[Draft] Training Spring Security - vinhtbkit/bkit-kb GitHub Wiki

Preface

  • Prerequisites:
    • A working understanding of authentication, authorization, and OAuth 2.0.
    • Spring Security 6 requires a Java 17 or higher runtime.
    • This documentation uses Spring Security version 6.2.0.
  • Goals:
    • The architecture of Spring Security
    • Details of the classes and interfaces used in Spring Security
    • Protection against exploits
  • The Spring Security reference is split into two parts, one for Servlet applications and one for Reactive (WebFlux) applications; this training covers the Servlet stack.

Getting Spring security

  • The "Getting Spring Security" section of the reference documentation describes how to obtain the Spring Security binaries (build coordinates for Maven and Gradle, with or without Spring Boot).

Servlet Applications

Architecture of Spring Security within Servlet-based applications.

(figure: multi-securityfilterchain)

Filters

If you want to understand these concepts clearly, set up an application with the default Spring Security configuration and put breakpoints in the doFilter methods of DelegatingFilterProxy and FilterChainProxy, then step through a request. You will see the Servlet container call DelegatingFilterProxy, which delegates to the FilterChainProxy bean, which in turn selects one SecurityFilterChain and runs its filters.

1. DelegatingFilterProxy

2. FilterChainProxy

3. SecurityFilterChain

4. Handling Security Exceptions

5. Adding a Custom Filter to the Filter Chain
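The five items above are the moving parts of the Servlet architecture. The Spring Boot configuration below is an added example written for this training; it is not code from this wiki or from the Spring Security project. It registers a SecurityFilterChain bean, inserts a hypothetical TenantHeaderFilter into the chain ahead of UsernamePasswordAuthenticationFilter, and wires an AuthenticationEntryPoint through exceptionHandling() so that unauthenticated requests to protected URLs get a 401 instead of a redirect. The class names, the X-Tenant header and the path patterns are assumptions made for the example.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class FilterChainConfig {

    /**
     * Hypothetical custom filter (assumption for this example): rejects requests whose
     * "X-Tenant" header has an unexpected shape before authentication runs at all.
     * It is deliberately NOT a @Component: Spring Boot auto-registers every Filter bean
     * with the servlet container, so a bean would run twice (once outside the security
     * chain, once inside it).
     */
    static final class TenantHeaderFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            String tenant = request.getHeader("X-Tenant");
            if (tenant != null && !tenant.matches("[a-z0-9-]{1,32}")) {
                // Stop here: do not call filterChain.doFilter, so no later filter or
                // controller sees the request.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid tenant header");
                return;
            }
            filterChain.doFilter(request, response);
        }
    }

    /**
     * The SecurityFilterChain bean. Spring Security's WebSecurityConfiguration collects all
     * such beans into the FilterChainProxy (bean name "springSecurityFilterChain"), and Spring
     * Boot registers a DelegatingFilterProxy with the servlet container that delegates to it.
     */
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Position the custom filter relative to a filter already in the chain.
            .addFilterBefore(new TenantHeaderFilter(), UsernamePasswordAuthenticationFilter.class)
            // ExceptionTranslationFilter catches AuthenticationException / AccessDeniedException
            // thrown further down the chain; for an anonymous caller it invokes this entry point.
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
        return http.build();
    }
}
```

With this in a Spring Boot 3 application, a request with `X-Tenant: BAD!` gets a 400 from TenantHeaderFilter before any authentication filter runs, and an unauthenticated request to a protected path gets a 401 from the entry point rather than a login-page redirect. Where a filter should run in the chain matters: the example places it before authentication because it only validates request shape; a filter that needs the authenticated principal would have to go after the authentication filters (for example with addFilterAfter).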

Quizzes

  • With the default configuration of Spring Security, which filter is responsible for executing the authentication task?
  • How do you register a SecurityFilterChain in Spring Boot? Once registered, which class picks it up and invokes it: FilterChainProxy or DelegatingFilterProxy?
  • Can you register multiple SecurityFilterChains?
  • Suppose you have two SecurityFilterChains configured as follows:

(figure: multi-securityfilterchain)

  • If /api/messages/ is requested, which SecurityFilterChain is used? Does the other SecurityFilterChain run as well? Explain why or why not.

References

Authentication

Authentication Mechanisms

Some of the mechanisms supported by Spring Security:

1. Username and Password

2. OAuth 2.0 Login

3. SAML 2.0 Login (OPTIONAL)

Authentication Architecture

This architecture is built from various authentication filters (BasicAuthenticationFilter, BearerTokenAuthenticationFilter, subclasses of AbstractAuthenticationProcessingFilter). Individual filters alter or add steps, but the basic flow is the same: the filter extracts credentials from the request into an unauthenticated Authentication object, passes it to an AuthenticationManager, and on success stores the returned Authentication in the SecurityContextHolder so that the rest of the chain and the application can see it; on failure it clears the SecurityContextHolder and invokes an AuthenticationFailureHandler or AuthenticationEntryPoint.

1. Authentication Filter

  • How authentication filters such as BasicAuthenticationFilter, BearerTokenAuthenticationFilter, AbstractAuthenticationProcessingFilter, or any other authentication filter work.
  • Authentication interfaces
  • AuthenticationManager
  • ProviderManager
  • Research some AuthenticationProviders such as DaoAuthenticationProvider, JwtAuthenticationProvider, or any other class implementing AuthenticationProvider.
  • SecurityContext
  • How to handle authentication success.
  • How to handle authentication failure.
  • AuthenticationEntryPoint

2. Authentication Events

Quizzes

References