Overview about request processing in Spring Security

To be able to make authentication and authorization for the requests to the web application, Spring Security must act as an interceptor of these applications. It will intercept and process the requests before those requests are actually processed by the application and return results. In this tutorial, we will find out that before processing the request by application, what does Spring Security do!

First, for you to easily imagine, I will create a new Spring MVC application that supports Spring Security as an example:

Overview about request processing in Spring Security

with Spring Security dependencies as follows:

The security.xml file has the following content:

This security file defines the user “khanh” with the role ROLE_USER to have access to the application with the context path “/”.

Of course, you must also configure the web.xml file to add the Spring Security configuration file.

The first thing I want to say about the request handling process in Spring Security is that we have to talk about the DelegatingFilterProxy class declared in the web.xml file of the application. This is the Java Servlet’s javax.servlet.Filter interface, which acts as an interceptor, filtering all requests to Java web applications. This class is implemented to be managed by the Spring container.

If you have worked with the Java Servlet Filter, you will know that the doFilter() method in this javax.servlet.Filter interface will help us to add code to handle the interceptor, the DelegatingFilterProxy class also uses the doFilter() method to do this.

If you look at the code of the DelegatingFilterProxy class, you will see, actually in the doFilter() method of the DelegatingFilterProxy class, it does nothing. It only delegates filtering through another class, org.springframework.security.web.FilterChainProxy. The FilterChainProxy class also implements the javax.servlet.Filter interface with the doFilter() method. Specifically, what does the FilterChainProxy class do in doFilter() method, similar to the tutorial in Overview about request processing in Spring MVC, I will also modify the application project’s log4j.xml file to log out all the information that Spring Security performs when it authenticates and authorizes!

I will change the level of the loggers for the Spring framework from info to debug in the “3rdparty Loggers” section and root logger the priority from warn to debug. I also declared a logger for the org.springframework.security package of Spring Security.

At this time, the content of log4j.xml file will be as follows:

Now, if you run the application and request to http://localhost:8080, check the console, you will see the following log lines:

Looking at the above log lines, you can see, with our config in the security.xml file, when calling the request to the home page of the application, there are 15 Filter classes called by the FilterChainProxy class to Spring Security can carry out its responsibilities. Each filter has its own functions and tasks, and if you look at the code of the UsernamePasswordAuthenticationFilter class, you will see that this class is responsible for handling authentication in Spring Security. It has a method attemptAuthentication() that calls the authenticate() method of the AuthenticationManager interface to do this.

Overview about request processing in Spring Security

In addition to the AuthenticationManager interface, the common implementation of this interface is the ProviderManager class. The ProviderManager class will call a list of AuthenticationProvider to check support of these AuthenticationProvider and perform authentication.

Overview about request processing in Spring Security

For more details about authentication, please read the code!



To see how authorization works, try clearing the strack trace of the IDE and logging in with the username “Khanh” and the password “123456”.

You’ll see the following log lines:

If you look closely at the logs above, you will see the text “Authorization successful” and the AffirmativeBased class is the class that implements this authorization!

The AffirmativeBased class implements the AccessDecisionManager interface, this is the main interface for authorization in Spring Security!

AccessDecisionManager inteface has 3 implementations and the implementation that we often use is the AffirmativeBased class.

Overview about request processing in Spring Security

If you look at the code of the AffirmativeBased class, you will see in the decide() method of this class, it is looping a list of AccessDecisionVoter to determine whether the user has the right to see the resource they are requesting or not?

Overview about request processing in Spring Security

Read more code, guys! 🙂

Chia sẽ bài viết này ...Share on Facebook
Facebook
0Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin

Add Comment