11.6 Manual Authentication Info
Manual Authentication simply means storing an Authentication object in the Security Context yourself:
create an instance of a class that implements the Authentication interface (like UsernamePasswordAuthenticationToken)
call setAuthenticated(true) on it (or use a constructor that does so)
store the Authorities in it
store that instance in the Context (by calling setAuthentication(returnedAuth))
For each subsequent HTTP request Spring
will get the Authentication object from the Context
check that isAuthenticated() == true
get the Authorities from it
use those Authorities to control access to Controller endpoints
Session Based Authentication is used when the application uses a Session. Then
the Authentication is stored in the Context only once (at login)
and for each subsequent HTTP request Spring can get the Authentication automatically from the Context/Session
Filter Based Authentication is used when the application does not use a Session. Then
the Authentication is stored in the Context for each HTTP request
inside a Filter
which gets executed before Spring reaches the Controller
so that when Spring reaches the Controller it can get the Authentication from the Context
and use the Authorities from it to control access to Controller endpoints
Implementing Manual Authentication
Both Session and Filter Based Manual Authentication are implemented in the same way.
The only difference is where the code is called from and how many times.
We will implement Manual Authentication inside the authenticate() method of the AuthenticationManager interface.
For that purpose we will create the class MyAuthenticationManager, which implements the AuthenticationManager interface.
We will use two instances of the UsernamePasswordAuthenticationToken class, which implements the Authentication interface:
first as the input parameter of the authenticate() method, when it contains only the entered Username and Password (isAuthenticated() == false)
second as the return value of the authenticate() method, when it also contains the Authorities and is marked setAuthenticated(true)
[Diagram: Implementing Manual Authentication. Inside a Controller or Filter, an Authentication (Username, Password) with setAuthenticated(false) is passed to AuthenticationManager.authenticate(); the returned Authentication (User, Pass, Authorities) with setAuthenticated(true) is stored in the Context/Session via setAuthentication(auth).]
Inside Controller or Filter
@Autowired MyAuthenticationManager myAuthenticationManager;
//AUTHENTICATE
Authentication enteredAuth = new UsernamePasswordAuthenticationToken(enteredUsername, enteredPassword);
Authentication returnedAuth = myAuthenticationManager.authenticate(enteredAuth);
//STORE AUTHENTICATION INTO CONTEXT (SESSION)
SecurityContextHolder.getContext().setAuthentication(returnedAuth);
MyAuthenticationManager.java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class MyAuthenticationManager implements AuthenticationManager {
    @Override
    public Authentication authenticate(Authentication enteredAuthentication) {
        //HARD CODED USER
        String username = "myuser";
        String password = "mypassword";
        String role = "ROLE_USER";
        //GET ENTERED CREDENTIALS (the two-argument token stores username as principal, password as credentials)
        String enteredUsername = (String) enteredAuthentication.getPrincipal(); //USERNAME
        String enteredPassword = (String) enteredAuthentication.getCredentials(); //PASSWORD
        //AUTHENTICATE USER (null is returned on failure; the caller must not store null in the Context)
        if (!enteredUsername.equals(username)) { System.out.println("Username not found"); return null; }
        if (!enteredPassword.equals(password)) { System.out.println("Incorrect Password"); return null; }
        //CREATE AUTHORITIES
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority(role));
        //CREATE VALIDATED AUTHENTICATION (the three-argument constructor marks the token as authenticated, i.e. isAuthenticated() == true)
        Authentication validatedAuthentication = new UsernamePasswordAuthenticationToken(username, password, authorities);
        //RETURN VALIDATED AUTHENTICATION
        return validatedAuthentication;
    }
}
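The Filter Based variant described above, as an added example that is not part of the original page: a OncePerRequestFilter that reads HTTP Basic credentials, passes them through the page's MyAuthenticationManager and stores the returned Authentication in the Context for this request only, handling the null result the manager returns on bad credentials. It assumes the jakarta servlet namespace (Spring Security 6), the standard Authorization: Basic header, and that the filter is registered in the security filter chain with http.addFilterBefore(...) ahead of the authorization filter (configuration not shown).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter name; MyAuthenticationManager is the class from the page
public class ManualAuthenticationFilter extends OncePerRequestFilter {
    private final MyAuthenticationManager myAuthenticationManager;

    public ManualAuthenticationFilter(MyAuthenticationManager myAuthenticationManager) {
        this.myAuthenticationManager = myAuthenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            // No credentials sent: leave the Context empty, the endpoint's access rules decide
            chain.doFilter(request, response);
            return;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        int sep = decoded.indexOf(':');
        if (sep < 0) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        // AUTHENTICATE: unauthenticated token (username, password) in, authenticated token with authorities out
        Authentication enteredAuth = new UsernamePasswordAuthenticationToken(decoded.substring(0, sep), decoded.substring(sep + 1));
        Authentication returnedAuth = myAuthenticationManager.authenticate(enteredAuth);
        // MyAuthenticationManager returns null on bad credentials: never store null, reject the request
        if (returnedAuth == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        // STORE AUTHENTICATION INTO CONTEXT for this request only (no session)
        SecurityContextHolder.getContext().setAuthentication(returnedAuth);
        try {
            chain.doFilter(request, response);
        } finally {
            SecurityContextHolder.clearContext(); // do not let it leak to the next request on this thread
        }
    }
}
```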