This repository has been archived by the owner on Mar 31, 2022. It is now read-only.

Authentication hooks #31

Closed
alexbudarov opened this issue Nov 23, 2020 · 1 comment

alexbudarov commented Nov 23, 2020

CUBA had the following authentication-related hooks:
https://doc.cuba-platform.com/manual-7.2/login.html#login_events

Let's take a look at what analogues we provide in Jmix.

  • UserSubstitutedEvent - user substitution feature isn't yet implemented in Jmix
  • AuthenticationSuccessEvent - org.springframework.security.authentication.event.AuthenticationSuccessEvent
  • AuthenticationFailureEvent - org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent
  • UserLoggedOutEvent - org.springframework.security.authentication.event.LogoutSuccessEvent

No analogues in spring-security for:

  • BeforeAuthenticationEvent and BeforeLoginEvent - useful hook to prevent logging in before asking providers.
  • AfterAuthenticationEvent and AfterLoginEvent - These listeners are triggered for both positive and negative results. Not sure if they are useful. For preventing login with a user already loaded from the DB, AuthenticationSuccessEvent can be used.
  • UserLoggedInEvent - a reliable "successfully logged in" event. Can be used for various reactions in business apps. The only analogue I see is io.jmix.sessions.events.JmixSessionCreatedEvent from jmix-sessions.

According to https://stackoverflow.com/a/34298831/2032468, AuthenticationSuccessEvent doesn't always mean successful login.

Also, as I see from Baeldung's example: https://www.baeldung.com/spring-security-restrict-authentication-by-geography

the standard Spring Security way of doing pre/post authentication hooks is through these methods:
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider#setPreAuthenticationChecks
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider#setPostAuthenticationChecks

So it looks like we need to provide a way of specifying preAuthenticationChecks / postAuthenticationChecks in a project without overriding the whole io.jmix.security.authentication.SecuredAuthenticationProvider.

knstvk added this to the 1.0.0 milestone Mar 18, 2021
knstvk changed the title from "Some CUBA authentication hooks aren't available in Jmix" to "Authentication hooks" Mar 19, 2021

andreysubbotin commented Apr 21, 2021

CUBA event sequences: https://doc.cuba-platform.com/manual-7.2/login.html
CUBA Events mapping:

  • AuthenticationSuccessEvent. The event is fired after the user is successfully authenticated. Mapped to AuthenticationSuccessEvent
  • AuthenticationFailureEvent. The event is fired if the user authentication failed. Mapped to AbstractAuthenticationFailureEvent
  • BeforeLoginEvent/BeforeAuthenticationEvent. The event is fired before login/authentication procedure. No direct analogs. Use pre/post custom UserDetailsChecker that fires PreAuthenticationCheckEvent/PostAuthenticationCheckEvent events.
  • AfterLoginEvent/AfterAuthenticationEvent. The event is fired after the user is logged in or login failed. No direct analogs.
  • UserLoggedInEvent. The event is published after the user is logged in and the user session is completely initialized and stored in user sessions storage. No direct analogs. Use Spring Security InteractiveAuthenticationSuccessEvent that is fired from BackendUI/RememberMe service after authentication by login/password or remember me token. Fire the event when the user authenticates through REST.

andreysubbotin pushed a commit that referenced this issue Apr 25, 2021
andreysubbotin pushed a commit to jmix-framework/jmix that referenced this issue Apr 25, 2021
andreysubbotin pushed a commit to jmix-projects/jmix-bom that referenced this issue Apr 25, 2021
andreysubbotin pushed a commit to jmix-framework/jmix that referenced this issue Apr 25, 2021
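
The pre-authentication hook discussed in this thread, sketched against plain Spring Security 5.x as an added example (not code from the issue, from Jmix, or from the referenced commits). `PreLoginCheckEvent`, `AuthenticationHooksConfig`, `rejectSuspended` and the suspended-account set are hypothetical names and constructed data; the default synchronous Spring event multicaster is assumed.

```java
import java.util.Set;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class AuthenticationHooksConfig {

    /** Hypothetical event for this example; not a Jmix or Spring Security class. */
    public static class PreLoginCheckEvent extends ApplicationEvent {
        public PreLoginCheckEvent(UserDetails user) { super(user); }
        public UserDetails getUser() { return (UserDetails) getSource(); }
    }

    // Constructed sample data: accounts suspended by an administrator.
    private static final Set<String> SUSPENDED = Set.of("suspended-user");

    @Bean
    public DaoAuthenticationProvider authenticationProvider(UserDetailsService users,
            PasswordEncoder encoder, ApplicationEventPublisher publisher) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        // The setter replaces the default pre-checks, so repeat them before the hook.
        provider.setPreAuthenticationChecks(user -> {
            if (!user.isAccountNonLocked()) throw new LockedException("Account is locked");
            if (!user.isEnabled()) throw new DisabledException("Account is disabled");
            if (!user.isAccountNonExpired()) throw new AccountExpiredException("Account has expired");
            publisher.publishEvent(new PreLoginCheckEvent(user)); // listeners may veto
        });
        // postAuthenticationChecks is left at its default (credentials-expired check).
        return provider;
    }

    /** Runs synchronously in the login thread; throwing aborts the authentication. */
    @EventListener
    public void rejectSuspended(PreLoginCheckEvent event) {
        if (SUSPENDED.contains(event.getUser().getUsername())) throw new DisabledException("Account is suspended");
    }
}
```

The pre-check runs after the user has been loaded from the `UserDetailsService` and before the password is compared, so a veto here surfaces to callers who have not yet proven knowledge of the password. The credentials-expired check stays in the post-check for that reason: it only fires once the password has matched.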