# Spring Security - vinhtbkit/bkit-kb GitHub Wiki
## Understanding Filters

### Filter
- The intermediate layer between client requests and the servlet (or `Controller`)
- Separates business logic from other concerns (converting, encoding, security)

### ApplicationFilterChain
- Contains a list of filters
- Requests are passed through each filter, one by one

### SecurityFilterChain
- A special type of filter, registered within `ApplicationFilterChain`
- Handles authentication
- There can be multiple `SecurityFilterChain`s in the same application, each handling security for different URL patterns

### AuthenticationManager
- Authenticates an authentication request and returns an `Authentication` if the authentication is valid
- Throws an `AuthenticationException` if the credentials are invalid
- Returns `null` if it can't decide
- Most common implementation: `ProviderManager`

### AuthenticationProvider
- Decides whether the type of `Authentication` is supported
- Performs the authentication
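A custom `AuthenticationProvider` that shows the two responsibilities above (`supports` decides, `authenticate` performs), as an added example rather than the wiki's own code. The class name and the wired `UserDetailsService`/`PasswordEncoder` are assumptions, and `UsernamePasswordAuthenticationToken.authenticated(...)` requires Spring Security 5.7 or newer:

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical provider that only handles username/password tokens (assumption:
// the application wires a UserDetailsService and a PasswordEncoder, e.g. BCrypt).
public class PasswordAuthenticationProvider implements AuthenticationProvider {

    private final UserDetailsService users;
    private final PasswordEncoder encoder;

    public PasswordAuthenticationProvider(UserDetailsService users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    // Decide whether this Authentication type is supported; ProviderManager skips
    // providers that return false here.
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    // Perform the authentication: throw an AuthenticationException on bad
    // credentials, return a fully authenticated token on success.
    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        UserDetails user;
        try {
            user = users.loadUserByUsername(request.getName());
        } catch (UsernameNotFoundException e) {
            // Same failure for unknown user and wrong password: no account enumeration.
            throw new BadCredentialsException("Bad credentials");
        }
        Object raw = request.getCredentials();
        if (!(raw instanceof String) || !encoder.matches((String) raw, user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Credentials are dropped (null) so the password never lives in the SecurityContext.
        return UsernamePasswordAuthenticationToken.authenticated(user, null, user.getAuthorities());
    }
}
```

Register it as a bean or pass it to `new ProviderManager(List.of(provider))`; `ProviderManager` consults each provider whose `supports` returns true and throws `ProviderNotFoundException` when none does.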
## Understanding SecurityContext

### Context management
- Just like the Application Context manages beans, etc., the `SecurityContext` manages security information
- Valid for the current thread

### SecurityContextHolder
- A convenient helper to manage the `SecurityContext` for the current thread

### AuthenticationPrincipal
- `@AuthenticationPrincipal` is an annotation used to resolve `Authentication.getPrincipal()`
## Common Authentication process overview
## Authorization Server

### What it does
- Manages clients: id, secret, endpoints, expiry, scopes, grant types...
- Manages and issues tokens
- Provides authentication / authorization endpoints
- Manages users
- Example setup: https://docs.spring.io/spring-authorization-server/docs/1.0.0-SNAPSHOT/reference/html/getting-started.html

### Keycloak
- For a quick and easy setup
- Can separate user domains with `realm`s
- Supports OIDC / SAML protocols
## Authorization

Under construction...
## Debugging tips

- Turn on DEBUG/TRACE log level to understand which filters were called
- Debug into `FilterChainProxy`'s `doFilter` method
- Pay attention to CORS or CSRF issues
- When having authorization issues, look for `AccessDecisionManager` subclasses
- Beware of using the legacy spring-security-oauth2: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide