Spring Authentication

(Cheat Sheet by Michelle Ferreirae)

Ahuthentication

• Authentication (or “access control”) is a process to verify the identity of a particular user.

  • In Spring, the primary imported code blocks used are AuthenticationManager:

public interface AuthenticationManager {

  Authentication authenticate(Authentication authentication)
    throws AuthenticationException;
}

and an implemented ProviderManager and a series of AuthenticationProvider instances:

public interface AuthenticationProvider {

	Authentication authenticate(Authentication authentication)
		throws AuthenticationException;

	boolean supports(Class<?> authentication);
}

ProviderManagers can have children which in turn have their own respective AuthenticationProviders.

• The AuthenticationManagerBuilder class is used for quickly setting up authentication features, and uses the @Autowired annotation to build AuthenticationManagers.

Authorization

• As opposed to authentication, Authorization is the degree of access or modification privilages a given user has. Similarly to the Authentication hierarchy, an AccessDecisionManager may handle multiple instances of AccessDecisionVoter

Servlet Filters

• Client requests to the application go through multiple filters first (determined by container) before the appropriate servlet. Filters are @Beans that have systems of prioritizing their order (by the DEFAULT_ORDER property).
  • As the filters within Spring’s auth system are not accessible to the container, added filters must be FilterRegistrationBeans or else not be made @Beans.
• Spring Security functions as a single filter in this sequence (as FilterChainProxy) but has several layers of sub-filters in alternate alternate chains internally.
  • By default, there are 11 filters in the FilterChainProxy to cover common routes (like /error or /images/**) as well as a wildcard route (/**) for other cases.

Request Matching

• Filter chains have request matchers that determine which set of filters will apply (at the exclusion of others). Within a chain, HttpSecurity further controls authorization.

Method Access

• Spring Security can also further control resource access within a code base (@EnableGlobalMethodSecurity(securedEnables = true)) by annotating particular methods. The following example is from the Spring guide on authorization:

@Service
public class MyService {

  @Secured("ROLE_USER")
  public String secure() {
    return "Hello Security";
  }

}