Class FormLoginAuthenticationProvider

  • All Implemented Interfaces:
    org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.authentication.AuthenticationProvider
    Direct Known Subclasses:
    EmbeddedLoginAuthenticationProvider

    public class FormLoginAuthenticationProvider
    extends org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
    An AuthenticationProvider that retrieves OAuth2UserDetails from an OAuth2UserDetailsService for use with Universal Login.

    This is useful when users are partitioned for a certain OAuth2 client, which is common when using a single authorization server within a multi-tenant scenario. In this situation, `username` alone is not enough of a unique identifier, and a client ID is needed to accurately discriminate an OAuth2UserDetails.

    Author:
    Nick Crum (ncrum)
    See Also:
    as the inspiration for this provider, for the equivalent when using embedded login.
    • Field Summary

      • Fields inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

        hideUserNotFoundExceptions, logger, messages
    • Constructor Summary

      Constructors 
      Constructor Description
      FormLoginAuthenticationProvider​(OAuth2UserDetailsService userDetailsService, org.springframework.security.core.userdetails.UserDetailsPasswordService userDetailsPasswordService, org.springframework.security.crypto.password.PasswordEncoder passwordEncoder)  
    • Method Summary

      Modifier and Type Method Description
      protected void additionalAuthenticationChecks​(org.springframework.security.core.userdetails.UserDetails userDetails, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)  
      protected org.springframework.security.core.Authentication createSuccessAuthentication​(Object principal, org.springframework.security.core.Authentication authentication, org.springframework.security.core.userdetails.UserDetails user)  
      protected org.springframework.security.crypto.password.PasswordEncoder getPasswordEncoder()  
      protected org.springframework.security.core.userdetails.UserDetailsPasswordService getUserDetailsPasswordService()  
      protected OAuth2UserDetailsService getUserDetailsService()  
      protected String getUserNotFoundEncodedPassword()
      The encoded password that PasswordEncoder.matches(CharSequence, String) is run against when the user is not found, to avoid SEC-2056.
      protected org.springframework.security.core.userdetails.UserDetails retrieveUser​(String username, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)  
      boolean supports​(Class<?> authentication)  
      • Methods inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

        afterPropertiesSet, authenticate, doAfterPropertiesSet, getPostAuthenticationChecks, getPreAuthenticationChecks, getUserCache, isForcePrincipalAsString, isHideUserNotFoundExceptions, setAuthoritiesMapper, setForcePrincipalAsString, setHideUserNotFoundExceptions, setMessageSource, setPostAuthenticationChecks, setPreAuthenticationChecks, setUserCache
    • Constructor Detail

      • FormLoginAuthenticationProvider

        public FormLoginAuthenticationProvider​(OAuth2UserDetailsService userDetailsService,
                                               org.springframework.security.core.userdetails.UserDetailsPasswordService userDetailsPasswordService,
                                               org.springframework.security.crypto.password.PasswordEncoder passwordEncoder)
    • Method Detail

      • supports

        public boolean supports​(Class<?> authentication)
        Specified by:
        supports in interface org.springframework.security.authentication.AuthenticationProvider
        Overrides:
        supports in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
      • retrieveUser

        protected final org.springframework.security.core.userdetails.UserDetails retrieveUser​(String username,
                                                                                               org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)
        Specified by:
        retrieveUser in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
      • createSuccessAuthentication

        protected org.springframework.security.core.Authentication createSuccessAuthentication​(Object principal,
                                                                                               org.springframework.security.core.Authentication authentication,
                                                                                               org.springframework.security.core.userdetails.UserDetails user)
        Overrides:
        createSuccessAuthentication in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
      • additionalAuthenticationChecks

        protected void additionalAuthenticationChecks​(org.springframework.security.core.userdetails.UserDetails userDetails,
                                                      org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)
        Specified by:
        additionalAuthenticationChecks in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider
      • getUserDetailsPasswordService

        protected org.springframework.security.core.userdetails.UserDetailsPasswordService getUserDetailsPasswordService()
      • getPasswordEncoder

        protected org.springframework.security.crypto.password.PasswordEncoder getPasswordEncoder()
      • getUserNotFoundEncodedPassword

        protected String getUserNotFoundEncodedPassword()
        The encoded password that PasswordEncoder.matches(CharSequence, String) is run against when the user is not found, to avoid SEC-2056. This is necessary because some PasswordEncoder implementations will short-circuit if the password is not in a valid format.
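
The two behaviours described on this page, lookup by client ID plus username and the user-not-found comparison, shown together as an added sketch that is not this project's code. `TenantLoginSketch`, `UserKey` and the sample clients are hypothetical, and `BCryptPasswordEncoder` is used as one encoder that returns early when the stored value is not in its own format.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical illustration; not the class documented on this page.
public class TenantLoginSketch {
    // Users are partitioned per OAuth2 client, so the lookup key is
    // (clientId, username): the same username may exist under two clients.
    record UserKey(String clientId, String username) {}

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final Map<UserKey, String> encodedPasswords = new ConcurrentHashMap<>();

    // Produced by the real encoder, so it is in a valid format and
    // matches() performs the full hash instead of returning early.
    private final String userNotFoundEncodedPassword =
            encoder.encode("userNotFoundPassword");

    void register(String clientId, String username, String rawPassword) {
        encodedPasswords.put(new UserKey(clientId, username),
                encoder.encode(rawPassword));
    }

    boolean authenticate(String clientId, String username, String presented) {
        String stored = encodedPasswords.get(new UserKey(clientId, username));
        if (stored == null) {
            // Unknown (client, user) pair: still pay for one hash comparison
            // so the response time does not reveal that the account is absent.
            encoder.matches(presented, userNotFoundEncodedPassword);
            return false;
        }
        return encoder.matches(presented, stored);
    }

    public static void main(String[] args) {
        TenantLoginSketch login = new TenantLoginSketch();
        // Constructed sample data: one username under two different clients.
        login.register("client-a", "alice", "correct horse");
        login.register("client-b", "alice", "battery staple");

        // Same username and password, three different client IDs.
        System.out.println(login.authenticate("client-a", "alice", "correct horse"));
        System.out.println(login.authenticate("client-b", "alice", "correct horse"));
        System.out.println(login.authenticate("client-c", "alice", "correct horse"));
    }
}
```

Only the first call succeeds; the third takes the user-not-found branch but still runs one BCrypt comparison before failing.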