Package com.broadleafcommerce.auth.user.session

Class FormLoginAuthenticationProvider

java.lang.Object

org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

com.broadleafcommerce.auth.user.session.FormLoginAuthenticationProvider

All Implemented Interfaces:

org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware, org.springframework.security.authentication.AuthenticationProvider

Direct Known Subclasses:

EmbeddedLoginAuthenticationProvider

public class FormLoginAuthenticationProvider
extends org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

An AuthenticationProvider that retrieves OAuth2UserDetails from a OAuth2UserDetailsService for use with Universal Login.

This is useful when users are partitioned for a certain OAuth2 client, which is common when using a single authorization server within a multi-tenant scenario. In this situation, `username` alone is not enough of a unique identifier, and a client ID is needed to accurately discriminate an OAuth2UserDetails.

Author:

Nick Crum (ncrum)

See Also:

• as the inspiration for this provider
• for the equivalent when using embedded login.

Field Summary

Fields inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

hideUserNotFoundExceptions, logger, messages

Constructor Summary

Constructors

Constructor	Description
FormLoginAuthenticationProvider(OAuth2UserDetailsService userDetailsService, org.springframework.security.core.userdetails.UserDetailsPasswordService userDetailsPasswordService, org.springframework.security.crypto.password.PasswordEncoder passwordEncoder)

Method Summary

Modifier and Type	Method	Description
protected void	additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails userDetails, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)
protected org.springframework.security.core.Authentication	createSuccessAuthentication(Object principal, org.springframework.security.core.Authentication authentication, org.springframework.security.core.userdetails.UserDetails user)
protected org.springframework.security.crypto.password.PasswordEncoder	getPasswordEncoder()
protected org.springframework.security.core.userdetails.UserDetailsPasswordService	getUserDetailsPasswordService()
protected OAuth2UserDetailsService	getUserDetailsService()
protected String	getUserNotFoundEncodedPassword()	The password used to perform PasswordEncoder.matches(CharSequence, String) on when the user is not found to avoid SEC-2056.
protected final org.springframework.security.core.userdetails.UserDetails	retrieveUser(String username, org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)
boolean	supports(Class<?> authentication)

Methods inherited from class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

afterPropertiesSet, authenticate, doAfterPropertiesSet, getPostAuthenticationChecks, getPreAuthenticationChecks, getUserCache, isForcePrincipalAsString, isHideUserNotFoundExceptions, setAuthoritiesMapper, setForcePrincipalAsString, setHideUserNotFoundExceptions, setMessageSource, setPostAuthenticationChecks, setPreAuthenticationChecks, setUserCache

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

FormLoginAuthenticationProvider

public FormLoginAuthenticationProvider(OAuth2UserDetailsService userDetailsService,
 org.springframework.security.core.userdetails.UserDetailsPasswordService userDetailsPasswordService,
 org.springframework.security.crypto.password.PasswordEncoder passwordEncoder)

Method Details

supports

public boolean supports(Class<?> authentication)

Specified by:

supports in interface org.springframework.security.authentication.AuthenticationProvider

Overrides:

supports in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

retrieveUser

protected final org.springframework.security.core.userdetails.UserDetails retrieveUser(String username,
 org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)

Specified by:

retrieveUser in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

createSuccessAuthentication

protected org.springframework.security.core.Authentication createSuccessAuthentication(Object principal,
 org.springframework.security.core.Authentication authentication,
 org.springframework.security.core.userdetails.UserDetails user)

Overrides:

createSuccessAuthentication in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

additionalAuthenticationChecks

protected void additionalAuthenticationChecks(org.springframework.security.core.userdetails.UserDetails userDetails,
 org.springframework.security.authentication.UsernamePasswordAuthenticationToken authentication)

Specified by:

additionalAuthenticationChecks in class org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider

getUserDetailsService

protected OAuth2UserDetailsService getUserDetailsService()

getUserDetailsPasswordService

protected org.springframework.security.core.userdetails.UserDetailsPasswordService getUserDetailsPasswordService()

getPasswordEncoder

protected org.springframework.security.crypto.password.PasswordEncoder getPasswordEncoder()

getUserNotFoundEncodedPassword

protected String getUserNotFoundEncodedPassword()

The password used to perform PasswordEncoder.matches(CharSequence, String) on when the user is not found to avoid SEC-2056. This is necessary, because some PasswordEncoder implementations will short circuit if the password is not in a valid format.