Skip to content

401-16.md

Latest commit

 

History

History
71 lines (46 loc) · 2.76 KB

401-16.md

File metadata and controls

71 lines (46 loc) · 2.76 KB
layout page
title 401.16 Reading Notes
permalink /401-R16/

Spring Authentication

(Cheat Sheet by Michelle Ferreirae)

Ahuthentication

  • Authentication (or "access control") is a process to verify the identity of a particular user.

    • In Spring, the primary imported code blocks used are AuthenticationManager:
public interface AuthenticationManager {

  Authentication authenticate(Authentication authentication)
    throws AuthenticationException;
}

and an implemented ProviderManager and a series of AuthenticationProvider instances:

public interface AuthenticationProvider {

	Authentication authenticate(Authentication authentication)
		throws AuthenticationException;

	boolean supports(Class<?> authentication);
}

ProviderManagers can have children which in turn have their own respective AuthenticationProviders.

  • The AuthenticationManagerBuilder class is used for quickly setting up authentication features, and uses the @Autowired annotation to build AuthenticationManagers.

Authorization

  • As opposed to authentication, Authorization is the degree of access or modification privilages a given user has. Similarly to the Authentication hierarchy, an AccessDecisionManager may handle multiple instances of AccessDecisionVoter

Servlet Filters

  • Client requests to the application go through multiple filters first (determined by container) before the appropriate servlet. Filters are @Beans that have systems of prioritizing their order (by the DEFAULT_ORDER property).

    • As the filters within Spring's auth system are not accessible to the container, added filters must be FilterRegistrationBeans or else not be made @Beans.

  • Spring Security functions as a single filter in this sequence (as FilterChainProxy) but has several layers of sub-filters in alternate alternate chains internally.

    • By default, there are 11 filters in the FilterChainProxy to cover common routes (like /error or /images/**) as well as a wildcard route (/**) for other cases.

Request Matching

  • Filter chains have request matchers that determine which set of filters will apply (at the exclusion of others). Within a chain, HttpSecurity further controls authorization.

Method Access

  • Spring Security can also further control resource access within a code base (@EnableGlobalMethodSecurity(securedEnables = true)) by annotating particular methods. The following example is from the Spring guide on authorization:
@Service
public class MyService {

  @Secured("ROLE_USER")
  public String secure() {
    return "Hello Security";
  }

}