Packages

| Package | Purpose |
|---|---|
| spring-security-core | core support for authentication, access control and method-level security; usable in non-web applications as well |
| spring-security-web | servlet filter chain and other web support for Spring Security |
| spring-security-config | the Spring Security XML namespace and Java configuration (annotations such as @EnableWebSecurity) |
| spring-boot-starter-security | a Spring Boot starter that pulls in spring-security-config and spring-security-web (plus their transitive dependencies) together with Boot's security auto-configuration |
Architecture
- https://www.javainuse.com/webseries/spring-security-jwt/chap3
- https://spring.io/guides/topicals/spring-security-architecture
1 Filters
Every incoming request is intercepted by the Spring Security filter chain before it reaches the DispatcherServlet. This is where authentication takes place and, further down the same chain, where authorization is enforced.
Which authentication filter handles a request depends on how the credentials are presented, for example:
- BasicAuthenticationFilter (HTTP Basic Authorization header)
- UsernamePasswordAuthenticationFilter (form login POST)
- etc
A filter only acts on requests that carry its kind of credentials; a request without any passes through to the authorization check, which rejects it if the endpoint requires an authenticated user.
2 Authentication Object Creation
When the appropriate authentication filter intercepts the request it extracts the credentials from the request and creates an Authentication object.
If the extracted credentials are a username and password, a UsernamePasswordAuthenticationToken is created. At this point the token is unauthenticated: its principal is just the username string and it carries no granted authorities.
3 AuthenticationManager
AuthenticationManager is only an interface; the standard implementation of its authenticate() method is ProviderManager.
| Field | Authentication (request, before authentication) | Authentication (after authentication) |
|---|---|---|
| principal | username (String) | User object (UserDetails) |
| granted authorities | empty | ROLE_ADMIN, etc |
| authenticated | false | true |

The authenticate() method of the AuthenticationManager is invoked with the Authentication object created by the filter. On success it returns a fully populated Authentication object; on failure it throws an AuthenticationException (for example BadCredentialsException), which the filter turns into a 401 or a redirect to the login page.
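The before/after table above can be reproduced without a web container, because everything in steps 2 to 6 lives in spring-security-core. The following is an added example, not code from the original page or from the Spring Security project: it wires a DaoAuthenticationProvider over an in-memory UserDetailsService into a ProviderManager and runs one good and two bad login attempts through it. The user name "alice", the password and the role are constructed sample data; the static factory UsernamePasswordAuthenticationToken.unauthenticated() assumes Spring Security 5.7 or later.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/** Non-web walkthrough of the Authentication object before and after authenticate(). */
public class AuthenticationWalkthrough {

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Step 6: a UserDetailsService. Constructed sample user; only the bcrypt hash is stored.
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("alice")
                    .password(encoder.encode("correct horse battery staple"))
                    .roles("ADMIN")
                    .build());

        // Step 5: DaoAuthenticationProvider loads the user through the UserDetailsService and
        // compares the submitted password against the stored hash with the same PasswordEncoder.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        // Steps 3 and 4: ProviderManager is the AuthenticationManager implementation.
        AuthenticationManager manager = new ProviderManager(List.of(provider));

        // Step 2: what a filter builds from the request (principal = username, authenticated = false).
        Authentication request = UsernamePasswordAuthenticationToken
                .unauthenticated("alice", "correct horse battery staple");
        describe("before", request);

        // Step 3: authenticate() returns a new, fully populated Authentication on success.
        Authentication result = manager.authenticate(request);
        describe("after", result);

        // Failure path: a wrong password and an unknown username both surface as
        // BadCredentialsException, because DaoAuthenticationProvider hides
        // UsernameNotFoundException by default. The caller therefore cannot tell
        // the two apart and use the login endpoint to enumerate valid usernames.
        for (String[] attempt : new String[][] {{"alice", "wrong"}, {"nobody", "anything"}}) {
            try {
                manager.authenticate(
                        UsernamePasswordAuthenticationToken.unauthenticated(attempt[0], attempt[1]));
            } catch (BadCredentialsException e) {
                System.out.println("rejected " + attempt[0] + ": " + e.getMessage());
            }
        }
    }

    private static void describe(String label, Authentication a) {
        System.out.println(label
                + " principal=" + a.getPrincipal().getClass().getSimpleName()
                + " authorities=" + a.getAuthorities()
                + " authenticated=" + a.isAuthenticated()
                + " credentials=" + a.getCredentials());
    }
}
```

Running it shows the transition from the table: the principal changes from a String to a User, the authorities go from empty to ROLE_ADMIN, and authenticated flips from false to true. The "after" credentials are null because ProviderManager erases credentials from the returned Authentication (and from the User principal) by default, so the plaintext password and the stored hash do not linger in the SecurityContext.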
4 ProviderManager
The ProviderManager holds a list of AuthenticationProviders. From its authenticate() method it calls the authenticate() method of each provider whose supports() method accepts the incoming Authentication type, and returns the authenticated Authentication object (the "principal Authentication object" in the diagrams) from the first provider that succeeds. If none of its own providers can handle the request it delegates to its parent AuthenticationManager, if one is configured.
5 AuthenticationProvider
AuthenticationProvider is an interface with two methods: authenticate(), which performs the check, and supports(), which tells the ProviderManager which Authentication type the provider can handle.
It has various implementations, for example:
- CasAuthenticationProvider
- DaoAuthenticationProvider (handles UsernamePasswordAuthenticationToken by loading the user through a UserDetailsService)
- etc
The ProviderManager selects the provider whose supports() accepts the Authentication object produced by the filter, and it is inside that implementation's authenticate() method that the actual credential check takes place.
6 UserDetailsService
It has various implementations, for example:
- CachingUserDetailsService
- JdbcDaoImpl
- InMemoryUserDetailsManager
- etc
The implementation in use decides where the user record comes from.
It is responsible for loading the stored user record (a UserDetails with username, password hash and granted authorities) against which the submitted credentials are checked.
With AuthenticationProvider
The DaoAuthenticationProvider uses the UserDetailsService to load the UserDetails for the submitted username.
The UserDetailsService fetches this record from either a:
- database
- internal memory
- other source
The submitted password is then compared with the stored one through the configured PasswordEncoder (matches(rawPassword, storedHash)), never by plain string equality, so the store only ever holds hashes. If the comparison succeeds the principal Authentication object is returned in response; otherwise a BadCredentialsException is thrown.
The UserDetailsService is an interface with a single method, loadUserByUsername(), which throws UsernameNotFoundException when no such user exists.
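The same pipeline in its web form, as an added example that is not part of the original page or of the Spring Security project: the SecurityFilterChain bean decides which filters enter the chain (step 1), a UserDetailsService bean supplies loadUserByUsername() (step 6), and Spring Boot's auto-configuration wraps that bean and the PasswordEncoder bean into a DaoAuthenticationProvider inside the global ProviderManager (steps 3 to 5). It assumes Spring Boot 3 / Spring Security 6 (requestMatchers, lambda-style configuration) and that both classes sit in a package scanned by the application; the users "alice" and "bob", their passwords and the /admin and /whoami paths are constructed sample data.

```java
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Step 1: the filters in the chain are chosen here. httpBasic() adds BasicAuthenticationFilter,
    // formLogin() adds UsernamePasswordAuthenticationFilter, and authorizeHttpRequests() configures
    // the authorization filter that runs after them on the populated SecurityContext.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Step 6: UserDetailsService. UserDetailsService is a functional interface, so a lambda
    // implementing loadUserByUsername() is enough. Boot turns this bean plus the PasswordEncoder
    // bean into a DaoAuthenticationProvider; nothing else is needed for steps 3 to 5.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample users; a real implementation would query a database.
        Map<String, UserDetails> users = Map.of(
            "alice", User.withUsername("alice").password(encoder.encode("alice-pw")).roles("ADMIN").build(),
            "bob",   User.withUsername("bob").password(encoder.encode("bob-pw")).roles("USER").build());
        return username -> {
            UserDetails user = users.get(username);
            if (user == null) {
                // Reaches the client as a generic BadCredentialsException (hidden by default).
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return user;
        };
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // DelegatingPasswordEncoder: stored hashes carry a {bcrypt} prefix, so the
        // algorithm can be upgraded later without rewriting the comparison logic.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}

// Reads the Authentication that the filter chain placed in the SecurityContext.
@RestController
class WhoAmIController {

    @GetMapping("/whoami")
    String whoAmI(Authentication authentication) {
        return authentication.getName() + " " + authentication.getAuthorities();
    }
}
```

With the application running on port 8080, `curl -u alice:alice-pw http://localhost:8080/whoami` goes through BasicAuthenticationFilter and returns the name and ROLE_ADMIN authority; `curl -u bob:bob-pw http://localhost:8080/admin/anything` authenticates but is refused with 403 by the authorization filter, and a wrong password or unknown user gets 401 from the entry point with the same "Bad credentials" failure in both cases.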
Code Examples
Subpages
- Java - Spring - Security (@EnableWebSecurity)
- Java - Spring - Security (Authentication with a Database-backed UserDetailsService)
- Java - Spring - Security (Custom FilterChain, AuthenticationManager, & AuthenticationProvider)
- Java - Spring - Security (HttpSecurity - Cross Site Request Forgery CSRF)
- Java - Spring - Security (JDBC Authentication)
- Java - Spring - Security (Logout)
- Java - Spring - Security (Method Security)
- Java - Spring - Security (OAuth 2.0 & OpenID Connect)
- Java - Spring - Security (Remember Me)
- Java - Spring - Security (Retrieve User Information)
- Java - Spring - Security (Role vs GrantedAuthority)
- Java - Spring - Security (Session)
- Java - Spring - Security (Testing Method Security With Custom UserDetailsService)
- Java - Spring - Security (WebSecurity vs HttpSecurity)
- Java - Spring - Spring Security Expressions
Figures referenced by the sections above:
- spring-security-architecture.jpg
- spring-security-filters.jpeg
- authentication-object-creation.jpeg
- authentication-manager.jpeg
- provider-manager.jpeg
- authentication-provider.jpeg
- dao-authentication-provider.jpeg
- user-details-service.jpeg
- user-details-service-implementations.jpeg
- principal-authentication-object.jpeg