
Spring Security Authentication Manager

Spring Security Authentication Manager

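Spring Security's authentication service is defined in security.xml, which is located in <Web App Source>/WEB-INF/conf/spring/security. The <authentication-manager> element of security.xml defines the bean Spring Security uses for authentication. In Elastic Path Commerce, authentication is handled by the customerAuthenticationDao bean. The XML examples below show how the <authentication-manager> element is wired to the customerAuthenticationDao bean. The same listing also registers a second provider that falls back to saltless SHA-1 password encoding, and includes a commented-out upgradingCustomerDaoAuthenticationProvider entry that the file's comments describe as the way to upgrade those passwords transparently after authentication.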

Authentication Manager Bean

         storefront/ep-storefront/src/main/resources/spring/security/security.xml
	<!-- Authentication providers for the storefront. Spring Security's ProviderManager consults the providers
	in the order they are declared here, so the order of the child elements is significant. -->
	<authentication-manager>
		<!-- Primary provider: users are loaded through customerAuthenticationDao and the submitted password is
		checked with passwordEncoder, salted through customerSaltSource. Neither passwordEncoder nor
		customerSaltSource is defined in this excerpt, so the algorithm in use cannot be read from here. -->
		<authentication-provider user-service-ref="customerAuthenticationDao">
			<password-encoder ref="passwordEncoder">
				<salt-source ref="customerSaltSource" />
			</password-encoder>
		</authentication-provider>

		<!-- To enable transparent upgrading of customer password encryption after authentication in Storefront,
		remove the customerAuthenticationDao authentication-provider and uncomment the upgradingCustomerDaoAuthenticationProvider
		authentication-provider. -->
		<!-- NOTE(review): two providers in this element reference customerAuthenticationDao. The instruction above
		presumably means the saltless SHA-1 fallback provider directly below; confirm before editing. -->

		<!-- The customerAuthenticationDao provider allows fallback to saltless SHA-1 encoding -->
		<!-- Security note: unsalted SHA-1 digests are cheap to compute and are identical for identical passwords,
		so stored values in this format give little protection against offline guessing if the customer table
		is ever exposed. Keep this fallback only while such stored passwords remain, and prefer the upgrading
		provider below so that they are replaced as customers sign in. -->
		<authentication-provider user-service-ref="customerAuthenticationDao">
			<password-encoder ref="sha1PasswordEncoder"/>
		</authentication-provider>

		<!-- The upgradingCustomerDaoAuthenticationProvider provider allows a transparent upgrade after fallback to saltless SHA-1 encoding -->
		<!-- Disabled by default: the element below is commented out, so no upgrade takes place until it is enabled. -->
		<!--  authentication-provider ref="upgradingCustomerDaoAuthenticationProvider" / -->

		<!-- Last provider in the chain. guestAuthenticationProvider is defined outside this excerpt;
		presumably it handles guest (anonymous shopper) sessions. TODO confirm. -->
		<authentication-provider ref="guestAuthenticationProvider" />
	</authentication-manager>

  <!-- Post-login redirect handler. SavedRequestAwareAuthenticationSuccessHandler sends the user back to the
  request that triggered the login when one was saved, and otherwise to defaultTargetUrl. No targetUrlParameter
  is configured here, so the destination is not read from a request parameter. The element that references
  this handler is not part of this excerpt. -->
  <beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <!-- Landing page used when there is no saved request to return to. -->
    <beans:property name="defaultTargetUrl" value="/manage-account.ep"/>
  </beans:bean>

  <!-- User lookup bean for storefront authentication. It is referenced as user-service-ref by the
  authentication providers and as userDetailsService by upgradingCustomerDaoAuthenticationProvider.
  The definition inherits from txProxyTemplate, which is declared outside this excerpt; presumably a
  transactional proxy around the target bean. TODO confirm. -->
  <beans:bean id="customerAuthenticationDao" parent="txProxyTemplate">
    <beans:property name="target">
      <!-- Inner bean: the implementation wrapped by the parent template. -->
      <beans:bean class="com.elasticpath.persistence.impl.CustomerAuthenticationDaoImpl">
        <beans:property name="persistenceEngine" ref="persistenceEngine" />
        <beans:property name="customerService" ref="customerService" />
        <!-- storeConfig is supplied by the threadLocalStorage bean; presumably this scopes customer
        lookups to the store bound to the current request thread. Verify against the implementation. -->
        <beans:property name="storeConfig" ref="threadLocalStorage" />
      </beans:bean>
     </beans:property>
  </beans:bean>

  <!--  The following provider allows a transparent upgrade after fallback to saltless SHA-1 encoding -->
  <!-- Defining this bean does not activate it: it takes part in authentication only once it is referenced
  from the authentication-manager element, where the reference is commented out in this file.
  NOTE(review): the class is not shown here. Presumably it re-encodes a customer's password with the current
  encoder after a successful match against the saltless SHA-1 value, so the weak stored value is replaced at
  the next login. Confirm against UpgradingCustomerDaoAuthenticationProvider. -->
    <beans:bean id="upgradingCustomerDaoAuthenticationProvider"
    	class="com.elasticpath.service.security.impl.UpgradingCustomerDaoAuthenticationProvider">
    	
   		<!-- Presumably used to persist the upgraded password. TODO confirm. -->
   		<beans:property name="customerService" ref="customerService" />
   		<!-- Same user lookup bean the other customer providers use. -->
   		<beans:property name="userDetailsService" ref="customerAuthenticationDao" />
   		<beans:property name="saltSource" ref="customerSaltSource" />
   		<!-- The encoder wired here is the SHA-1 one, matching the fallback role described above. -->
   		<beans:property name="passwordEncoder" ref="sha1PasswordEncoder" />
    </beans:bean>