Security - Ga-3tan/AMT_Project GitHub Wiki

Spring Security class diagram

Here is an overview of how Spring Security works in the project:

Security and authentication were a very important part of our project, and we implemented them using Spring Security. The diagram shows the main classes and their interactions.

Components:

Authentication Manager: The main job of this component is to delegate the authenticate() call to the correct AuthenticationProvider. (It is defined inside WebSecurityConfig.)

Custom Authentication Provider: An implementation of the AuthenticationProvider interface. An AuthenticationProvider has an authenticate method which takes an Authentication object and performs authentication on it. If authentication fails, it throws an AuthenticationException.

Custom Authentication Success Handler: On successful authentication, its onAuthenticationSuccess method is called.

JwtRequestFilter: A Filter in the FilterChain which is responsible for verifying that the authenticated user's JWT token is valid and has not expired. This filter is an implementation of OncePerRequestFilter and is executed once per HTTP request.

JwtUtils: A utility class that handles and checks the JWT token.
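As an added illustration of the JwtRequestFilter and JwtUtils roles described above (example code, not the project's own), here is a OncePerRequestFilter that authenticates a request only when it carries a Bearer JWT whose signature verifies and whose expiry has not passed. It assumes the jjwt library (Jwts.parserBuilder), Spring Boot 2-era javax.servlet imports, a "role" claim, and a signing key loaded from an environment variable.

```java
import java.io.IOException;
import java.security.Key;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Runs once per request; authenticates it only if it carries a valid, unexpired JWT. */
public class JwtRequestFilter extends OncePerRequestFilter {
    // HMAC signing key; assumed to be loaded from an environment variable, never hard-coded
    private final Key signingKey;

    public JwtRequestFilter(Key signingKey) {
        this.signingKey = signingKey;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        // Only "Bearer <token>" is accepted; anything else leaves the request anonymous so the
        // endpoint rules in WebSecurityConfig decide whether to reject it.
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            String token = header.substring(7);
            try {
                // parseClaimsJws checks the signature and throws ExpiredJwtException once "exp" has passed
                Claims claims = Jwts.parserBuilder().setSigningKey(signingKey).build()
                        .parseClaimsJws(token).getBody();
                String role = claims.get("role", String.class); // claim name is an assumption
                var auth = new UsernamePasswordAuthenticationToken(
                        claims.getSubject(), null, List.of(new SimpleGrantedAuthority(role)));
                SecurityContextHolder.getContext().setAuthentication(auth);
            } catch (JwtException | IllegalArgumentException e) {
                // Bad signature, expired or malformed token: stay anonymous; log the cause, never the token
                logger.debug("Rejected JWT: " + e.getClass().getSimpleName());
            }
        }
        chain.doFilter(request, response);
    }
}
```

A missing "role" claim makes SimpleGrantedAuthority throw IllegalArgumentException, which the catch block treats like any other invalid token.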

LeaftConfig: A configuration class for the Thymeleaf Spring Security extras, which makes authentication-related methods usable inside views.

WebSecurityConfig: The heart of Spring Security, where everything is managed. It takes care of defining the rules for our HTTP endpoints, defining the Authentication Manager and Authentication Provider, and registering the Filter in the FilterChain.

Security of secrets

In our project, all the secrets relating to the configuration of S3 and of the authentication microservice are placed in the system environment variables or in the environment variables of our IDE (IntelliJ), so none of them are stored in the source code.