We have one controller method where we have used @RequiredHardLogin which is redirecting unauthenticated user to login page. But where exactly this logic is written? We don't have any such thing in Handler class. Is it in filter? If yes which filter?
RequireHardLoginEvaluator is the class which checks whether the customer is "hard-login" or not. This class is under package de.hybris.platform.yacceleratorstorefront.security.evaluator.impl
RequireHardLoginBeforeControllerHandler is the handler which checks whether the method has @RequireHardLogIn annotation or not. This class is under package de.hybris.platform.yacceleratorstorefront.interceptors.beforecontroller.
Bean definition of RequireHardLoginBeforeControllerHandler is defined in spring-mvc-config.xml which is located under yacceleratorstorefront/web/webroot/WEB-INF/config folder.
This bean definition put into the list beforeControllerHandlersList which is used with BeforeControllerHandlerInterceptor.
Finally, this interceptor defined under <mvc:interceptors> so that it works with controllers.
As a summary, it's using Spring's functionality which is provided with preHandle() method of HandlerInterceptorAdapter