Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. This Developer Center contains the guides for Commerce 6.13.0 through 7.4.1.

This version of Elastic Path Commerce is no longer supported or maintained. To upgrade to the latest version, contact your Elastic Path representative.

Authentication process

This section describes Spring Security's authentication process for a user logging into Elastic Path Commerce through the sign-in.ep web login.

When a user signs in, the Elastic Path sign-in HTML form posts the user's login information (a username and password) to the /j_acegi_security_check.ep URL, which is configured in security.xml. Spring Security's authentication manager is configured in the same file to use the customerAuthenticationDao bean for authentication. That bean references an instance of CustomerAuthenticationDaoImpl, an Elastic Path object wired into Spring Security in security.xml.

CustomerAuthenticationDaoImpl implements the Spring Security interface UserDetailsService. Spring Security invokes its loadUserByUsername method to retrieve the record for the user signing in; CustomerAuthenticationDaoImpl looks up and returns the Customer object for the given username (the customer's email address). The Customer object implements the Spring Security UserDetails interface, which is what Spring Security queries for the stored password and the account status flags (enabled, non-locked, non-expired) of the user attempting to log in. Only if the account status checks pass and the submitted password matches the stored one does Spring Security mark the user as authenticated; a failed lookup, a wrong password and a disabled or locked account are all rejected before any authentication state is recorded.

Spring Security holds the authenticated state in a SecurityContext, accessed through the SecurityContextHolder. Within a request the holder keeps the SecurityContext in a ThreadLocal, so it is visible to the thread serving that request and to no other; between web requests the context is saved to and restored from the HTTP session by the Spring Security filter chain, which is how the login survives from one request to the next. The SecurityContext itself contains a single getter/setter for the Authentication object that stores the user's authentication status.
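The following is an added example of the pieces described above, not code from Elastic Path Commerce or from the Spring Security project. It pairs a stand-in for the Customer entity (DemoCustomer, implementing UserDetails) with a stand-in for CustomerAuthenticationDaoImpl (DemoCustomerAuthenticationDao, implementing UserDetailsService), wires them into a DaoAuthenticationProvider the way security.xml wires the customerAuthenticationDao bean, and then exercises a successful login, a wrong password, a disabled account, and the ThreadLocal scope of SecurityContextHolder. The class names, sample accounts and passwords are constructed for the example. It is written against the Spring Security 5 package names; the Acegi-era naming on this page (/j_acegi_security_check) used different packages, so treat the imports as an assumption to adjust for the version in use.

```java
// Added example: a minimal UserDetailsService/UserDetails pairing driven through
// DaoAuthenticationProvider. Not Elastic Path code; Spring Security 5 API assumed.
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class CustomerLoginDemo {

    /** Stand-in for the Customer entity (hypothetical name). Implements UserDetails so
     *  Spring Security can read the stored password hash and the account status flags. */
    static final class DemoCustomer implements UserDetails {
        private final String email;
        private final String passwordHash;
        private final boolean enabled;

        DemoCustomer(String email, String passwordHash, boolean enabled) {
            this.email = email;
            this.passwordHash = passwordHash;
            this.enabled = enabled;
        }

        @Override public String getUsername() { return email; }
        @Override public String getPassword() { return passwordHash; } // a hash, never plaintext
        @Override public Collection<? extends GrantedAuthority> getAuthorities() {
            return Collections.singletonList(new SimpleGrantedAuthority("ROLE_CUSTOMER"));
        }
        @Override public boolean isEnabled() { return enabled; }
        @Override public boolean isAccountNonExpired() { return true; }
        @Override public boolean isAccountNonLocked() { return true; }
        @Override public boolean isCredentialsNonExpired() { return true; }
    }

    /** Stand-in for CustomerAuthenticationDaoImpl (hypothetical name): resolves the
     *  username (email) to a UserDetails, or reports that no such customer exists. */
    static final class DemoCustomerAuthenticationDao implements UserDetailsService {
        private final Map<String, DemoCustomer> customers = new HashMap<>();

        void add(DemoCustomer c) { customers.put(c.getUsername(), c); }

        @Override public UserDetails loadUserByUsername(String email) {
            DemoCustomer c = customers.get(email);
            if (c == null) {
                // DaoAuthenticationProvider rewraps this as BadCredentialsException by default
                // (hideUserNotFoundExceptions=true), so an unknown address and a wrong
                // password are indistinguishable to the client.
                throw new UsernameNotFoundException("no customer with email " + email);
            }
            return c;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        DemoCustomerAuthenticationDao dao = new DemoCustomerAuthenticationDao();
        // Constructed sample accounts; the second one is disabled.
        dao.add(new DemoCustomer("alice@example.com", encoder.encode("correct horse"), true));
        dao.add(new DemoCustomer("bob@example.com", encoder.encode("hunter2"), false));

        // Java equivalent of the security.xml wiring: provider -> userDetailsService bean.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(dao);
        provider.setPasswordEncoder(encoder);

        // 1. What the form post to /j_acegi_security_check.ep amounts to on success:
        //    authenticate the token, then store the result in the SecurityContext.
        Authentication request =
                new UsernamePasswordAuthenticationToken("alice@example.com", "correct horse");
        Authentication result = provider.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println("authenticated=" + result.isAuthenticated()
                + " principal=" + ((UserDetails) result.getPrincipal()).getUsername());

        // 2. A wrong password fails the password check; a disabled account fails the
        //    status check before the password is even compared. Neither touches the context.
        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("alice@example.com", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("wrong password rejected: " + e.getClass().getSimpleName());
        }
        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("bob@example.com", "hunter2"));
        } catch (DisabledException e) {
            System.out.println("disabled account rejected: " + e.getClass().getSimpleName());
        }

        // 3. The holder is ThreadLocal: another thread sees no Authentication (prints null).
        Thread other = new Thread(() -> System.out.println("other thread sees: "
                + SecurityContextHolder.getContext().getAuthentication()));
        other.start();
        other.join();
    }
}
```

Two points worth checking in a real deployment follow directly from the example: the password encoder configured on the provider must match the format in which customer passwords are stored (the example uses BCrypt for both encode and verify), and step 3 shows why a login is invisible to a second thread or a second request unless the filter chain has written the context to the HTTP session.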