between AuthenticationProvider and AbstractUserDetailsAuthenticationProvider
- Understanding authentication providers in Spring security