GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Extract AuthenticationEntryPoint Docs 

Closes gh-8003
pull/7925/head
Rob Winch 6 years ago
parent
6b0891b081
commit
052e103aed
2 changed files with 20 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      docs/manual/src/docs/asciidoc/_includes/servlet/architecture/core-filters.adoc
  2. 20
      docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-entry-point.adoc

8
docs/manual/src/docs/asciidoc/_includes/servlet/architecture/core-filters.adoc
Unescape View File

@ -3,14 +3,6 @@ @@ -3,14 +3,6 @@
There are some key filters which will always be used in a web application which uses Spring Security, so we'll look at these and their supporting classes and interfaces first.
We won't cover every feature, so be sure to look at the Javadoc for them if you want to get the complete picture.
[[auth-entry-point]]
=== AuthenticationEntryPoint
The `AuthenticationEntryPoint` will be called if the user requests a secure HTTP resource but they are not authenticated.
An appropriate `AuthenticationException` or `AccessDeniedException` will be thrown by a security interceptor further down the call stack, triggering the `commence` method on the entry point.
This does the job of presenting the appropriate response to the user so that authentication can begin.
The one we've used here is `LoginUrlAuthenticationEntryPoint`, which redirects the request to a different URL (typically a login page).
The actual implementation used will depend on the authentication mechanism you want to be used in your application.
[[access-denied-handler]]
=== AccessDeniedHandler

20
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication-entry-point.adoc
Unescape View File

@ -0,0 +1,20 @@ @@ -0,0 +1,20 @@
[[servlet-authentication-authenticationentrypoint]]
= Request Credentials with `AuthenticationEntryPoint`
{security-api-url}org/springframework/security/web/AuthenticationEntryPoint.html[`AuthenticationEntryPoint`] is used to send an HTTP response that requests credentials from a client.
Sometimes a client will proactively include credentials such as a username/password to request a resource.
In these cases, Spring Security does not need to provide an HTTP response that requests credentials from the client since they are already included.
In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access.
In this case, an implementation of `AuthenticationEntryPoint` is used to request credentials from the client.
The `AuthenticationEntryPoint` implementation might perform a redirect to a log in page, respond with an https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate[WWW-Authenticate] header, etc.
[[servlet-authentication-authenticationentrypoint-example]]
To better understand how `AuthenticationEntryPoint` is used, let's take a look at a concrete example.
* First, a user makes an unauthenticated request to a resource that is not authorized.
Spring Security's <<servlet-authorization-filtersecurityinterceptor,`FilterSecurityInterceptor`>> indicate that the unauthenticated request is __Denied__.
* Since the request is __Denied__, <<servlet-exceptiontranslationfilter,`ExceptionTranslationFilter`>> handles the `AccessDeniedException` by first saving the request (so that it can be requested again after successful authentication) and then redirecting to the log in page with the configured `AuthenticationEntryPoint`.
* The browser will then request the log in page.
Something within the application, must <<servlet-authentication-form-custom,render the log in page>>.
Write Preview
Loading…
Cancel
Save