Spring Security

Spring Security provides a simple configuration for some default out-the-box setup to secure an application.
1. Security context XML configuration file
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/ spring-security-3.0.xsd">
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user authorities="ROLE_USER" name="guest" password="guest"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>


The above configuration uses the Spring Security XML namespace elements that specifies many default security options.

The Spring Security architecture relies heavily on the use of delegates and servlet filters to provide layers of functionality around the context of a web application request. These are instantiated through declaring the DelegatingFilterProxy within the web.xml file.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filterclass>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The name springSecurityFilterChain is intentional as the DelegatingFilterProxy will look for a bean in the Spring WebApplicationContext of the same name.

The automatic configuration of the http element in the security configuration file automatically configures 10 servlet filters, which are applied in sequence through the use of a javax.servlet.FilterChain.

filter namedescription
SecurityContextPersistenceFilter Loads and stores the SecurityContext from the SecurityContextRepository. The SecurityContext represents the user's secured, authenticated session.
LogoutFilterChecks a request for the virtual URL specified as the logout URL (by default, /j_spring_security_logout), and logs the user out if there is a match.
UsernamePasswordAuthenticationFilterChecks a request for the virtual URL used for form-based authentication with username and password (by default, /j_spring_security_check), and attempts to authenticate the user if there is a match.
DefaultLoginPageGeneratingFilterChecks a request for the virtual URL used for form-based or OpenID-based authentication (by default, /spring_security_login) and generates HTML used to render a functional login form.
BasicAuthenticationFilterChecks a request for the HTTP basic authentication headers and processes them.
RequestCacheAwareFilterUsed after a successful login to reconstitute the user's original request that was intercepted by an authentication request.
SecurityContextHolderAwareRequestFilterWraps the HttpServletRequest with a subclass (SecurityContextHolderAwareRequestWrapper) that extends HttpServletRequestWrapper. This provides additional context to request processors further down the filter chain.
AnonymousAuthenticationFilterIf the user hasn't already been authenticated by the time this filter is called, an authentication token is associated with the request indicating that the user is anonymous.
SessionManagementFilterHandles session tracking based on authenticated principals, helping to ensure that all sessions associated with a single principal are tracked.
ExceptionTranslationFilterHandles default routing and delegation of expected exceptions that occur during processing of a secured request.
FilterSecurityInterceptorIt facilitates determination of authorization and access control decisions, delegating decisions on authorization to an AccessDecisionManager.

Many of the above filters can be explicitly included or excluded from the configuration. It is also possible to construct the filter chain from scratch to provide maximum flexibility.

The auto-config attribute of the http element is used to configure three authentication related functions in Spring Security 3:
  • HTTP basic authentication
  • HTTP form authentication
  • Logout 
In previous releases of Spring Security, the auto-config attribute provided a lot more configuration.

Authentication 

When a user submits a login request, it is intercepted by the UsernamePasswordAuthenticationFilter. This filter can be configured by the <form-login> sub-element of the http element but using auto-config will automatically add it.
The UsernamePasswordAuthenticationFilter extracts the username and password from the request and constructs an UsernamePasswordAuthenticationToken implementation of Authentication. It then delegates to an AuthenticationManager to perform the authentication.
The default implementation of AuthenticationManager supports configuration of one or more AuthenticationProvider implementations. The </authentication-provider> declaration will instantiate the default DaoAuthenticationProvider implementation and wire it to the AuthenticationManager.
The DaoAuthenticationProvider delegates to an implementation of UserDetailsService such as the default InMemoryDaoImpl or InMemoryUserDetailsManager configured by the <user-service> and <user> elements. The UserDetailsService is responsible for returning a UserDetails instance.




Authorization

The final filter in the default security filter chain, FilterSecurityInterceptor, is responsible for deciding whether to grant or deny access to a protected resource. By the time the request reaches this filter, the principle (i.e user) has already been authenticated and possesses a list of GrantedAuthority (or roles).
The diagram below shows the authorization request flow for the default configuration.
As authorization is a binary decision, the filter asks an implementation of AccessDecisionManager such as the default AffirmativeBased to decide() whether to grant or deny access. The AffirmativeBased implementation provides an authorization decision based on AccessDecisionVoter implementations.

Spring Security provides three implementations of AccessDecisionManager which cover majority of scenarios and it is always possible to write your own.
  • AffirmativeBased - If any voter grants access, access is immediately granted regardless of previous denials.
  • ConsensusBased - The majority vote governs the decision.
  • UnanimousBased - All voters must grant access, otherwise access is denied.


2 comments: