In Part 1 of the #SpringSecurity tutorial, we learned the difference between Authentication and Authorization. In Part 2, we created a Basic Authentication implementation.
In this section, we will understand the Spring Security authentication flow.
The diagram above shows how Spring Security works internally.
When the user enters the credentials, an authentication filter in the Spring Security framework intercepts the request.
The filter then converts the authentication details received from the user into an authentication object. This object is the base on which the user's credentials are validated in the following steps.
The Authentication Manager identifies which authentication provider the request has to go to, e.g. we may use a database, OAuth or LDAP to validate the details.
All the business logic related to security (e.g. how to validate the details) lives in the Authentication Provider. It in turn uses two other interfaces: User Details Service and Password Encoder.
A User Details Service holds the user schema, i.e. how my user details should look. The Password Encoder tells how the password has to be encoded/decrypted.
Once the Authentication Provider has validated the input using the User Details Service and Password Encoder, it transfers the result back to the Authentication Manager, followed by the Authentication Filter.
Now the authentication object, which we initially sent from the Authentication Filter, holds the information on whether the user is valid or not, along with other details like authorities, roles etc.
The authentication filter passes the authentication object to the Security Context, where the details are stored in the (Spring) container. This authentication object is given back to the browser, and when the browser sends a request a second time, Spring Security validates whether the authentication object has a valid token or not.