Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. The Developer Center continues to support Commerce 6.13.0 through 7.4.1.Visit new site

Authorization process

Authorization process

This section describes the authorization process for a signed in user who is attempting to access another page.

When a signed-in user attempts to access a page, Spring Security URL filters intercept the request and check if the user has permission to access the page. Page permissions are defined in security.xml as part of the <intercept-url> element. See Spring Security Filters for information on the URL filters. Spring Security's AuthenticationManager is wired to the customerAuthenticationDao bean in security.xml. The customerAuthenticationDao bean references an instance of CustomerAuthenticationDaoImpl, which is a class that implements the Spring Security UserDetailsService interface. UserDetailsService's loadUserByUsername method is invoked by Spring Security to retrieve customer information about the user signing in. If the user cannot be found, or the user's credentials do not match the access role defined in the <intercept-url>, the user is denied access to the URL and transfered to the sign-in.ep URL.