Implementing Custom Authentication in Spring Security by Overriding AuthenticationProvider

In enterprise applications, you may encounter situations where the default username and password authentication method doesn't fit your needs. Sometimes, you might require various authentication methods, such as using a code from an SMS or a specific application, or even utilizing a user's fingerprint for authentication. To handle these scenarios, Spring Security allows you to implement custom authentication logic using the Authentication interface and an AuthenticationProvider.

public interface Authentication extends Principal, Serializable {
   Collection<? extends GrantedAuthority> getAuthorities();
   Object getCredentials();
   Object getDetails();
   Object getPrincipal();
   boolean isAuthenticated();
   void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
}

public interface AuthenticationProvider {
   Authentication authenticate(Authentication authentication)
           throws AuthenticationException;
   boolean supports(Class<?> authentication);
}

The Authentication interface represents the authentication request event and contains details about the entity requesting access to the application, known as the principal. Key methods in this interface include:

1. isAuthenticated(): Indicates if the authentication process is complete. 

2. getCredentials(): Provides the password or secret used in authentication. 

3. getAuthorities(): Returns the granted authorities for the authenticated request. 

4. getDetails(): Provides additional details about the request, if needed. 

The AuthenticationProvider interface defines how authentication is performed. It typically delegates user retrieval to a UserDetailsService and handles password management with a PasswordEncoder. You implement the authenticate() method to validate the authentication request, returning an authenticated object. The supports() method indicates if the AuthenticationProvider supports a particular authentication object.

To summarize, implementing authenticate() involves:

1. Throwing AuthenticationException if authentication fails. 

2. Returning null if the authentication object isn't supported. 

3. Returning a fully authenticated Authentication instance. 

The supports() method helps Spring Security to determine which AuthenticationProvider to use based on the authentication object. This flexible approach allows for rejecting authentication requests based on various criteria.

Imagine a secure vault with multiple locks, each requiring a different type of key to open. Each key represents a different authentication method: one for fingerprints, another for access cards, and a third for numerical codes. The vault manager (authentication manager) determines which lock (authentication provider) to engage based on the type of key presented. If someone tries to use a fingerprint key at the access card lock, it won't work. However, if the access card lock is selected, it will validate the access card accordingly. This setup ensures robust security while accommodating diverse access methods.

Besides testing the authentication type, Spring Security adds one more layer for flexibility. The access card lock can recognize multiple kinds of cards. In this case, when you present a card, one of the authentication providers could say, “I understand this as being a card. But it isn’t the type of card I can validate!” This happens when supports() returns true but authenticate() returns null.

Example

In the below example we implement username and password authentication method which is same as default authentication approach.

Project Structure

Output