Tuesday, June 25, 2013

Spring Security and HYBRIS

To start with,

Don't worry about the j_.. names in Spring; they are all well set in their respective places.
There are filters that take care of handling them properly.

All you need to do is configure web.xml to add the Spring Security filters, and then add a spring-security.xml file.

Add all the URLs for which you want to use the secure HTTP layer (HTTPS) as below:
<security:intercept-url pattern="/checkout/j_spring_security_check" requires-channel="https" />
<security:intercept-url pattern="/login" requires-channel="https" />
<security:intercept-url pattern="/login/**" requires-channel="https" />
<security:intercept-url pattern="/j_spring_security_check" requires-channel="https" />
<security:intercept-url pattern="/logout" requires-channel="https" />

Carefully add the URLs for which you want HTTPS; the rest will be ignored.

AuthenticationManager - handles authentication requests from other parts of the framework.

There is AuthenticationProvider, which manages how and where you want the user to be validated,
i.e. whether you want it to be file-based, database, LDAP, etc.

In Hybris, the authenticationProvider is AcceleratorAuthenticationProvider.

Once the authentication provider approves the user, the loginGuidAuthenticationSuccessHandler handles the setting of GUID in a cookie.
<security:form-login
                login-page="/login"
                authentication-failure-handler-ref="loginAuthenticationFailureHandler"
                authentication-success-handler-ref="loginGuidAuthenticationSuccessHandler" />

Session management:
<security:session-management session-fixation-protection="none" />
Here you can specify how to handle the session; above it is "none" as they use a GUID.
You can also set conditions such as whether multiple logins for a user are allowed, and how to handle them.
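
The pieces above assembled into one spring-security.xml, as an added example that is not from the original post or from Hybris. The bean id acceleratorAuthenticationProvider is an assumption, the two handler beans are taken to be defined elsewhere in the storefront, and the migrateSession and concurrency-control settings go beyond the "none" setting used above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <security:http>
    <!-- URLs that carry credentials or session changes are forced onto HTTPS -->
    <security:intercept-url pattern="/checkout/j_spring_security_check" requires-channel="https" />
    <security:intercept-url pattern="/login" requires-channel="https" />
    <security:intercept-url pattern="/login/**" requires-channel="https" />
    <security:intercept-url pattern="/j_spring_security_check" requires-channel="https" />
    <security:intercept-url pattern="/logout" requires-channel="https" />

    <!-- Handler bean names as given in the post; assumed to be defined elsewhere -->
    <security:form-login
        login-page="/login"
        authentication-failure-handler-ref="loginAuthenticationFailureHandler"
        authentication-success-handler-ref="loginGuidAuthenticationSuccessHandler" />

    <!-- The post's setting, session-fixation-protection="none", leaves the
         session ID unchanged at login. -->

    <!-- Alternative for an application without a GUID handler: migrateSession
         (the Spring Security 3.0 default) creates a new session at login and
         copies the existing attributes into it. -->
    <security:session-management session-fixation-protection="migrateSession">
      <!-- One session per user; a further login is refused. Needs
           HttpSessionEventPublisher registered as a listener in web.xml. -->
      <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </security:session-management>
  </security:http>

  <security:authentication-manager>
    <!-- Assumed bean id for the AcceleratorAuthenticationProvider -->
    <security:authentication-provider ref="acceleratorAuthenticationProvider" />
  </security:authentication-manager>
</beans>
```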


AccessDeniedException exceptions arising out of Spring Security are handled via ExceptionTranslationFilter.
https://docs.spring.io/spring-security/site/docs/3.0.x/reference/core-web-filters.html
...........to be continued.

Wednesday, June 13, 2007

IT will always b there........""dimag ko tan""........

but believe me.......thats life...........