1. Security context XML configuration file
The configuration above uses the Spring Security XML namespace elements, each of which supplies many default security options.
The Spring Security architecture relies heavily on delegates and servlet filters to layer functionality around a web application request. The filters are hooked into the servlet container by declaring a single DelegatingFilterProxy in the web.xml file.
The name springSecurityFilterChain is intentional: the DelegatingFilterProxy looks up a bean with the same name as its filter-name in the Spring WebApplicationContext and delegates every request to it, so a mismatched name fails at startup rather than silently leaving requests unprotected.
With auto-config enabled, the http element in the security configuration file registers 10 servlet filters, which are applied in sequence through a javax.servlet.FilterChain.
Many of these filters can be explicitly included or excluded from the configuration. It is also possible to construct the filter chain from scratch, as a plain FilterChainProxy bean, for maximum flexibility.
The auto-config attribute of the http element is used to enable three authentication related functions in Spring Security 3:
- HTTP basic authentication (the http-basic element)
- HTTP form authentication (the form-login element)
- Logout handling (the logout element)
Authentication
When a user submits a login request (by default a POST to /j_spring_security_check), it is intercepted by the UsernamePasswordAuthenticationFilter. This filter is configured by the <form-login> sub-element of the http element; auto-config adds it automatically.
The UsernamePasswordAuthenticationFilter extracts the username and password from the request, constructs a UsernamePasswordAuthenticationToken (an implementation of Authentication) from them, and delegates to the AuthenticationManager to authenticate it.
The default implementation of AuthenticationManager, ProviderManager, supports one or more AuthenticationProvider implementations and tries them in order. The <authentication-provider> declaration instantiates the default DaoAuthenticationProvider and wires it into the ProviderManager.
The DaoAuthenticationProvider delegates to an implementation of UserDetailsService, such as the in-memory InMemoryDaoImpl (older 3.x releases) or its replacement InMemoryUserDetailsManager, configured by the <user-service> and <user> elements. The UserDetailsService is responsible for loading the UserDetails instance for the submitted username; the provider then compares the submitted password with the stored one and, only on a match, returns a fully populated Authentication carrying the user's authorities.
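A minimal security configuration file that wires together the auto-config functions and the authentication chain described above, as an added example that is not part of the original page. The URL patterns, user names, passwords and authority names are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original page): a minimal Spring Security 3
     namespace configuration. URL patterns, users, passwords and roles are
     assumptions for illustration only. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- auto-config="true" registers the form-login filter
       (UsernamePasswordAuthenticationFilter, POST /j_spring_security_check),
       HTTP basic authentication and logout handling without declaring
       the form-login, http-basic or logout elements explicitly. -->
  <http auto-config="true">
    <!-- Rules are matched in order: most specific first, catch-all last,
         so nothing is left reachable without a role. -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="ROLE_USER" />
  </http>

  <!-- <authentication-provider> creates a DaoAuthenticationProvider and wires
       it into the ProviderManager; <user-service> is the in-memory
       UserDetailsService it loads UserDetails from. Passwords here are
       plaintext for the demo; a real deployment adds a password-encoder
       element under authentication-provider and stores hashes instead. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="alice" password="alice-secret" authorities="ROLE_USER" />
        <user name="admin" password="admin-secret" authorities="ROLE_USER,ROLE_ADMIN" />
      </user-service>
    </authentication-provider>
  </authentication-manager>

</beans:beans>
```

With this file in place, a request for /admin/ by alice is authenticated by the DaoAuthenticationProvider but then denied by the FilterSecurityInterceptor, because her UserDetails carry ROLE_USER only; the same request by admin succeeds.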
Authorization
The final filter in the default security filter chain, FilterSecurityInterceptor, is responsible for deciding whether to grant or deny access to a protected resource. By the time the request reaches this filter, the principal (i.e. the user) has already been authenticated and carries a list of GrantedAuthority objects (typically roles).
The diagram below shows the authorization request flow for the default configuration.
The FilterSecurityInterceptor delegates to an AccessDecisionManager, such as the default AffirmativeBased, whose decide() method grants or denies access. AffirmativeBased reaches its decision by polling its configured AccessDecisionVoter implementations; with the namespace configuration these are a RoleVoter (for ROLE_-prefixed attributes) and an AuthenticatedVoter (for the IS_AUTHENTICATED_* attributes).
Spring Security provides three implementations of AccessDecisionManager which cover the majority of scenarios, and it is always possible to write your own:
- AffirmativeBased - Access is granted as soon as any voter grants it, regardless of how many other voters denied; access is denied only if at least one voter denied and none granted.
- ConsensusBased - The majority of non-abstaining votes governs the decision; a tie is resolved by the allowIfEqualGrantedDeniedDecisions property, which defaults to true (grant).
- UnanimousBased - A single deny from any voter denies access; otherwise access is granted if at least one voter granted.
In all three, the case where every voter abstains (for example an access attribute no configured voter understands) is governed by allowIfAllAbstainDecisions, which defaults to false, i.e. fail closed and deny.
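Replacing the default AffirmativeBased manager with an explicitly configured UnanimousBased one, as an added example that is not part of the original page. It shows the difference the strategy makes for a rule carrying two attributes. The bean id accessDecisionManager, the URL patterns and the user are assumptions for illustration; namespace declarations are the usual ones (security as the default namespace, beans under the beans: prefix).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original page): swapping the namespace's
     default AffirmativeBased AccessDecisionManager for UnanimousBased.
     Bean id, URL patterns and the user are assumptions for illustration. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Without access-decision-manager-ref, <http> builds an AffirmativeBased
       manager over RoleVoter and AuthenticatedVoter. For the /admin/** rule
       below that means a remember-me session holding ROLE_ADMIN is let in:
       RoleVoter grants on ROLE_ADMIN, and one grant is enough, even though
       AuthenticatedVoter denies on IS_AUTHENTICATED_FULLY. -->
  <http auto-config="true" access-decision-manager-ref="accessDecisionManager">
    <!-- With UnanimousBased each attribute is put to the voters separately and
         any deny wins: the principal must hold ROLE_ADMIN (RoleVoter) AND be
         fully authenticated, i.e. neither anonymous nor remember-me
         (AuthenticatedVoter). -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN,IS_AUTHENTICATED_FULLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <remember-me key="example-remember-me-key" />
  </http>

  <beans:bean id="accessDecisionManager"
              class="org.springframework.security.access.vote.UnanimousBased">
    <!-- Spring Security 3.1 and later take the voters as a constructor
         argument; 3.0 used <beans:property name="decisionVoters"> instead. -->
    <beans:constructor-arg>
      <beans:list>
        <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
        <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
      </beans:list>
    </beans:constructor-arg>
    <!-- Fail closed when every voter abstains (e.g. an attribute no voter
         recognises). false is already the default; stating it records the
         intent so a later edit does not flip it unnoticed. -->
    <beans:property name="allowIfAllAbstainDecisions" value="false" />
  </beans:bean>

  <!-- Minimal authentication set-up so the configuration loads on its own. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="admin" password="admin-secret" authorities="ROLE_USER,ROLE_ADMIN" />
      </user-service>
    </authentication-provider>
  </authentication-manager>

</beans:beans>
```

The practical check: log in as admin, tick remember-me, restart the browser so only the remember-me cookie is presented, and request /admin/. Under the default AffirmativeBased manager the page is served; with the UnanimousBased bean above the request is denied and the user is sent back through the login form, which is the behaviour usually wanted for administrative URLs.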