Last week I started to look into what would be required to get Amazon S3 type of message authentication integrated with Spring Security. While I am nowhere even close to getting it done yet, I aim to keep track of my efforts through my blog.
Filters and AuthenticationProviders
A couple of conclusions from browsing the source code and documentation. It seems that, in general, there is a contract between an AuthenticationProvider and a filter, which could be a SpringSecurityFilter that defines a little bit more template code for what it is normally expected to do. In general, the filter should prepare an authentication request implementing the Authentication interface, and then leave it up to the AuthenticationManager to do the actual authentication. The AuthenticationManager manages a collection of AuthenticationProviders, and every AuthenticationProvider gets a chance to see if, given the authentication data passed in, it is able to perform authentication. AuthenticationProviders can register their interest for particular types of Authentication objects only.

Now, looking a little further, it turns out that the DigestProcessingFilter doesn't actually use the AuthenticationManager, nor an AuthenticationProvider implementation. It performs the whole task itself, and once it has succeeded, it sets the Authentication request as the authentication on the SecurityContextHolder. What I don't get, though, is that this way the isAuthenticated() operation on that object will always return false. There must be something that flips it over to true, but I just can't find it.

Looking a little further, I find out that the isAuthenticated() operation is actually expected to return false if the Authentication is expected to be processed by the AuthenticationManager. But hold on, didn't I see the BasicProcessingFilter calling the AuthenticationManager itself? It turns out it does. I don't understand it. Why would you have one filter interacting with the AuthenticationManager directly, and the other expecting the other things further down the chain to interact with it?
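To make the filter/provider contract described above concrete, here is an added example (not code from the original post, and not Spring Security's own implementation) of an S3-style signed-request scheme built on that contract. The filter only parses the `Authorization` header into an unauthenticated `Authentication` request and hands it to the `AuthenticationManager`; the `AuthenticationProvider` verifies the HMAC and, on success, returns a fresh token that carries authorities and is marked authenticated. That answers the isAuthenticated() puzzle: the request token the filter builds is supposed to report false, and it is the provider's result object, not the request, that ends up on the SecurityContextHolder. Assumptions: the Spring Security 3.x-or-later class names (`AbstractAuthenticationToken`, `SimpleGrantedAuthority`, `OncePerRequestFilter`), a constructed `Map` standing in for the access-key store, and a simplified string-to-sign of method, Date header and request URI; the class names `SignedRequestToken`, `SignedRequestFilter` and `SignedRequestProvider` are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical Authentication type: access key, presented signature, and the string that was signed. */
class SignedRequestToken extends AbstractAuthenticationToken {
    private final String accessKey;
    private final String signature;
    private final String stringToSign;

    /** Built by the filter: an unverified request, so isAuthenticated() is false. */
    SignedRequestToken(String accessKey, String signature, String stringToSign) {
        super(null);
        this.accessKey = accessKey;
        this.signature = signature;
        this.stringToSign = stringToSign;
        setAuthenticated(false);
    }

    /** Built by the provider after the HMAC checked out: carries authorities and is marked authenticated. */
    SignedRequestToken(String accessKey, List<SimpleGrantedAuthority> authorities) {
        super(authorities);
        this.accessKey = accessKey;
        this.signature = null;
        this.stringToSign = null;
        setAuthenticated(true);
    }

    @Override public Object getCredentials() { return signature; }
    @Override public Object getPrincipal() { return accessKey; }
    String getStringToSign() { return stringToSign; }
}

/** Hypothetical filter: assembles the request and delegates the decision to the AuthenticationManager. */
class SignedRequestFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;

    SignedRequestFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("AWS ")) {
            chain.doFilter(request, response); // not ours; let later filters decide
            return;
        }
        String[] parts = header.substring(4).split(":", 2); // "accessKey:base64Signature"
        if (parts.length != 2) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Simplified string-to-sign (assumption): method, Date header and URI, newline-separated.
        String stringToSign = request.getMethod() + "\n" + request.getHeader("Date") + "\n" + request.getRequestURI();
        try {
            Authentication result = authenticationManager.authenticate(
                    new SignedRequestToken(parts[0], parts[1], stringToSign));
            SecurityContextHolder.getContext().setAuthentication(result); // the provider's result, not the request
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}

/** Hypothetical provider: registers interest in SignedRequestToken only and verifies the HMAC-SHA1. */
class SignedRequestProvider implements AuthenticationProvider {
    private final Map<String, String> secrets; // accessKey -> secret; constructed stand-in for a real store

    SignedRequestProvider(Map<String, String> secrets) { this.secrets = secrets; }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        SignedRequestToken req = (SignedRequestToken) authentication;
        String secret = secrets.get((String) req.getPrincipal());
        if (secret == null) throw new BadCredentialsException("unknown access key");
        byte[] expected = hmacSha1(secret, req.getStringToSign());
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode((String) req.getCredentials());
        } catch (IllegalArgumentException e) {
            throw new BadCredentialsException("malformed signature");
        }
        // Constant-time comparison: a byte-by-byte equals would leak how much of the MAC matched.
        if (!MessageDigest.isEqual(expected, presented)) throw new BadCredentialsException("bad signature");
        return new SignedRequestToken((String) req.getPrincipal(), List.of(new SimpleGrantedAuthority("ROLE_API")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return SignedRequestToken.class.isAssignableFrom(authentication);
    }

    static byte[] hmacSha1(String secret, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Wiring is the usual one: the provider goes into a `ProviderManager`, which is the `AuthenticationManager` handed to the filter, and the filter sits in the chain where the basic or digest filter would. Two caveats a deployment would need that this sketch leaves out: the `Date` header must be checked for freshness (otherwise a captured signed request stays valid indefinitely), and the secret lookup should not distinguish "unknown key" from "bad signature" in its response to the client.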