
Architecture Deep Dive in Spring Security: Joe Grandja @joe_grandja

Spring Security provides authentication, authorization, and exception handling. Authentication verifies users through username and password. Authorization uses roles to control access permissions. When access is denied or authentication is required, exception handlers trigger the appropriate response like starting the login process.


Architecture Deep Dive in Spring Security

Joe Grandja
@joe_grandja
github.com/jgrandja
3 Key Areas in Security

• Authentication

• Authorization

• Exception Handling

@spring_io
#springio17
User Database

Username             Password   Authorities
joe@example.com      password   ROLE_USER
rob@example.com      password   ROLE_USER
admin@example.com    password   ROLE_USER, ROLE_ADMIN

DEMO

AUTHENTICATION

Authentication Filter

Authentication

Authentication (“Authentication Request”)
  Principal: joe@example.com
  Credentials: password
  Authorities: ——
  Authenticated: FALSE

Authentication (“Authenticated Principal”)
  Principal: UserDetails
  Credentials: ——
  Authorities: ROLE_USER
  Authenticated: TRUE

public interface Authentication extends Principal, Serializable {

    Object getPrincipal();

    Object getCredentials();

    Collection<? extends GrantedAuthority> getAuthorities();

    . . .

}

UserDetails / Service

public interface UserDetailsService {

    UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException;

}

Authentication (“Authenticated Principal”)
  Principal: UserDetails
  Credentials: ——
  Authorities: ROLE_USER
  Authenticated: TRUE

public interface UserDetails extends Serializable {

    String getUsername();

    String getPassword();

    Collection<? extends GrantedAuthority> getAuthorities();

    . . .

}

Security Context

public interface SecurityContext extends Serializable {

    Authentication getAuthentication();

    void setAuthentication(Authentication authentication);

}

SecurityContextHolder.getContext().setAuthentication(authenticated);

Authentication Recap

• Authentication Filter creates an “Authentication Request” and passes it to the Authentication Manager

• Authentication Manager delegates to the Authentication Provider

• Authentication Provider uses a UserDetailsService to load the UserDetails and returns an “Authenticated Principal”

• Authentication Filter sets the Authentication in the SecurityContext
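The four recap steps, run outside a servlet container with the real Spring Security collaborators (ProviderManager as the Authentication Manager, DaoAuthenticationProvider as the Authentication Provider, InMemoryUserDetailsManager as the UserDetailsService). This is an added example, not code from the talk or from the messaging-sample repository; the class name AuthenticationFlowExample is mine, it assumes spring-security-core and spring-security-crypto on the classpath, and it stores the demo table's passwords BCrypt-hashed rather than in clear, which is the only change from the slide's user database.

```java
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example (hypothetical class name); walks the Authentication Recap steps.
public class AuthenticationFlowExample {

    public static void main(String[] args) {
        // The user database from the slides, as a UserDetailsService. Passwords are
        // BCrypt-hashed here; the provider compares submitted credentials through the encoder.
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("joe@example.com").password(encoder.encode("password")).roles("USER").build(),
                User.withUsername("rob@example.com").password(encoder.encode("password")).roles("USER").build(),
                User.withUsername("admin@example.com").password(encoder.encode("password")).roles("USER", "ADMIN").build());

        // Authentication Provider: loads UserDetails via the UserDetailsService and checks the password.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        // Authentication Manager: ProviderManager only delegates to its providers.
        AuthenticationManager manager =
                new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));

        // Step 1: what the Authentication Filter builds from the request, an unauthenticated
        // "Authentication Request" carrying principal and credentials but no authorities.
        Authentication request = new UsernamePasswordAuthenticationToken("joe@example.com", "password");
        System.out.println("request authenticated? " + request.isAuthenticated());

        try {
            // Steps 2 and 3: manager -> provider -> UserDetailsService -> "Authenticated Principal".
            Authentication result = manager.authenticate(request);
            System.out.println("principal   : " + ((UserDetails) result.getPrincipal()).getUsername());
            // ProviderManager erases the credentials from the result after success, so the
            // password does not linger in the SecurityContext.
            System.out.println("credentials : " + result.getCredentials());
            System.out.println("authorities : " + result.getAuthorities());
            System.out.println("authenticated? " + result.isAuthenticated());

            // Step 4: the Authentication Filter stores the result in the SecurityContext.
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException ex) {
            System.out.println("authentication failed: " + ex.getClass().getSimpleName());
        }

        // A wrong password never reaches the SecurityContext: the provider throws instead.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("joe@example.com", "wrong"));
        } catch (BadCredentialsException ex) {
            System.out.println("wrong password rejected with " + ex.getClass().getSimpleName());
        }

        // Clear the thread-bound context when done, as the filter chain does at request end.
        SecurityContextHolder.clearContext();
    }
}
```

The point to watch in the failure branch is that DaoAuthenticationProvider reports an unknown user and a wrong password with the same BadCredentialsException (it hides UsernameNotFoundException by default), so a caller cannot tell the two apart from the exception type alone.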

AUTHORIZATION

Filter Security Interceptor

Authentication
  Principal: UserDetails
  Credentials: ——
  Authorities: ROLE_USER
  Authenticated: TRUE

Request URI: /messages/inbox

Security Metadata
  Request Pattern: /messages/**
  Config Attributes: ROLE_USER

Access Decision

Authentication
  Principal: UserDetails
  Credentials: ——
  Authorities: ROLE_USER
  Authenticated: TRUE

Security Metadata
  Request Pattern: /messages/**
  Config Attributes: ROLE_USER

Request URI: /messages/inbox

Authorization Recap

• FilterSecurityInterceptor obtains the “Security Metadata” by matching on the current request

• FilterSecurityInterceptor gets the current Authentication

• The Authentication, Security Metadata and Request are passed to the AccessDecisionManager

• The AccessDecisionManager delegates to its AccessDecisionVoter(s) for decisioning
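The authorization steps as a small stand-alone decision, using the AccessDecisionManager and RoleVoter classes the talk refers to (later Spring Security versions replace these with AuthorizationManager, but they are the ones the slides describe). This is an added example, not the talk's or the framework's own code; the class name AccessDecisionExample, the lookupAttributes and isAllowed helpers, and the use of Spring's AntPathMatcher on a plain URI string in place of FilterSecurityInterceptor's request matching are my assumptions. The metadata table holds both rules from the slides, so it goes slightly beyond the single /messages/** case and also shows the /admin/** denial.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.util.AntPathMatcher;

// Added example (hypothetical class name); mirrors the Authorization Recap steps.
public class AccessDecisionExample {

    // "Security Metadata": request pattern -> config attributes, kept in declaration
    // order because the first matching pattern wins, so the narrower /admin/** rule
    // must be listed before any broader pattern that would also match it.
    private static final Map<String, Collection<ConfigAttribute>> SECURITY_METADATA = new LinkedHashMap<>();
    static {
        SECURITY_METADATA.put("/admin/**", SecurityConfig.createList("ROLE_ADMIN"));
        SECURITY_METADATA.put("/messages/**", SecurityConfig.createList("ROLE_USER"));
    }

    private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();

    // AffirmativeBased grants access as soon as one voter returns ACCESS_GRANTED;
    // RoleVoter compares ROLE_-prefixed attributes against the principal's authorities.
    private static final AccessDecisionManager DECISION_MANAGER =
            new AffirmativeBased(Collections.<AccessDecisionVoter<?>>singletonList(new RoleVoter()));

    // Step 1: obtain the Security Metadata by matching on the current request URI.
    static Collection<ConfigAttribute> lookupAttributes(String requestUri) {
        for (Map.Entry<String, Collection<ConfigAttribute>> entry : SECURITY_METADATA.entrySet()) {
            if (PATH_MATCHER.match(entry.getKey(), requestUri)) {
                return entry.getValue();
            }
        }
        return Collections.emptyList();
    }

    // Steps 2 to 4: hand the Authentication, metadata and request to the AccessDecisionManager,
    // which delegates to its voters. decide() throws AccessDeniedException on a negative outcome.
    static boolean isAllowed(Authentication authentication, String requestUri) {
        Collection<ConfigAttribute> attributes = lookupAttributes(requestUri);
        if (attributes.isEmpty()) {
            // Fail closed: a URI with no matching rule is denied rather than left open
            // (in the real interceptor this is governed by rejectPublicInvocations).
            return false;
        }
        try {
            DECISION_MANAGER.decide(authentication, requestUri, attributes);
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // TestingAuthenticationToken stands in for the already-authenticated principal that
        // the Authentication Filter placed in the SecurityContext.
        Authentication joe = new TestingAuthenticationToken("joe@example.com", null, "ROLE_USER");
        Authentication admin = new TestingAuthenticationToken("admin@example.com", null, "ROLE_USER", "ROLE_ADMIN");

        System.out.println("joe   -> /messages/inbox : " + isAllowed(joe, "/messages/inbox"));
        System.out.println("joe   -> /admin/messages : " + isAllowed(joe, "/admin/messages"));
        System.out.println("admin -> /admin/messages : " + isAllowed(admin, "/admin/messages"));
        System.out.println("joe   -> /unmapped       : " + isAllowed(joe, "/unmapped"));
    }
}
```

The unmatched-URI branch is the one worth checking in any real configuration: whether a request that matches no pattern is denied or allowed is a configuration decision, and getting it wrong silently exposes every endpoint the rules forgot to name.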

EXCEPTION HANDLING

Access Denied

Authentication
  Principal: UserDetails
  Credentials: ——
  Authorities: ROLE_USER
  Authenticated: TRUE

Request URI: /admin/messages

Security Metadata
  Request Pattern: /admin/**
  Config Attributes: ROLE_ADMIN

Access Denied Handler

public interface AccessDeniedHandler {

    void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException accessDeniedException) throws IOException, ServletException;

}


“Unauthenticated”

Authentication
  Principal: anonymousUser

Request URI: /messages/inbox

Security Metadata
  Request Pattern: /messages/**
  Config Attributes: ROLE_USER

Start Authentication

WWW-Authenticate: Basic realm=spring

public interface AuthenticationEntryPoint {

    void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException;

}

Exception Handling Recap

• When access is denied for the current Authentication, the ExceptionTranslationFilter delegates to the AccessDeniedHandler, which by default returns a 403 Status.

• When the current Authentication is "Anonymous", the ExceptionTranslationFilter delegates to the AuthenticationEntryPoint to start the Authentication process.
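The two recap branches written out as the decision ExceptionTranslationFilter makes when the FilterSecurityInterceptor throws AccessDeniedException: anonymous principal, so start authentication; authenticated principal without the authority, so 403. This is an added illustration, not the filter's own source; the class name ExceptionTranslationExample and the handleAccessDenied method are mine, the javax.servlet imports assume Spring Security 5 (Spring Security 6 uses jakarta.servlet), and the wired-in handlers are the framework's stock BasicAuthenticationEntryPoint (which sends the WWW-Authenticate header from the Start Authentication slide) and AccessDeniedHandlerImpl (which sends 403).

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

// Added illustration (hypothetical class name) of the ExceptionTranslationFilter branch.
public class ExceptionTranslationExample {

    // Decides whether an Authentication is the anonymous placeholder (anonymousUser).
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    // Start-authentication side: replies 401 with WWW-Authenticate: Basic realm="spring".
    private final AuthenticationEntryPoint entryPoint;

    // Access-denied side: default implementation sends a 403 status.
    private final AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();

    public ExceptionTranslationExample() throws Exception {
        BasicAuthenticationEntryPoint basic = new BasicAuthenticationEntryPoint();
        basic.setRealmName("spring");
        basic.afterPropertiesSet(); // fails fast if no realm name was configured
        this.entryPoint = basic;
    }

    // Called where the filter catches the AccessDeniedException raised by the
    // FilterSecurityInterceptor further down the chain.
    public void handleAccessDenied(HttpServletRequest request, HttpServletResponse response,
                                   AccessDeniedException denied) throws IOException, ServletException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();

        if (current == null || trustResolver.isAnonymous(current)) {
            // "Unauthenticated": nobody has logged in, so a 403 would be misleading.
            // Drop the anonymous context and ask the entry point to start authentication.
            SecurityContextHolder.clearContext();
            entryPoint.commence(request, response,
                    new InsufficientAuthenticationException(
                            "Full authentication is required to access this resource", denied));
        } else {
            // A real principal simply lacks the required authority: 403 Forbidden.
            accessDeniedHandler.handle(request, response, denied);
        }
    }
}
```

The real filter treats a remember-me authentication the same way as an anonymous one (it re-prompts rather than returning 403), which this condensed version leaves out; the shape of the decision is otherwise the same, and it is why an anonymous request to /messages/inbox produces a login challenge while joe@example.com requesting /admin/messages gets a 403.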

Summary

Authentication

Authorization

Exception Handling

Spring Security Filter Chain

Q&A

github.com/jgrandja/messaging-sample

