Spring-security

Spring Security Internal Flow

Spring Security is a powerful framework that provides authentication, authorization, and other security features for Java applications, particularly web applications. This post walks through the internal flow of a Spring Security configuration and how its components behave on each request.

Overview of the Internal Flow

The internal flow of Spring Security involves several components that work together to manage security concerns such as authentication and authorization.


Spring Security Filters

A series of Spring filters intercepts each request and works together to decide whether authentication is required. If it is, the user is sent to the login page; otherwise the details stored during the initial authentication are reused.

Common Security Filters in the Chain:

  • SecurityContextPersistenceFilter: Restores the SecurityContext (the authentication state of the user) for the current session.
  • UsernamePasswordAuthenticationFilter: Handles form-based login requests.
  • BasicAuthenticationFilter: Handles HTTP Basic authentication.
  • BearerTokenAuthenticationFilter: Handles Bearer token authentication.
  • ExceptionTranslationFilter: Handles exceptions thrown by other filters, such as access denied or authentication failure.
  • FilterSecurityInterceptor: Performs authorization checks based on URL patterns, method security, or any other security configuration.
  • LogoutFilter: Handles logouts.
  • DefaultLoginPageGeneratingFilter: Generates a default login page if a custom login page is not provided.
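The configuration below is an added example, not code from the original post: a minimal Spring Security 6 `SecurityFilterChain` bean that wires up the filters listed above (form login, HTTP Basic, logout, URL authorization) and inserts one custom filter ahead of `UsernamePasswordAuthenticationFilter`. The package name, the URL patterns and the `RequestAuditFilter` class are assumptions for illustration. One caveat when mapping this to the list above: in Spring Security 6, `authorizeHttpRequests` installs `AuthorizationFilter` (the successor of `FilterSecurityInterceptor`), and `SecurityContextHolderFilter` has replaced `SecurityContextPersistenceFilter` as the default.

```java
// Added example (not from the original post): a minimal Spring Security 6
// configuration wiring the filter chain described above. The package name,
// URL patterns and the custom audit filter are assumptions for illustration.
package com.example.security;   // hypothetical package

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class FilterChainConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // AuthorizationFilter (successor of FilterSecurityInterceptor): URL-based rules.
            // Rules are matched in order, so the specific permitAll() precedes anyRequest().
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**", "/login").permitAll()
                .anyRequest().authenticated())
            // UsernamePasswordAuthenticationFilter + DefaultLoginPageGeneratingFilter
            .formLogin(Customizer.withDefaults())
            // BasicAuthenticationFilter
            .httpBasic(Customizer.withDefaults())
            // LogoutFilter: invalidates the session and clears the SecurityContext
            .logout(logout -> logout.logoutUrl("/logout"))
            // Custom filter placed before the form-login filter in the chain
            .addFilterBefore(new RequestAuditFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    /** Hypothetical audit filter: records method and path once per request. */
    static class RequestAuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain chain)
                throws ServletException, IOException {
            // Record only non-sensitive request metadata; never log credentials or tokens.
            System.out.println("AUDIT " + request.getMethod() + " " + request.getRequestURI());
            chain.doFilter(request, response); // hand off to the next filter in the chain
        }
    }
}
```

Because the rules in `authorizeHttpRequests` are evaluated top to bottom, a broad `permitAll()` placed before `anyRequest().authenticated()` would silently open every path it matches; keep the permissive matchers narrow and list them first.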

Authentication

Filters like UsernamePasswordAuthenticationFilter extract the username and password from the HTTP request and build an Authentication object, because Authentication is the standard way of holding authenticated user details inside the Spring Security framework.

AuthenticationManager

Once it receives the request from the filter, it delegates validation of the user details to the available authentication providers. Since there can be multiple providers inside an app, it is the responsibility of the AuthenticationManager to manage all of them. In simple words, the authentication manager takes responsibility for authentication.

AuthenticationProvider

AuthenticationProviders hold the core logic for validating user details during authentication.

UserDetailsService

UserDetailsService helps in retrieving, creating, updating and deleting user details from the database or other storage systems.

PasswordEncoder

Service interface that helps in encoding and hashing passwords; otherwise we would have to live with plain-text passwords.

SecurityContext

Once the request has been authenticated, the Authentication will usually be stored in a thread-local SecurityContext managed by the SecurityContextHolder. This helps during the upcoming requests from the user.
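As an added example (not part of the original post), the service below reads the current Authentication from the thread-local SecurityContext and shows the edge case the thread-local design creates: a worker thread started from a request does not see the context unless it is copied across, and a pooled thread must be cleared afterwards so it does not keep carrying another user's identity. The package, class and method names are assumptions.

```java
// Added example (not from the original post): reading the current Authentication
// from the thread-local SecurityContext, and propagating it to a worker thread.
// Package, class and method names are assumptions for illustration.
package com.example.security;   // hypothetical package

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class CurrentUserService {

    /** Returns the authenticated user's name, or null when nobody is logged in. */
    public String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Three cases mean "not logged in": an empty context, the anonymous token
        // that AnonymousAuthenticationFilter installs for guests, or an
        // Authentication that was never marked authenticated.
        if (auth == null || auth instanceof AnonymousAuthenticationToken || !auth.isAuthenticated()) {
            return null;
        }
        return auth.getName();
    }

    /**
     * The context is thread-local, so a new thread starts with an empty one.
     * Copy the caller's context in explicitly and always clear it afterwards,
     * otherwise a pooled thread could run later work as the wrong user.
     */
    public Thread runAsCurrentUser(Runnable task) {
        SecurityContext context = SecurityContextHolder.getContext(); // captured on the request thread
        Thread worker = new Thread(() -> {
            SecurityContextHolder.setContext(context);
            try {
                task.run();
            } finally {
                SecurityContextHolder.clearContext(); // never leave identity behind on the thread
            }
        });
        worker.start();
        return worker;
    }
}
```

Spring Security ships `DelegatingSecurityContextRunnable` and `DelegatingSecurityContextExecutor` for exactly this propagation; the manual version above is spelled out to make the thread-local boundary visible.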


RkdigitalSchool