|
| 1 | += AbstractAuthenticationProcessingFilter |
| 2 | +:figures: images/servlet/authentication/architecture |
| 3 | +:icondir: images/icons |
| 4 | + |
| 5 | +{security-api-url}org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html[`AbstractAuthenticationProcessingFilter`] is used as a base `Filter` for authenticating a user's credentials. |
| 6 | +Before the credentials can be authenticated, Spring Security typically requests the credentials using <<servlet-authentication-authenticationentrypoint,`AuthenticationEntryPoint`>>. |
| 7 | + |
| 8 | +Next, the `AbstractAuthenticationProcessingFilter` can authenticate any authentication requests that are submitted to it. |
| 9 | + |
| 10 | +image::{figures}/abstractauthenticationprocessingfilter.png[] |
| 11 | + |
| 12 | +image:{icondir}/number_1.png[] When the user submits their credentials, the `AbstractAuthenticationProcessingFilter` creates an <<servlet-authentication>> from the `HttpServletRequest` to be authenticated. |
| 13 | +The type of `Authentication` created depends on the subclass of `AbstractAuthenticationProcessingFilter`. |
| 14 | +For example, `UsernamePasswordAuthenticationFilter` creates a `UsernamePasswordAuthenticationToken` from a __username__ and __password__ that are submitted in the `HttpServletRequest`. |
| 15 | +// FIXME: link UsernamePasswordAuthenticationFilter |
| 16 | + |
| 17 | +image:{icondir}/number_2.png[] Next, the `Authentication` is passed into the `AuthenticationManager` to be authenticated. |
| 18 | +// FIXME: link to AuthenticationManager |
| 19 | + |
| 20 | +image:{icondir}/number_3.png[] If authentication fails, then __Failure__ |
| 21 | + |
| 22 | +* The <<servlet-authentication-securitycontextholder>> is cleared out. |
| 23 | +* `RememberMeServices.loginFail` is invoked. |
| 24 | +If remember me is not configured, this is a no-op. |
| 25 | +// FIXME: link to rememberme |
| 26 | +* `AuthenticationFailureHandler` is invoked. |
| 27 | +// FIXME: link to AuthenticationFailureHandler |
| 28 | +
|
| 29 | +image:{icondir}/number_4.png[] If authentication is successful, then __Success__. |
| 30 | + |
| 31 | +* `SessionAuthenticationStrategy` is notified of a new log in. |
| 32 | +// FIXME: Add link to SessionAuthenticationStrategy |
| 33 | +* The <<servlet-authentication-authentication>> is set on the <<servlet-authentication-securitycontextholder>>. |
| 34 | +Later the `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession`. |
| 35 | +// FIXME: link securitycontextpersistencefilter |
| 36 | +* `RememberMeServices.loginSuccess` is invoked. |
| 37 | +If remember me is not configured, this is a no-op. |
| 38 | +// FIXME: link to rememberme |
| 39 | +* `ApplicationEventPublisher` publishes an `InteractiveAuthenticationSuccessEvent`. |
| 40 | +
|
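Review bot: On line 12 the cross-reference `<<servlet-authentication>>` stands where the sentence needs the `Authentication` object ("creates an <<servlet-authentication>> from the `HttpServletRequest`"), while line 33 refers to the same object as `<<servlet-authentication-authentication>>`; point line 12 at that anchor and give it explicit link text so the sentence renders as "creates an `Authentication`". The failure list (lines 22-27) names `AuthenticationFailureHandler`, but the success list (lines 31-39) has no corresponding handler step, so a reader cannot tell where post-login handling such as the redirect is decided; add the `AuthenticationSuccessHandler` step if the filter invokes one, or state that it does not. Line 20 ends "then __Failure__" without the period that line 29 has, and the seven `// FIXME` link comments should be resolved or tracked before the page is published.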