Spring Security Overview

Spring Security is an authentication and authorization framework that supports authentication modes such as HTTP Basic authentication (an IETF RFC standard), HTTP Digest authentication (an IETF RFC standard), form-based authentication (for a simple user interface), OpenID authentication, and so on. Spring Security lets an existing system quickly integrate these authentication mechanisms or implement its own.

1. Spring Security Usage.

Spring Security 3 and later provide Java Config configuration, but I found the XML configuration easier to understand, so this article is based on XML configuration.

1.1 Pom Dependencies.

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.4.RELEASE</version>
</parent>

<dependencies>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
</dependencies>

Since Spring Boot is used here, enable Spring Security with the @EnableWebSecurity annotation and import its XML configuration, spring-security.xml, from the classpath with @ImportResource.

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportResource;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity
@ImportResource(locations = "classpath:spring-security.xml")
public class SecurityConfig {
}

1.2 XML Configuration.

The officially provided security namespace is declared in spring-security.xml, and the simplest configuration then intercepts every requested URL and requires the caller to hold the ROLE_USER authority. The two users are defined in memory with plain-text passwords, which is fine for this demo but not for a real deployment.

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http>
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <security:form-login/>
        <security:http-basic/>
        <security:logout/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="user" password="123456" authorities="ROLE_USER"/>
                <security:user name="admin" password="123456" authorities="ROLE_USER, ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

1.3 Access Test.

When you access any URL in this web application, Spring Security generates a login page and redirects you to it. Only after you enter the username user and password 123456 in the login form can you access the requested resource.

2. How Does Spring Security Intercept Requests.

2.1 Traditional Filter.

The traditional filter configuration in web.xml is as follows.

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

From the above configuration we can see that every request (/*) is filtered by the org.springframework.web.filter.DelegatingFilterProxy class.

2.2 Spring Security Filter.

Stepping through with a breakpoint shows that DelegatingFilterProxy actually delegates to the FilterChainProxy class, which holds a private List<SecurityFilterChain> filterChains field. So what is a SecurityFilterChain?

import java.util.List;
import javax.servlet.Filter;
import javax.servlet.http.HttpServletRequest;

public interface SecurityFilterChain {
    // Does this chain apply to the given request?
    boolean matches(HttpServletRequest request);
    // The filters to run, in order, when it does.
    List<Filter> getFilters();
}

From the source code we can see that a SecurityFilterChain is a chain of Filters bound to a set of matching rules. Looking next at the getFilters source code, it returns the Filter chain whose rules, configured by a security:http tag in the XML file, match the current request.

private List<Filter> getFilters(HttpServletRequest request) {
    // Chains are consulted in configuration order; the first whose
    // matcher accepts this request supplies the filters to run.
    for (SecurityFilterChain chain : filterChains) {
        if (chain.matches(request)) {
            return chain.getFilters();
        }
    }
    // No chain matched this request.
    return null;
}
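As an added example (not Spring's own source), the following self-contained Java model reproduces the first-match loop above to show why chain order matters: a catch-all /** chain listed first shadows every chain after it, and a request matched by no chain yields null, which FilterChainProxy treats as "apply no security filters". The Chain class, its path matcher and the string filter names are illustrative stand-ins for SecurityFilterChain and List<Filter>.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example (not Spring's code): a minimal model of FilterChainProxy.getFilters
// showing that chain order matters, because the first matching chain wins.
public class ChainSelectionDemo {

    // Illustrative stand-in for Spring's SecurityFilterChain; filters are just names.
    static final class Chain {
        final String pattern;        // "/admin/**" or "/**" style pattern
        final List<String> filters;  // stand-in for List<Filter>

        Chain(String pattern, String... filters) {
            this.pattern = pattern;
            this.filters = Arrays.asList(filters);
        }

        // Equivalent of SecurityFilterChain.matches(request), reduced to a path string.
        boolean matches(String path) {
            if (pattern.endsWith("/**")) {
                String prefix = pattern.substring(0, pattern.length() - 3);
                return prefix.isEmpty() || path.equals(prefix) || path.startsWith(prefix + "/");
            }
            return pattern.equals(path);
        }
    }

    // Mirrors the loop in FilterChainProxy.getFilters: first match wins, otherwise null.
    static List<String> getFilters(List<Chain> filterChains, String path) {
        for (Chain chain : filterChains) {
            if (chain.matches(path)) {
                return chain.filters;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Chain admin = new Chain("/admin/**", "UsernamePasswordAuthenticationFilter", "FilterSecurityInterceptor");
        Chain everything = new Chain("/**", "AnonymousAuthenticationFilter");

        // Specific chain listed first: /admin/users is handled by the admin chain.
        System.out.println(getFilters(Arrays.asList(admin, everything), "/admin/users"));
        // Catch-all listed first: the admin chain can never be reached.
        System.out.println(getFilters(Arrays.asList(everything, admin), "/admin/users"));
        // No chain matches: null, which FilterChainProxy treats as "no security filters".
        System.out.println(getFilters(Collections.singletonList(admin), "/index.html"));
    }
}
```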