java, spring, http, spring-security, form-authentication

How does form-based authentication work in Spring Security?


Say a POST request was sent to some /login URL, with valid username and password parameters.

What should be in the response? Must it contain a JSESSIONID and/or other information?

How does Spring Security identify the current user? Does it use JSESSIONID filtering, or does it "look" at other information (a custom header, cookies, etc.)? By "JSESSIONID filtering" I mean (maybe this is wrong) that when a user logs in successfully, Spring Security saves the JSESSIONID to a list of successfully authenticated sessions and saves other information (like roles) into the session object. Does it work like that or not?

It would be nice if somebody could provide step-by-step raw HTTP requests/responses for the authentication, for example what the POST request should contain and what the corresponding response contains. Also, what does a request to a secured resource need to contain (some header, cookie, JSESSIONID or something else)?


Solution

  • I will try to help you:

    First: The response sets a cookie for that path; in my case my application is at localhost:port/CambioClaveDist, so when Spring Security authenticates my user, it creates a new JSESSIONID for that path: Set-Cookie: "JSESSIONID=96ABDF25EE278DD69DD1A0400702E416; Path=/CambioClaveDist"

    Second: Spring identifies an authenticated user with the JSESSIONID, yes.

    Third: I have an HTTP request/POST example:
    Authentication POST:

    POST http://localhost:8080/CambioClaveDist/j_spring_security_check
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/CambioClaveDist/index.htm?logout=true
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 92
    
    _csrf=fbd07004-cc30-4ef6-9bfb-a00ae8f8819f&username=user&password=pass&sSubmit=Enviar
    

    Request to a protected URL:

    GET http://localhost:8080/CambioClaveDist/main/index.htm
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/CambioClaveDist/index.htm?logout=true
    Cookie: JSESSIONID=96ABDF25EE278DD69DD1A0400702E416
    Connection: keep-alive
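The mechanism the answer describes, as an added example that is not part of the original post or of Spring Security's own code: a small in-memory model of the three-step exchange (fetch the login page and its CSRF token, POST the credentials to `j_spring_security_check`, then GET a protected URL carrying the `JSESSIONID` cookie). The server side is what the servlet container plus Spring Security do in outline: the cookie value is only a lookup key into a server-side session, the authenticated principal and roles live in that session (Spring Security keeps them under the session attribute `SPRING_SECURITY_CONTEXT`), and a successful login retires the old session id and issues a fresh one (session fixation protection), which is why the `Set-Cookie` in the answer appears on the login response. The context path, the user store, the `Request`/`Response` classes and the plaintext password comparison are assumptions made to keep the model self-contained.

```python
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Constructed, in-memory user store. Assumption: plaintext passwords only to keep
# the model short; a real UserDetailsService compares password hashes.
USERS = {"user": ("pass", ["ROLE_USER"])}
CONTEXT_PATH = "/CambioClaveDist"                 # matches the Path= in the answer's Set-Cookie
LOGIN_URL = CONTEXT_PATH + "/j_spring_security_check"
LOGIN_PAGE = CONTEXT_PATH + "/index.htm"


@dataclass
class Request:                                    # assumed minimal HTTP request model
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:                                   # assumed minimal HTTP response model
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class Server:
    """Models the session-cookie mechanism behind Spring Security's form login."""

    def __init__(self):
        self.sessions = {}                        # JSESSIONID -> dict of session attributes

    def _session_id(self, req):
        cookie = SimpleCookie(req.headers.get("Cookie", ""))
        sid = cookie["JSESSIONID"].value if "JSESSIONID" in cookie else None
        return sid if sid in self.sessions else None   # unknown or forged ids are ignored

    def _new_session(self, attrs=None):
        sid = secrets.token_hex(16).upper()
        self.sessions[sid] = dict(attrs or {})
        return sid

    @staticmethod
    def _set_cookie(resp, sid):
        resp.headers["Set-Cookie"] = f"JSESSIONID={sid}; Path={CONTEXT_PATH}; HttpOnly"

    def handle(self, req):
        sid = self._session_id(req)
        session = self.sessions.get(sid)

        if req.method == "GET" and req.path == LOGIN_PAGE:
            # Login page: start a session if needed and hand out a CSRF token tied to it.
            if session is None:
                sid = self._new_session()
                session = self.sessions[sid]
            token = session.setdefault("CSRF_TOKEN", secrets.token_hex(16))
            resp = Response(200, body=f"_csrf={token}")
            self._set_cookie(resp, sid)
            return resp

        if req.method == "POST" and req.path == LOGIN_URL:
            # The submitted token must match the one stored in the caller's own session.
            if session is None or req.form.get("_csrf") != session.get("CSRF_TOKEN"):
                return Response(403, body="invalid CSRF token")
            user = req.form.get("username")
            password, roles = USERS.get(user, (None, []))
            if password is None or req.form.get("password") != password:
                return Response(302, {"Location": LOGIN_PAGE + "?error"})
            # Session fixation protection: retire the pre-login id and issue a fresh one
            # that carries the authentication (principal + roles) as a session attribute.
            del self.sessions[sid]
            sid = self._new_session({"SPRING_SECURITY_CONTEXT": {"principal": user, "roles": roles}})
            resp = Response(302, {"Location": CONTEXT_PATH + "/"})
            self._set_cookie(resp, sid)
            return resp

        # Every other URL is protected: the current user is whatever the session holds.
        auth = session.get("SPRING_SECURITY_CONTEXT") if session else None
        if auth is None:
            return Response(302, {"Location": LOGIN_PAGE})
        return Response(200, body=f"hello {auth['principal']} {auth['roles']}")


def cookie_from(resp):
    """Return the JSESSIONID value a browser would store from a Set-Cookie header."""
    c = SimpleCookie(resp.headers.get("Set-Cookie", ""))
    return c["JSESSIONID"].value if "JSESSIONID" in c else None


def login_flow(server, username, password):
    """Run the three-request exchange; return (pre-login sid, post-login sid, login resp, protected resp)."""
    page = server.handle(Request("GET", LOGIN_PAGE))
    sid0 = cookie_from(page)
    csrf = page.body.split("=", 1)[1]
    login = server.handle(Request("POST", LOGIN_URL, {"Cookie": f"JSESSIONID={sid0}"},
                                  {"_csrf": csrf, "username": username, "password": password}))
    sid1 = cookie_from(login) or sid0             # no new cookie on failure: keep the old id
    protected = server.handle(Request("GET", CONTEXT_PATH + "/main/index.htm",
                                      {"Cookie": f"JSESSIONID={sid1}"}))
    return sid0, sid1, login, protected
```

Calling `login_flow(Server(), "user", "pass")` shows the id rotating between the first and second cookie, and the protected GET succeeding only with the rotated id; a request with no cookie, a wrong password, or a CSRF token that does not belong to the caller's session is turned away before any principal is attached to the session.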