I’ve been using Spring Security for several years but it’s only in the last couple of weeks that I really needed to dive into the internals of how security worked. So I broke open a few books and dived in. Here is what I found.
This post isn’t meant to go over every part in detail but to cover broadly how everything is connected and what the workflow of Spring Security looks like.
Spring Security hooks into the servlet filters through entries in web.xml that hand specific requests over to it.
Here is the minimal Spring Security setup XML:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <sec:http auto-config="true" use-expressions="true">
        <sec:intercept-url pattern="/userpage" access="hasRole('ROLE_USER')" />
        <sec:intercept-url pattern="/blocked" access="hasRole('ROLE_NO_ONE_HAS')" />
        <sec:intercept-url pattern="/adminpage" access="hasRole('ROLE_ADMIN')" />
        <sec:intercept-url pattern="/hello" access="hasRole('ROLE_USER')" />
        <sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </sec:http>
    <!-- in-memory user store; the passwords here are stored in plaintext -->
    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user authorities="ROLE_ADMIN" name="brian" password="password" />
                <sec:user authorities="ROLE_USER" name="holly" password="password" />
                <sec:user authorities="ROLE_USER" name="jacob" password="password" />
                <sec:user authorities="ROLE_USER" name="katie" password="password" />
                <sec:user authorities="ROLE_USER" name="gavin" password="password" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>
This enables the servlet container to pass every request through the default springSecurityFilterChain. That default filter chain handles all requests and figures out what to do with each one. Here is the default filter chain, in order:
SecurityContextPersistenceFilter: This filter checks whether a SecurityContext is stored in the session and, if it is, retrieves it for the rest of the filters. If there is none, it creates one and passes it along.
LogoutFilter: The next filter checks whether the request is for /j_spring_security_logout. If it is, it handles the logout through the default logout handler; if it is not a logout request, it passes the request on to the next filter.
UsernamePasswordAuthenticationFilter: This filter checks for the URL /j_spring_security_check. If it matches, it looks for the j_username and j_password parameters and attempts to authenticate them through the AuthenticationManager.
DefaultLoginPageGeneratingFilter: If the request is for /spring_security_login it returns a default login form page; otherwise it passes to the next filter.
BasicAuthenticationFilter: This filter looks for an HTTP Basic authentication header and, if one is found, attempts to process the login; otherwise it passes the request to the next filter.
RequestCacheAwareFilter: This filter checks whether there is a previously saved request URL and, if so, resumes the request to that URL. If not, it passes to the next filter.
SecurityContextHolderAwareRequestFilter: This just wraps the request in a SecurityContextHolderAwareRequestWrapper and passes it to the next filter.
AnonymousAuthenticationFilter: This checks whether there is an active Authentication object; if there is none, it adds an anonymous Authentication object and passes the request on.
SessionManagementFilter: Applies any session management as configured. This protects against session fixation attacks and can also restrict the number of sessions one user may have open at a time.
ExceptionTranslationFilter: This filter passes the request on to the next filter. When the FilterSecurityInterceptor returns, it checks for exceptions and redirects as needed.
FilterSecurityInterceptor: This is where the security is applied. The request is matched against the list of configured URL patterns. On a match it checks the Authentication object for the required authorities and either throws an AccessDeniedException or allows the request to complete, based on the response from the AccessDecisionManager.
The AccessDecisionManager is in charge of deciding whether an Authentication object is allowed to access a resource. It delegates to the AccessDecisionVoter objects, which compare the granted authorities in the Authentication object with the security configuration.
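To make the last two steps concrete, here is an added Java example (not from the post, and not Spring's own code) that drives the same AccessDecisionManager and voter that FilterSecurityInterceptor delegates to, using tokens shaped like the ones the earlier filters produce. It assumes Spring Security 3.2 or later on the classpath and uses a RoleVoter on plain ROLE_ attributes; the use-expressions="true" config above actually registers a WebExpressionVoter for the hasRole(...) expressions, but the outcome for these users is the same.

```java
import java.util.*;
import org.springframework.security.access.*;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class AccessDecisionDemo {

    // AffirmativeBased grants if any voter grants and denies if none does;
    // RoleVoter only votes on ConfigAttributes that start with "ROLE_".
    private static AffirmativeBased newManager() {
        List<AccessDecisionVoter<?>> voters = new ArrayList<AccessDecisionVoter<?>>();
        voters.add(new RoleVoter());
        return new AffirmativeBased(voters);
    }

    // Mirrors what FilterSecurityInterceptor does for one matched intercept-url:
    // call decide() with that entry's attributes; an exception means "denied".
    static String decide(Authentication auth, String url, String requiredRole) {
        Collection<ConfigAttribute> attrs = SecurityConfig.createList(requiredRole);
        try {
            // The real chain passes a FilterInvocation as the secured object;
            // RoleVoter ignores it, so the URL string stands in for it here.
            newManager().decide(auth, url, attrs);
            return "ALLOW";
        } catch (AccessDeniedException denied) {
            // ExceptionTranslationFilter's branch on the way back out: anonymous
            // callers go to the login entry point, authenticated ones get 403.
            boolean anonymous = new AuthenticationTrustResolverImpl().isAnonymous(auth);
            return anonymous ? "REDIRECT_TO_LOGIN" : "FORBIDDEN_403";
        }
    }

    public static void main(String[] args) {
        // Constructed tokens shaped like the ones the filters above produce.
        Authentication holly = new UsernamePasswordAuthenticationToken(
            "holly", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication nobody = new AnonymousAuthenticationToken(
            "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        System.out.println("holly   /userpage  -> " + decide(holly, "/userpage", "ROLE_USER"));
        System.out.println("holly   /adminpage -> " + decide(holly, "/adminpage", "ROLE_ADMIN"));
        System.out.println("anon    /hello     -> " + decide(nobody, "/hello", "ROLE_USER"));
    }
}
```

The ALLOW / FORBIDDEN_403 / REDIRECT_TO_LOGIN split is the same one the real chain produces: the interceptor only ever throws, and it is ExceptionTranslationFilter that turns that into a 403 or a trip to the login page.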