[Draft] Training Spring Security - vinhtbkit/bkit-kb GitHub Wiki
Preface
- Prerequisites:
  - Mastering the concepts of authentication, authorization, and OAuth2.
  - Spring Security requires a Java 8 or higher Runtime Environment.
  - This documentation uses Spring Security version 6.2.0.
- Goals
  - The architecture of Spring Security.
  - Details of the classes and interfaces used in Spring Security.
  - Protection Against Exploits.
  - Spring Security has two sections dedicated to servlet and reactive applications.
Getting Spring Security
- This link describes how to obtain the Spring Security binaries.
Servlet Applications
Architecture within Servlet based applications.
Filters
If you want to understand these concepts clearly, my suggestion is to set up a default Spring Security configuration and then set breakpoints in the `doFilter` methods of the `DelegatingFilterProxy` and `FilterChainProxy` classes.
1. DelegatingFilterProxy
2. FilterChainProxy
3. SecurityFilterChain
4. Handling Security Exceptions
5. Adding a Custom Filter to the Filter Chain
Quizzes
- With the default configuration of Spring Security, which filter is responsible for executing the authentication task?
- How do you register a `SecurityFilterChain` in Spring Boot? When registering a `SecurityFilterChain`, which class is responsible for the registration: `FilterChainProxy` or `DelegatingFilterProxy`?
- Can you register multiple `SecurityFilterChain`s?
- Suppose I have two `SecurityFilterChain`s with configurations as follows:
  - If a URL of /api/messages/ is requested, which `SecurityFilterChain` is used? Does the remaining `SecurityFilterChain` execute? Explain why it does or does not execute.
References
- https://docs.spring.io/spring-security/reference/servlet/architecture.html
- https://reflectoring.io/spring-security/
- https://www.baeldung.com/spring-security-custom-filter
- https://medium.com/@rameez.s.shaikh/spring-boot-3-spring-security-6-in-depth-understanding-927bb5e826ee
- https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/filter/DelegatingFilterProxy.html (OPTIONAL)
Authentication
Authentication Mechanisms
Some mechanisms supported by Spring Security.
1. Username and Password
2. OAuth 2.0 Login
3. SAML 2.0 Login (OPTIONAL)
Authentication Architecture
This architecture is composed of various authentication filters (`BasicAuthenticationFilter`, `BearerAuthenticationFilter`, `AbstractAuthenticationProcessingFilter`). Some filters may alter or perform additional tasks, but you can envision the basic authentication architecture in Spring Security like this:
1. Authentication Filter
   - How some authentication filters work, such as `BasicAuthenticationFilter`, `BearerAuthenticationFilter`, `AbstractAuthenticationProcessingFilter`, or any other authentication filter.
   - Authentication interfaces
     - `AuthenticationManager`
     - `ProviderManager`
     - Research some `AuthenticationProvider`s like `DaoAuthenticationProvider`, `JwtAuthenticationProvider`, or any other authentication provider that implements `AuthenticationProvider`.
     - `SecurityContext`
     - How to handle authentication success.
     - How to handle authentication failure.
     - `AuthenticationEntryPoint`
2. Authentication Events
Quizzes
References
- https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html
- https://reflectoring.io/spring-security/
- https://medium.com/@rameez.s.shaikh/spring-boot-3-spring-security-6-in-depth-understanding-927bb5e826ee
- https://howtodoinjava.com/spring-security/spring-security-tutorial/