File: SpringBoot Security.md (106 additions & 0 deletions)
@@ -1250,11 +1250,117 @@ Disabling csrf
1250
1250
> - As per Spring Security 6+ the recommended hash function is **BCrypt**. If in future if this BcryptPasswordEncoder has becomes weak, then obviously Spring Security team is going to move on to the more advanced password encoder and they're going to make that as a default one.
1251
1251
1252
1252
1253
+
## Custom Authentication Provider
1253
1254
1255
+
- Uptil now we have used the in-build Authentication provider (**DaoAuthenticationProvider**) to authenticate user by loading the details from database. So with the help of **UserDetailsService** , **DaoAuthenticationProvider** authenticates the user is valid or or not.
1256
+
- The **DaoAuthenticationProvider** is an implementation of **AuthenticationProvider** that uses a **UserDetailsService** to retrieve user details from a data source (like a database). When a user tries to authenticate (e.g., by logging in), the **DaoAuthenticationProvider**:
1257
+
- Uses the **UserDetailsService** to load the user details (such as username, password, and roles) from the database.
1258
+
- Compares the provided credentials (e.g., the password entered by the user) with the stored credentials in the database.
1259
+
- If the credentials match, the user is authenticated successfully.
1260
+
- This process ensures that only valid users with correct credentials can access protected resources in your application.
1254
1261
1262
+
- What if you wanna have your own custom authentication provider? , lets say suppose you wanna authenticate based on country location? or based on age? , lets say you are building a website and you have alternative ways like user can register via Gmail, meta or any other third party . Lets say you wanna also implement OAuth ? so you need to customized your authentication provider.
1263
+
- In such case , you need to have multiple authentication providers, but how will you manage those authentication providers? for that we will have layer called **ProviderManager**, but how the **ProviderManager** knows which authentication provider to call when the user tries to access the protected pages? like when user is login via gmail call the gmail authentication provider, if user is tries to login via meta then call the meta authentication provider? , the **ProviderManager** will come to know about it based on the **Type of Authentication Object**.
1255
1264
1256
1265
1266
+

1257
1267
1268
+
- Before we try to implement our own **AuthenticationProvider** , first lets try to understand about how it works?
1269
+
1270
+

1271
+
1272
+
- The **AuthenticationProvider** consist of two methods `authenticate()` and `supports()`. Lets try to understand these methods.
1273
+
- `authenticate(Authentication authentication)`: This method attempts to authenticate the user based on the provided Authentication object (e.g., containing the username and password). If successful, it returns a fully authenticated Authentication object. If authentication fails, it can throw an exception.
1274
+
- `supports(Class<?> authentication)`: This method checks whether the **AuthenticationProvider** can handle the given type of Authentication object. For example, **DaoAuthenticationProvider** typically supports **UsernamePasswordAuthenticationToken**.
1275
+
1276
+
- The **UsernamePasswordAuthenticationFilter** is a Spring Security filter that intercepts login requests (usually HTTP POST requests to /login) and attempts to authenticate the user using the provided username and password. This filter:
1277
+
- Creates an Authentication object (usually **UsernamePasswordAuthenticationToken**) using the provided username and password.
1278
+
Passes this Authentication object to the **AuthenticationManager** for authentication.
1279
+
- The **ProviderManager** is the default implementation of **AuthenticationManager** in Spring Security.
1280
+
1281
+

1282
+
1283
+
- **ProviderManager** holds a list of **AuthenticationProviders**.
1284
+
- When its `authenticate()` method is called (e.g., by **UsernamePasswordAuthenticationFilter**), it iterates through its list of **AuthenticationProviders**.
1285
+
- For each **AuthenticationProvider**, it checks if it supports the **type of Authentication object (using the supports() method)**.
1286
+
- Once it finds a suitable **AuthenticationProvider**, it calls its authenticate() method.
1287
+
- If authentication is successful, it returns the authenticated Authentication object; otherwise, it tries the next provider or throws an exception if no provider can authenticate the user.
1288
+
1289
+
- Lets create a custom authentication method. **Your custom authentication should be a bean thats why it is important to annotate it with `@Component`**.
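Review bot: The closing line of the hunk, `- Lets create a custom authentication method. **Your custom authentication should be a bean thats why it is important to annotate it with `@Component`**.`, announces an example that the hunk never delivers and overstates the requirement: what matters is that the provider is registered as a Spring bean so the security auto-configuration can pick it up, and a `@Bean` method in a configuration class achieves that just as well as `@Component`; rewording to "custom authentication provider" and "must be registered as a Spring bean (for example with `@Component`)" would be accurate. The description of the `ProviderManager` loop at 1287 ("otherwise, it tries the next provider or throws an exception if no provider can authenticate the user") is close but worth tightening: the manager moves on when a provider returns `null` or throws an `AuthenticationException`, yet an `AccountStatusException` or `InternalAuthenticationServiceException` aborts the loop immediately, and if no provider succeeds it either delegates to its parent `AuthenticationManager` or rethrows the last exception (a `ProviderNotFoundException` when none supported the token type). In the `UsernamePasswordAuthenticationFilter` list, the second step `Passes this Authentication object to the **AuthenticationManager** for authentication.` lost its leading `- ` and, like the three numbered steps under `DaoAuthenticationProvider`, should be indented as a sub-bullet so it renders inside the parent item. The OAuth sentence at 1262 reads as if third-party login requires writing your own provider; Spring Security already ships OAuth2 login support, so the example would be clearer if it stayed with the country or age checks the paragraph itself introduces. The blank lines at 1257, 1267 and 1282 look like dropped image references; please confirm the diagrams are committed alongside the markdown. Finally, spelling and grammar: "Uptil" should be "Until", "in-build" should be "built-in", "or or not" duplicates "or", "wanna" and "lets" should be "want to" and "let's", "customized your authentication provider" should be "customize", and "authenticates the user is valid or not" should be "checks whether the user is valid".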