8

Sorry guys, maybe a silly question.

But I need to implement some additional logic for authentication and authorization in my web app and I've not clear in mind where AuthenticationProvider and AuthenticationEntryPoint must be used.

Looking for some examples I somethimes find that an AuthenticationEntryPoint is omitted in security:http section.

But there are situations where also AuthenticationProvider is omitted (a default instance is provided by the framework?) and only a UserDetailsService implementation is needed.

Please, can you clarify some basic concepts?

davioooh
  • 23,742
  • 39
  • 159
  • 250

1 Answers1

14

Short answer:

  1. Implement AuthenticationProvider in order to integrate your custom authentication scheme into Spring Security.
  2. Implement AccessDecisionVoter in order to integrate your custom authorization scheme into Spring Security. You might also need to implement a custom AccessDecisionManager in some particular cases, altough the bundled ones are typically enough.

Note that neither of those is web-specific, in contrast with AuthenticationEntryPoint, that is a part of Spring Security Web and not Spring Security Core. The main function of AuthenticationEntryPoint is to allow the framework to send some sort of "to access this resource you must authenticate first" notification from application server to web client. Most standard notifications are already implemented in Spring Security Web. For example:

As you can see, unless your required behaviour is too specific, you should not need to provide your own implementation of AuthenticationEntryPoint.

gpeche
  • 21,974
  • 5
  • 38
  • 51