Spring Security - vinhtbkit/bkit-kb GitHub Wiki

Understanding Filters

Filter

  • The intermediate layer between a client request and the servlet (or Controller)
  • Separates business logic from other concerns (conversion, encoding, security)

ApplicationFilterChain

  • Contains a list of filters
  • Each request passes through the filters one by one

SecurityFilterChain

  • A special type of filter, registered within the ApplicationFilterChain
  • Handles authentication
  • There can be multiple SecurityFilterChains in the same application, each handling security for a different URL pattern

AuthenticationManager

  • Authenticates an authentication request and returns an Authentication if the credentials are valid
  • Throws an AuthenticationException if the credentials are invalid
  • Returns null if it cannot decide
  • Most common implementation: ProviderManager

AuthenticationProvider

  • Decides whether the type of Authentication is supported
  • Performs the authentication
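The following is an added example, not code from the wiki or from Spring itself. It wires the pieces above in a Spring Security 6 / Spring Boot 3 application: a custom AuthenticationProvider (supports() is consulted by ProviderManager before authenticate(), which either returns an authenticated token or throws), and two SecurityFilterChain beans ordered so that the first only handles /api/** and the second takes everything else. The class names, the URL patterns and the demo user "alice" are assumptions made for the illustration.

```java
// Added example (not from the wiki page): custom AuthenticationProvider plus two
// SecurityFilterChains for different URL patterns. Names and the demo user are assumed.
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class FilterChainExample {

    // AuthenticationProvider contract: ProviderManager calls supports() first and only
    // then authenticate(), which returns an authenticated token or throws.
    record InMemoryUserProvider(PasswordEncoder encoder,
                                Map<String, String> encodedPasswords) // username -> encoded password
            implements AuthenticationProvider {

        @Override
        public Authentication authenticate(Authentication request) throws AuthenticationException {
            String stored = encodedPasswords.get(request.getName());
            String presented = String.valueOf(request.getCredentials());
            // Same exception for unknown user and wrong password, so the response does not
            // reveal which usernames exist.
            if (stored == null || !encoder.matches(presented, stored)) {
                throw new BadCredentialsException("Bad credentials");
            }
            // Credentials are dropped from the returned token; only principal + authorities remain.
            return UsernamePasswordAuthenticationToken.authenticated(
                    request.getName(), null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }

        @Override
        public boolean supports(Class<?> authentication) {
            // Only username/password tokens; ProviderManager skips this provider otherwise.
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    AuthenticationProvider inMemoryUserProvider(PasswordEncoder encoder) {
        // Constructed demo user; a real provider would read from a user store.
        return new InMemoryUserProvider(encoder, Map.of("alice", encoder.encode("s3cret")));
    }

    // Chain 1: only requests matching /api/**, stateless, HTTP Basic.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http, AuthenticationProvider provider) throws Exception {
        http
            .securityMatcher("/api/**")
            .authenticationProvider(provider)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Chain 2: every other request; FilterChainProxy only consults it when chain 1 did not match.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

A plain servlet filter of your own (for example a subclass of OncePerRequestFilter) is inserted into a chain with addFilterBefore(...) or addFilterAfter(...) on the same HttpSecurity builder; the @Order values matter because the first chain whose securityMatcher matches the request is the only one that runs.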

Understanding SecurityContext

Context management

  • Just like the ApplicationContext, which manages beans etc., the SecurityContext manages security information
  • Valid for the current thread

SecurityContextHolder

  • A convenient helper for managing the SecurityContext of the current thread

AuthenticationPrincipal

  • @AuthenticationPrincipal is an annotation used to resolve Authentication.getPrincipal()
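An added example, not part of the wiki page, showing the three points above in one controller: reading the context through SecurityContextHolder, getting the same principal through @AuthenticationPrincipal, and what "valid for the current thread" means in practice, since a worker thread sees an empty context unless the caller's context is copied over with Spring Security's DelegatingSecurityContextCallable. The controller name and the /me paths are assumptions.

```java
// Added example (not from the wiki page): SecurityContextHolder, @AuthenticationPrincipal
// and context propagation to another thread. Class and path names are illustrative.
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.springframework.security.concurrent.DelegatingSecurityContextCallable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    private final ExecutorService pool = Executors.newFixedThreadPool(2);

    // 1. Explicit lookup through the holder (a ThreadLocal by default).
    @GetMapping("/me/raw")
    public Map<String, String> raw() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return Map.of("name", auth.getName(), "authorities", auth.getAuthorities().toString());
    }

    // 2. Same information via @AuthenticationPrincipal: resolves Authentication.getPrincipal()
    //    and casts it to the parameter type; the parameter is null if the principal is not
    //    a UserDetails (e.g. a JWT principal), so guard against that.
    @GetMapping("/me")
    public Map<String, String> me(@AuthenticationPrincipal UserDetails user) {
        if (user == null) {
            return Map.of("error", "principal is not a UserDetails");
        }
        return Map.of("name", user.getUsername(), "authorities", user.getAuthorities().toString());
    }

    // 3. The context is per-thread: the same Callable submitted bare sees no Authentication,
    //    while the DelegatingSecurityContextCallable wrapper copies the request thread's
    //    context into the worker for the duration of the call and restores it afterwards.
    @GetMapping("/me/async")
    public Map<String, String> async() throws Exception {
        Callable<String> readName = () -> {
            Authentication a = SecurityContextHolder.getContext().getAuthentication();
            return a == null ? "<no context on worker thread>" : a.getName();
        };
        Future<String> bare = pool.submit(readName);
        Future<String> wrapped = pool.submit(new DelegatingSecurityContextCallable<>(readName));
        return Map.of("bare", bare.get(), "wrapped", wrapped.get());
    }
}
```

The alternative to wrapping each task is SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL), which lets child threads inherit the context at creation time; that does not help with a pooled executor whose threads were created long before the request, which is why the wrapper approach is shown here.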

Common Authentication process overview

Authorization Server

What it does

Keycloak

  • For a quick and easy setup
  • Can separate user domains with realms
  • Supports the OIDC / SAML protocols
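As an added example (not from the wiki page or from the Keycloak project), here is how a Spring Security 6 application would accept OIDC access tokens from exactly one Keycloak realm: the realm's issuer URL is the only trust anchor, so tokens minted by a different realm fail the issuer check even when they come from the same Keycloak server. The issuer URL and realm name are placeholders; the layout of the realm_access.roles claim is Keycloak's default and is assumed here.

```java
// Added example (not from the wiki page): validate JWTs from one Keycloak realm and map
// realm roles to Spring authorities. Issuer URL and realm name are placeholders.
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class KeycloakResourceServerConfig {

    // One realm == one issuer. A token from another realm carries a different "iss"
    // claim and is rejected by the decoder's issuer validation.
    private static final String ISSUER = "https://keycloak.example.invalid/realms/demo"; // placeholder

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the realm's OIDC discovery document, fetches its JWKS, and validates
        // signature, expiry and issuer on every token.
        return JwtDecoders.fromIssuerLocation(ISSUER);
    }

    // Keycloak's default access token puts realm roles in realm_access.roles (assumed layout);
    // map them to ROLE_* authorities so hasRole(...) works. Missing claim => no authorities.
    static Collection<GrantedAuthority> realmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection<?> roles)) {
            return List.of();
        }
        return roles.stream()
                .<GrantedAuthority>map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                .collect(Collectors.toList());
    }

    @Bean
    SecurityFilterChain resourceServer(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(KeycloakResourceServerConfig::realmRoles);
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

Keeping the issuer URL per realm (rather than a shared server-wide value) is what makes the realm an actual trust boundary on the application side; if the same application must serve several realms, each one needs its own JwtDecoder and, typically, its own SecurityFilterChain.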

Authorization

Under construction...

Debugging tips

  1. Turn on the DEBUG/TRACE log level to understand which filters were called
  2. Debug into FilterChainProxy's doFilter method.
  3. Pay attention to CORS or CSRF issues
  4. When having authorization issues, look for AccessDecisionManager subclasses.
  5. Beware of using the legacy spring-security-oauth2: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
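The configuration below is an added example, not from the wiki page, that puts tips 1 and 3 into code for a Spring Security 6 application: @EnableWebSecurity(debug = true) prints the filters of the matched chain for every request (the same information as TRACE logging), and CORS and CSRF are configured explicitly so that a preflight or a missing token fails in a recognisable way instead of looking like an authentication failure. The allowed origin and the /api/** path are placeholders.

```java
// Added example (not from the wiki page): debug output for the filter chain plus explicit
// CORS and CSRF settings. Origin and paths are placeholders.
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
// debug = true logs, for each request, the list of filters in the chain that matched it.
// The logging equivalent is logging.level.org.springframework.security=TRACE in
// application.properties. Development only: the output is verbose and includes request details.
@EnableWebSecurity(debug = true)
public class DebugSecurityConfig {

    // Explicit CORS source. A browser preflight (OPTIONS) carries no credentials, so without
    // CORS handling in front of authentication it is rejected with 401/403 and the symptom
    // looks like a login problem rather than a CORS one.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.invalid")); // placeholder; never "*" with credentials
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        cfg.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }

    @Bean
    SecurityFilterChain chain(HttpSecurity http) throws Exception {
        http
            .cors(Customizer.withDefaults()) // uses the CorsConfigurationSource bean above
            // CSRF protection stays enabled; the token is exposed in the XSRF-TOKEN cookie so a
            // JavaScript client can echo it back in X-XSRF-TOKEN. A 403 on POST/PUT/DELETE with
            // no token is a CSRF failure, not an authorization one.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

When reading the debug output, compare the printed filter list against the request that failed: if CorsFilter or CsrfFilter appears before the authentication filters, a rejection at that point is a CORS or CSRF issue (tip 3); if the request gets past them and is still denied, the decision was made later in the chain, which is where tip 4 applies.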

References