Thursday, August 9, 2018

How does Spring Security Work?

In this post you will learn what Spring Security is and how it works. Spring Security is a web authentication and authorization framework for Java Servlet web applications and REST services, and part of the Spring Framework. At startup it installs a chain of servlet filters in front of the application's own filters and servlets. Each filter has a specific purpose, and the separation of concerns is quite elaborate. Apache Shiro, another popular authentication and authorization framework, offers a simpler model.
In a typical HTTP request flow, the request reaches the server and the "persistence" filter checks whether it already holds a security context for that request. Where would it keep it? Typically in the HTTP session, but there is also a Redis option in ifnu/spring-security-redis, which may by now be included in the main framework.

Creating another "persistence" filter implementation that, instead of going to the HTTP session (possibly backed by Redis), uses a different store is tricky business, and we dropped the HBase attempt because, besides technical impediments, there were many SEC bugs (fixed security issues) scattered in that code, so it was clearly a security risk.

To clarify, persisting the security context is the job of one filter, SecurityContextPersistenceFilter; the session side is handled by a separate component, HttpSessionSecurityContextRepository, which by default uses the servlet HttpSession. Spring Session - HttpSession (Quick Start) describes other Spring Session implementations besides the HttpSession, namely one backed by Redis, while the default persistence filter implementation uses Spring Session. In retrospect it seems wise that we should have tried to override not the persistence filter but the session one. Other filters include SessionManagementFilter and RequestCacheFilter.
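To make the split between the persistence filter and the place the context is stored concrete, here is an added Java model (not Spring's code and not part of the original post; the class and method names are simplified stand-ins for SecurityContextPersistenceFilter, SecurityContextHolder and SecurityContextRepository): the filter loads the context for the session, exposes it in a thread-local holder while the rest of the chain runs, saves whatever the chain left there, and clears the holder. Swapping the store, for Redis or anything else, means replacing the repository, not the filter.

```java
import java.util.*;
import java.util.function.Consumer;
// Self-contained model of how the persistence filter hands a per-session security context
// to the rest of the chain. Names mirror Spring Security's but are simplified stand-ins.
public class PersistenceFilterDemo {
    static final class SecurityContext {
        final String principal; // null = not authenticated
        SecurityContext(String principal) { this.principal = principal; }
        boolean isAuthenticated() { return principal != null; }
    }
    static final ThreadLocal<SecurityContext> HOLDER = new ThreadLocal<>(); // SecurityContextHolder
    // Where the context lives between requests (Spring's default: the HttpSession). A Redis- or
    // database-backed store implements this same contract, so the filter itself never changes.
    interface SecurityContextRepository {
        SecurityContext load(String sessionId);
        void save(String sessionId, SecurityContext ctx);
    }
    static final class InMemorySessionRepository implements SecurityContextRepository {
        private final Map<String, SecurityContext> sessions = new HashMap<>();
        public SecurityContext load(String id) {
            return sessions.getOrDefault(id, new SecurityContext(null));
        }
        public void save(String id, SecurityContext ctx) { sessions.put(id, ctx); }
    }
    // Models SecurityContextPersistenceFilter: load, expose, run the rest of the chain,
    // save whatever the chain left in the holder, and always clear the holder.
    static void persistenceFilter(SecurityContextRepository repo, String sessionId,
                                  List<Consumer<String>> restOfChain) {
        HOLDER.set(repo.load(sessionId));
        try {
            for (Consumer<String> filter : restOfChain) filter.accept(sessionId);
        } finally {
            repo.save(sessionId, HOLDER.get());
            HOLDER.remove(); // a pooled thread must not carry a context into the next request
        }
    }
    public static void main(String[] args) {
        SecurityContextRepository repo = new InMemorySessionRepository();
        // Request 1 arrives unauthenticated; a downstream login filter authenticates it.
        persistenceFilter(repo, "sess-1", List.<Consumer<String>>of(
            id -> System.out.println("before login: " + HOLDER.get().isAuthenticated()),
            id -> HOLDER.set(new SecurityContext("alice")),
            id -> System.out.println("after login: " + HOLDER.get().principal)));
        // Request 2 on the same session: the context comes back from the repository.
        persistenceFilter(repo, "sess-1", List.<Consumer<String>>of(
            id -> System.out.println("next request: " + HOLDER.get().principal)));
        System.out.println("holder after chain: " + HOLDER.get()); // null: cleared
    }
}
```

A request carrying a different session id would load a fresh, unauthenticated context, which is what keeps one user's context from leaking into another's request.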



Once the security context is retrieved, it can be in one of several states, such as unauthenticated or authenticated. The authentication framework tries one or more authentication providers in turn. Authorization happens at the endpoint (web) level as well as at the method level (via AOP).

To enable Spring Security in your application you declare in web.xml a delegating filter that hands each request to the Spring-managed filter chain, like so:

<filter>
    <filter-name>securityFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <!-- targetClass is not a DelegatingFilterProxy property and is silently ignored;
         targetBeanName is what selects the bean to delegate to -->
    <init-param>
        <param-name>targetClass</param-name>
        <param-value>org.springframework.security.web.FilterChainProxy</param-value>
    </init-param>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>filterChainProxy</param-value>
    </init-param>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Here DelegatingFilterProxy hands every request to the Spring Security filters listed in the "filterChainProxy" bean (defined in spring-security.xml). That bean consists of several security filters, applied in the order in which they are declared in the Spring application context.

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
  <sec:filter-chain-map path-type="ant">
    <!-- static resources bypass the chain entirely -->
    <sec:filter-chain pattern="/images/*" filters="none"/>
    <!-- each name in filters= is the id of a Filter bean in this context; order matters -->
    <sec:filter-chain pattern="/**" filters="SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, DefaultLoginPageGeneratingFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, FilterSecurityInterceptor, customFilter1, customFilter2" />
  </sec:filter-chain-map>
</bean>

