I am working to set up an authorization server and using the Spring Authorization Server framework for this task. The basic setup is working; it accepts user and password together and authenticates the user.
Now my requirement is, instead of taking user and password together, to use a custom state machine like in the diagram below. When a user initiates authentication it will ask for the username only, then it will decide the next state based on the username, and so on. Once the user reaches the End state, authentication will complete (exception handling will also be part of this transition).
I just wanted to know where and how to plug my state machine into the Spring Security filters/configuration.
Example code which I want to attach in some filter to take control of authentication:
import java.io.IOException;
import java.util.Arrays;
import java.util.UUID;
import jakarta.servlet.http.Cookie;          // javax.servlet.http.* on Spring Boot 2 / Spring Security 5
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public boolean authenticate(HttpServletRequest request, HttpServletResponse response) throws IOException {
    // getCookies() returns null (not an empty array) when the request carries no Cookie header
    Cookie[] cookies = request.getCookies() == null ? new Cookie[0] : request.getCookies();
    Cookie sessionCookie = Arrays.stream(cookies)
            .filter(cookie -> cookie.getName().equals("session"))
            .findFirst().orElse(null);
    CustomSession customSession = null;
    if (sessionCookie != null) {
        // the cookie value is attacker-controlled input; look it up, never trust it as-is
        customSession = getSessionFromDB(sessionCookie.getValue());
    }
    if (customSession == null) {
        String sessionId = UUID.randomUUID().toString(); // one random id, used for both the record and the cookie
        customSession = new CustomSession();
        customSession.setSessionId(sessionId);
        customSession.setCurrentState(new InitState());
        Cookie cookie = new Cookie("session", sessionId);
        cookie.setHttpOnly(true); // keep the in-progress login session out of reach of page scripts
        cookie.setSecure(true);   // only send it over TLS
        cookie.setPath("/");
        response.addCookie(cookie);
    }
    State currentState = customSession.getCurrentState();
    State nextState = currentState.next(request, response);
    customSession.setCurrentState(nextState);
    saveSessionToDB(customSession);
    if (nextState instanceof EndState) {
        // Authenticate user here
        return true;
    } else {
        // intermediate state: write the prompt for the next step and stop
        response.getWriter().print(nextState);
    }
    return false;
}

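One way to wire that method into the Spring Security filter chain, as an added example that is not the poster's code: a OncePerRequestFilter registered before UsernamePasswordAuthenticationFilter in the default (login) SecurityFilterChain. It assumes Spring Security 6 (jakarta.servlet) and a hypothetical StateMachineAuthenticator whose authenticate() returns the username once EndState is reached and null while the flow is still in progress; with Spring Authorization Server this goes in the application chain, not in the authorization server's own chain.

```java
import java.io.IOException;
import java.util.List;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

class StateMachineAuthenticationFilter extends OncePerRequestFilter {
    private final StateMachineAuthenticator authenticator; // hypothetical wrapper around the question's authenticate()
    private final HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
    StateMachineAuthenticationFilter(StateMachineAuthenticator authenticator) { this.authenticator = authenticator; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if (!("POST".equals(request.getMethod()) && "/login".equals(request.getServletPath()))) {
            chain.doFilter(request, response); // not the login endpoint: pass through untouched
            return;
        }
        // Assumed contract: returns the username once EndState is reached, null while still mid-flow.
        String username = authenticator.authenticate(request, response);
        if (username == null) {
            return; // the intermediate state already wrote its prompt; do not continue the chain
        }
        var ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(UsernamePasswordAuthenticationToken.authenticated(
                username, null, List.of(new SimpleGrantedAuthority("ROLE_USER"))));
        SecurityContextHolder.setContext(ctx);
        repo.saveContext(ctx, request, response); // persist it, or the next request is anonymous again
        chain.doFilter(request, response);
    }
}

@Configuration
class StateMachineSecurityConfig {
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http, StateMachineAuthenticator authenticator) throws Exception {
        http.authorizeHttpRequests(a -> a.requestMatchers("/login").permitAll().anyRequest().authenticated())
            .addFilterBefore(new StateMachineAuthenticationFilter(authenticator), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

For the authorization code flow the final chain.doFilter is usually replaced by a redirect back to the saved /oauth2/authorize request, which is what the form-login filter would have done.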