Spring Security – How does it really work?

I’ve been using Spring Security for several years but it’s only in the last couple of weeks that I really needed to dive into the internals of how security worked. So I broke open a few books and dived in. Here is what I found.

This post isn’t meant to go over every part in detail but to cover the broad how everything is connected and the work flow of the Spring Security.

Spring security links into the the servlet filters with the entries in the web.xml to redirect specific calls like this.

Here is the minimal Spring Security setup xml

This enabled Spring Servlet to handle all requests with the default springSecurityFilterChain. The Spring default filter chain is what handles all requests and figures out what to do. Here is the default filter chain ..

SecurityContextPersistenceFilter: This filter checked to see if the Security context is in the session and if it is it retrieves it for the rest of the filters. If it is not then it create one and passes it along.

LogoutFilter: The next filter checks to see if the request if for /j_spring_security_logout. If it is then it handles the logout through the default logout handler. If it is not a logout request it passes the request on to the next filter.

UsernamePasswordAuthenticationFilter: The Username password filter checks for the url /j_spring_security_check if it is it would try to look for j_username and j_password and attempt to authenticate them through the AuthenticationManager.

DefaultLoginPageGeneratingFilter: If the request is for /spring_security_login it will return a default login form page other wise it will pass to the next filter.

BasicAuthenticationFilter: This filter looks for basic authentication headers and if found attempts to process the login other wise passes the request to the next filter.

RequestCacheAwareFilter: The request cache aware filter will check to see if there was a previous request url and then sends the request to that url.  If not passes to the next filter.

SecurityContextHolderAwareRequestFilter:  This just wraps the request with a SecurityContextHolderAwareRquestWrapper and passes the request to the next filter.

AnonymousAuthenticationFilter:  This checks to see if there is a active authentication object if not this adds an anonymous authentication object and passes the request on.

SessionManagementFilter: Applies any session management filters as needed.   This protects against Session Fixation attacks and will also restrict the numbers of sessions that one user can have open at a time as configured.

ExceptionTranslationFilter: This filter passes the request on to the next filter.  Upon the return from the filterSecurityInterceptor it will check for exceptions and redirect as needed.

FilterSecurityInterceptor:  This is where the security is applied.  The requests are sent through a list of configured URL’s and checked for matches.  Upon a match it will check the authentication object for authorities as needed and either send a Access Denied Exception or allow the access to complete bases on the response from the AccessDecisionManager.

The AccessDecisionManager is in charge of deciding if a authentication object is allowed or not to access a resource.  The AccessDecisionManager delegates to the AccessDecisionVoter objects witch compares the granted authorities in the authentication object with the security configuration.


Java Developer/Architect
CEO: 713-531-2056
Treasurer: JavaMUG.org
Advisor: 4407133175



Just encountered an exception with Oracle JDBC issue ‘Stream has already been closed’ error. I checked the internet and didn’t find much about this error except that it has do to with the Oracle LONG column. If you notice below
I was selecting from select * from all_tab_cols     where table_name = ?     order by column_id which has a long column in the middle of the table. I removed the select for that column and the problem went away. However, since I actually need that column I played around with the positioning and putting the long column as the last column did the trick.

I hope that this can help someone else out sometime.

Java Developer/Architect
CEO: PremierCodeInc.com
Treasurer: JavaMUG.org
Advisor: 7137092362

Scheduling Threads with Spring v3.x Annotations

In the old days we used to have to create a class that implements runnable and start a thread that runs a class to implement threading in Java. However with Spring all that is made much easier.

Here is some example of how to get started using Spring Annotations to use scheduled and asynchronous threads. The examples below are built for Spring Framework v3.0 and have been tested up through v3.2.4.

Spring gives you the ability to control when the threads fire. You can call a method that will kick off a thread immediately with the @asyc annotation to you can schedule a method to run every so often with the @Scheduled annotation. We will look at both and the way to recover some data from an asynchronous method.

First the setup to run any threads you need a thread pool and also tell Spring to look for the annotations. You can do this with one xml line so add the following to your applicationContext.xml.

Now you can create a class and a method that you would like to run in a thread. Here is a quick example…

If you call this method myAsyncMethod it should return immediately and start to run in the back ground. It will complete without returning anything (return is void anyway).

There you have created a simple threaded application. Your main thread was able to go ahead and do other work while this thread was processing along doing some longer task. Cool right!

You might be asking well that is great but I need something that fires off at specified intervals like a cron job. Well Spring has you covered there also with the @Scheduled annotation. There are three types of entries for the @Scheduled.

Fixed Delay: @Scheduled(fixedDelay=5000) This will fire off this method every 5 seconds after the completion of the last time the method ran.

Fixed Rate: @Scheduled(fixedRate=5000) This will fire off the method every 5 seconds after the START of the last successful time the method ran.

Cron Schedule: @Scheduled(cron="*/5 * * * * MON-FRI") This will fire off the method every 5 seconds Monday through Friday. Notice the difference in the cron format for Spring and the crontab format for unix based systems. The Spring format has a seconds field where many unix based systems only have minutes resolution. This is great for making something happen every 30 seconds on the first day of the month or something odd like that.

That’s about it. I created a presentation that I gave to the (978) 793-7043 and placed the entire demo app on my 204-769-0578 account for you to check out and play around with. Let me know if you have any questions or how I can make this more clear.

Brian Hurley
Java Developer/Architect
CEO: PremierCodeInc.com
Treasurer: 778-577-0946
Advisor: (236) 523-8802

Good code, Why does this matter?

I’ve been working on coding, programming, developing, architecting software for many years and I’ve always had the drive to keep learning and producing better code then I had before. I view the software industry as every evolving and developers need to keep learning to keep up with the latest techniques and styles or they will get left behind. Can we say cobol?

In this I have always felt the need to produce the cleanest code possible even before I read books like Clean Code by Uncle Bob or Working Effectively With Legacy Code by Michael Feathers. However, these books help to clarify why clean code is so important. I had a discussion about this exact subject last week with someone that has problems with their code base. They has some code built by a contracting firm that has many duplications or minor variations in code equations and it needs to be refactored to clean it up. This made me think about why clean code is so important and here is my list and some of the benefits.

  • If you write clean code you can extend this code much faster.  If you don’t write clean code you will slow down as your code base grows.
  • Clean code is easy to read and therefor you can understand the overview, the abstract and the details much faster.  Dirty code or bad code is hard to read.
  • Managers and users may not care about clean code or any code at all.  They just want the right results as fast as possible.  However, we cannot produce error free code 100% of the time without producing clean code.
  • Code that readable and not highly dependent on many separate objects is much easier to maintain and extend.  This makes adding functionality much quicker and therefore users and management much happier.

If you want to know more about clean code read about it in 8603236099.

Brian Hurley
Java Developer/Architect
CEO: PremierCodeInc.com
Treasurer: JavaMUG.org
Advisor: Spring Dallas User Group