Spring Security Architecture

-

 Spring Security is a well made and powerful authentication and authorization framework used for securing Spring-based applications. The underlying value is how quickly and easily it can be configured and extended to meet most business requirements. However, because it’s so configurable it can be daunting to set up and understand how to quickly get it running for your application. This 5 part series will take you through a real-world example from start to finish.

Other Articles

Overview

If you’re new to Spring and you haven’t set up a projet yet then take a look at Getting started with Spring Framework for Web Apps.

Spring Security does a lot of work with a very little configuration. It’s important to have a solid understanding how its architected with regard to web servlet based applications. Spring Security is based on the use of servlet filter chains. It injects itself into the servlet chain to determine if a request needs a user to be authentication, whether the user has authorization, etc.

Servlet filters intercept a request from a client and can inspect or change the request before it gets to the servlet engine. Here’s a high level architecture.

Client => filter0 => filter1 => filter2 => filterN => Servlet

Spring Security injects its own FilterChainProxy into the servlet’s filter chain which then executes a SecurityFilterChain. The security filter chain contains as many Security Filters as needed based on configuration.

Client => filter0 => DelegatingFilterProxy =|                   ---> filter2 => filterN => Servlet
        v-----------------------------------|                   |
        FilterChainProxy => SecurityFilterChain -|              |  
        v----------------------------------------|              |  
        securityFilter0 => securityFilter1 => securityFilterN --^

Spring Security has a specific order it executes its filters in. From a security perspective, the order of filters matters. It typically is not necessary to understand or know the ordering of Spring Security filter instances. However, there are times that it is beneficial to know the ordering.

  • ForceEagerSessionCreationFilter
  • ChannelProcessingFilter
  • WebAsyncManagerIntegrationFilter
  • SecurityContextPersistenceFilter
  • HeaderWriterFilter
  • CorsFilter
  • CsrfFilter
  • LogoutFilter
  • OAuth2AuthorizationRequestRedirectFilter
  • Saml2WebSsoAuthenticationRequestFilter
  • X509AuthenticationFilter
  • AbstractPreAuthenticatedProcessingFilter
  • CasAuthenticationFilter
  • OAuth2LoginAuthenticationFilter
  • Saml2WebSsoAuthenticationFilter
  • UsernamePasswordAuthenticationFilter
  • DefaultLoginPageGeneratingFilter
  • DefaultLogoutPageGeneratingFilter
  • ConcurrentSessionFilter
  • DigestAuthenticationFilter
  • BearerTokenAuthenticationFilter
  • BasicAuthenticationFilter
  • RequestCacheAwareFilter
  • SecurityContextHolderAwareRequestFilter
  • JaasApiIntegrationFilter
  • RememberMeAuthenticationFilter
  • AnonymousAuthenticationFilter
  • OAuth2AuthorizationCodeGrantFilter
  • SessionManagementFilter
  • ExceptionTranslationFilter
  • FilterSecurityInterceptor
  • SwitchUserFilter

In part 1, we’ll be taking advantage of the SecurityFilterChain where we’ll configure and see the filters in action.

That’s an overview of Spring Security filter architecture. For a more comprehensive review refer to the Spring Security documentation.

Comments

Post a Comment

Popular posts from this blog

Max Upload File Size in Spring Framework

-
  Spring framework comes preconfigured with default upload file size and max request size. You can modify the sizes with application settings. Settings max-file-size  specifies the maximum size permitted for uploaded files. The default is 1MB max-request-size  specifies the maximum size allowed for multipart/form-data requests. The default is 10MB. Error exceeding max file size Java with Spring 6 will throw a  MaxUploadSizeExceededException  exception when the max size is exceeded. threw exception [ Request processing failed: org . springframework . web . multipart . MaxUploadSizeExceededException : Maximum upload size exceeded ] with root cause org . apache . tomcat . util . http . fileupload . impl . FileSizeLimitExceededException : The field image exceeds its maximum permitted size of 1048576 bytes . at org . apache . tomcat . util . http . fileupload . impl . FileItemStreamImpl $ 1 . raiseError ( FileItemStreamImpl . java : 117 )...
Read more

Use Java Enums with JPA

-
Java Persistence API (JPA) is a widely used standard for object-relational mapping (ORM) in Java applications. One of the common challenges when working with JPA is mapping database columns to Java enums. This can be especially challenging if the database column is not a string, such as when using an integer or a byte as the database column type. In this article, we will explore how to use Java enums with JPA. Mapping Java enums to database columns Before we dive into the details of how to use Java enums with JPA, let's first discuss how JPA maps Java enums to database columns. JPA provides two basic ways to map Java enums to database columns: Ordinal-based mapping : This maps the enum's ordinal value (the position of each enum value in the enum declaration) to the database column. For example, if we have an enum named Status with values ACTIVE, INACTIVE, and SUSPENDED, ACTIVE will have an ordinal value of 0, INACTIVE will have an ordinal value of 1, and so on. Name-based mappi...
Read more

Spring Security part 3 - OidcUser

-
  In the last article, I showed you how to return your own   UserDetails   object via a bean interface for username/password authentication. But what if you want to use OAuth authentication too? Spring Security works differently with OAuth but with a little engineering we can bring it all together into a cohesive solution. Other Articles Architecture -  Spring Security Architecture Part 1 -  Security configuration Part 2 -  How to handle UserDetails gracefully Part 3 -  UserDetails for OAuth authentication Part 4 -  Handling GrantedAuthorities with custom roles/permissions Part 5 -  Security tags for Freemarker If you’re new to Spring, you should take a look at  Getting started with Spring Framework for Web Apps OidcUser You’ve already learned about  UserDetails  but do you know about its cousin [OidcUser](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/core/oidc/user/OidcUser.ht...
Read more