1. Security context XML configuration file
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/ spring-security-3.0.xsd"> <http auto-config="true"> <intercept-url pattern="/*" access="ROLE_USER"/> </http> <authentication-manager alias="authenticationManager"> <authentication-provider> <user-service> <user authorities="ROLE_USER" name="guest" password="guest"/> </user-service> </authentication-provider> </authentication-manager> </beans:beans>
The above configuration uses the Spring Security XML namespace elements that specifies many default security options.
The Spring Security architecture relies heavily on the use of delegates and servlet filters to provide layers of functionality around the context of a web application request. These are instantiated through declaring the DelegatingFilterProxy within the web.xml file.
<filter> <filter-name>springSecurityFilterChain</filter-name> <filterclass> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
The automatic configuration of the http element in the security configuration file automatically configures 10 servlet filters, which are applied in sequence through the use of a javax.servlet.FilterChain.
| filter name | description |
|---|---|
| SecurityContextPersistenceFilter | Loads and stores the SecurityContext from the SecurityContextRepository. The SecurityContext represents the user's secured, authenticated session. |
| LogoutFilter | Checks a request for the virtual URL specified as the logout URL (by default, /j_spring_security_logout), and logs the user out if there is a match. |
| UsernamePasswordAuthenticationFilter | Checks a request for the virtual URL used for form-based authentication with username and password (by default, /j_spring_security_check), and attempts to authenticate the user if there is a match. |
| DefaultLoginPageGeneratingFilter | Checks a request for the virtual URL used for form-based or OpenID-based authentication (by default, /spring_security_login) and generates HTML used to render a functional login form. |
| BasicAuthenticationFilter | Checks a request for the HTTP basic authentication headers and processes them. |
| RequestCacheAwareFilter | Used after a successful login to reconstitute the user's original request that was intercepted by an authentication request. |
| SecurityContextHolderAwareRequestFilter | Wraps the HttpServletRequest with a subclass (SecurityContextHolderAwareRequestWrapper) that extends HttpServletRequestWrapper. This provides additional context to request processors further down the filter chain. |
| AnonymousAuthenticationFilter | If the user hasn't already been authenticated by the time this filter is called, an authentication token is associated with the request indicating that the user is anonymous. |
| SessionManagementFilter | Handles session tracking based on authenticated principals, helping to ensure that all sessions associated with a single principal are tracked. |
| ExceptionTranslationFilter | Handles default routing and delegation of expected exceptions that occur during processing of a secured request. |
| FilterSecurityInterceptor | It facilitates determination of authorization and access control decisions, delegating decisions on authorization to an AccessDecisionManager. |
Many of the above filters can be explicitly included or excluded from the configuration. It is also possible to construct the filter chain from scratch to provide maximum flexibility.
The auto-config attribute of the http element is used to configure three authentication related functions in Spring Security 3:
- HTTP basic authentication
- HTTP form authentication
- Logout
Authentication
When a user submits a login request, it is intercepted by the UsernamePasswordAuthenticationFilter. This filter can be configured by the <form-login> sub-element of the http element but using auto-config will automatically add it.The UsernamePasswordAuthenticationFilter extracts the username and password from the request and constructs an UsernamePasswordAuthenticationToken implementation of Authentication. It then delegates to an AuthenticationManager to perform the authentication.
The default implementation of AuthenticationManager supports configuration of one or more AuthenticationProvider implementations. The </authentication-provider> declaration will instantiate the default DaoAuthenticationProvider implementation and wire it to the AuthenticationManager.
The DaoAuthenticationProvider delegates to an implementation of UserDetailsService such as the default InMemoryDaoImpl or InMemoryUserDetailsManager configured by the <user-service> and <user> elements. The UserDetailsService is responsible for returning a UserDetails instance.
Authorization
The final filter in the default security filter chain, FilterSecurityInterceptor, is responsible for deciding whether to grant or deny access to a protected resource. By the time the request reaches this filter, the principle (i.e user) has already been authenticated and possesses a list of GrantedAuthority (or roles).The diagram below shows the authorization request flow for the default configuration.
Spring Security provides three implementations of AccessDecisionManager which cover majority of scenarios and it is always possible to write your own.
- AffirmativeBased - If any voter grants access, access is immediately granted regardless of previous denials.
- ConsensusBased - The majority vote governs the decision.
- UnanimousBased - All voters must grant access, otherwise access is denied.
All filters information is not provided.
ReplyDeleteAll filters information is not provided.
ReplyDelete