Typical Authentication Process

A typical web application's authentication process looks like this [1]:

  1. You visit the home page, and click on a link.
  2. A request goes to the server, and the server decides that you've asked for a protected resource.
  3. As you're not presently authenticated, the server sends back a response indicating that you must authenticate. The response will either be:
    1. an HTTP response code
    2. a redirect to a particular web page
  4. Depending on the authentication mechanism, your browser will either:
    1. redirect to the specific web page so that you can fill out the form
    2. retrieve your identity some other way (for example, from a BASIC authentication dialog box, a cookie, or an X.509 certificate).
  5. The browser will send back a response to the server. This will be either:
    1. an HTTP POST containing the contents of the form that you filled out
    2. an HTTP header containing your authentication details
  6. The server will decide whether or not the presented credentials are valid.
    1. If they're valid, the process will proceed to Step 7.
    2. If they're invalid, usually your browser will be asked to try again (so you return to Step 2 above).
  7. The original request that triggered the authentication process will be retried.
    1. If you've authenticated with sufficient granted authorities, you can access the protected resource and the request will succeed.
    2. Otherwise, you'll receive back an HTTP error code 403, which means "forbidden".
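
The seven steps above, simulated end to end as an added example (not code from this page or from Spring Security): a minimal server that handles both mechanisms the text names (a form login and an HTTP BASIC challenge), remembers the original request so it can be replayed in step 7, and keeps "must authenticate" (401 or a redirect) distinct from "forbidden" (403). The user store, paths, salt, iteration count and realm are constructed for the demo.

```python
import base64, hashlib, hmac
def _h(pw: str) -> bytes:   # password hash; salt and iteration count are constructed demo values
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 50_000)
USERS = {"alice": (_h("alice-pw"), {"ROLE_USER"})}            # constructed: name -> (hash, authorities)
PROTECTED = {"/reports": "ROLE_USER", "/admin": "ROLE_ADMIN"}  # constructed: path -> required authority

def valid(user: str, pw: str) -> bool:
    stored = USERS[user][0] if user in USERS else _h("?")    # hash for unknown users too (uniform timing)
    return hmac.compare_digest(stored, _h(pw)) and user in USERS

def server(req: dict, session: dict, mechanism: str) -> dict:
    """Server side of steps 2, 3, 6 and 7; mechanism is 'form' or 'basic'."""
    path, headers = req["path"], req.get("headers", {})
    if mechanism == "form" and path == "/login" and req.get("method") == "POST":
        form = req["form"]
        if not valid(form["username"], form["password"]):    # step 6.2: asked to try again
            return {"status": 302, "location": "/login?error"}
        session["user"] = form["username"]                    # step 6.1: credentials accepted
        return {"status": 302, "location": session.pop("saved", "/")}   # step 7: replay original request
    user = session.get("user")
    auth = headers.get("Authorization", "")
    if user is None and mechanism == "basic" and auth.startswith("Basic "):
        u, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        user = u if valid(u, pw) else None
    required = PROTECTED.get(path)
    if required is None:
        return {"status": 200}                                # public resource
    if user is None:                                          # step 3: must authenticate first
        if mechanism == "basic":
            return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="demo"'}}
        session["saved"] = path                               # remember what was asked for
        return {"status": 302, "location": "/login"}
    if required not in USERS[user][1]:                        # step 7.2: authenticated but not authorised
        return {"status": 403}
    return {"status": 200}                                    # step 7.1

def browser_flow(mechanism: str, target: str, user: str, pw: str) -> list:
    """Browser side of steps 1-7; returns (status, redirect location) for each response seen."""
    session, seen = {}, []
    resp = server({"path": target}, session, mechanism)
    seen.append((resp["status"], resp.get("location")))
    if resp["status"] == 401:                                 # steps 4.2/5.2: credentials go in a header
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        resp = server({"path": target, "headers": {"Authorization": "Basic " + token}}, session, mechanism)
    elif resp["status"] == 302:                               # steps 4.1/5.1: fill out and POST the form
        resp = server({"path": "/login", "method": "POST", "form": {"username": user, "password": pw}}, session, mechanism)
        seen.append((resp["status"], resp.get("location")))
        resp = server({"path": resp["location"].split("?")[0]}, session, mechanism)   # follow the redirect
    seen.append((resp["status"], resp.get("location")))
    return seen
```

A wrong password with the form mechanism ends back at the login page (step 2 again), while a valid login that lacks the required authority ends in 403 rather than another login prompt.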

See Also

Authentication Use Case: Archibus Security

Authentication Use Case: LDAP

Authentication Use Case: Single Sign-On (SSO)

References

1. Spring Security framework documentation: http://static.springframework.org/spring-security/site/index.html