
Spring Security Authentication


Security is one of the most vital concerns for any organization. In this article, you will learn how authentication works in Spring Security and how to integrate it with a Spring MVC application.


One of the fundamental ways to secure a resource is to make sure that the caller is who they claim to be. This process of checking credentials and making sure that they are genuine is called authentication.

This article will delve into the technical capabilities of Spring Security, specifically authentication. The complete code for this article is in the accompanying GitHub repository.

The following diagram shows the fundamental process Spring Security uses to address this core security requirement. The figure is generic and can be used to explain all the various authentication methods that the framework supports:

Figure: Spring Security Authentication

Spring Security is built on a series of servlet filters (a filter chain). When a request reaches the server, it is intercepted by this chain (Step 1 in the preceding diagram). In the reactive world (with the newer Spring WebFlux web application framework), filters are written quite differently from traditional servlet filters (such as those used in the Spring MVC web application framework). Having said that, the fundamental mechanism is the same for both.

Each filter in the chain either handles the request or passes it on to the next filter, so a request that carries no credentials for a given mechanism simply flows through that mechanism's filter. Once the request reaches the authentication filter that matches the mechanism in use, that filter extracts the supplied credentials (most commonly a username and password) from the request.

Using the supplied values (here, a username and password), the filter (UsernamePasswordAuthenticationFilter) creates an Authentication object: in the preceding diagram, a UsernamePasswordAuthenticationToken is created from the supplied username and password (Step 2). At this point the token is not yet authenticated; it is handed to the authenticate method of the AuthenticationManager interface:

    public interface AuthenticationManager {
        Authentication authenticate(Authentication authentication) throws AuthenticationException;
    }

The standard implementation is ProviderManager, which holds a list of configured AuthenticationProvider instances and delegates to them. A provider implements two methods: supports tells ProviderManager which Authentication types it can handle, and authenticate performs the actual check:

    public interface AuthenticationProvider {
        Authentication authenticate(Authentication authentication) throws AuthenticationException;
        boolean supports(Class<?> authentication);
    }

ProviderManager walks its providers in order. Each provider whose supports method accepts the token's class is asked to authenticate it: a non-null result ends the search, a null result means "cannot decide, try the next provider", and an AuthenticationException is remembered while the next provider is tried (account-status failures such as a locked or disabled account are thrown immediately). If no provider decides, an optional parent AuthenticationManager is consulted; otherwise the last exception is thrown (or a ProviderNotFoundException if no provider supported the token at all). Spring Security ships a number of AuthenticationProvider implementations, for example DaoAuthenticationProvider for username/password checks against a UserDetailsService and LdapAuthenticationProvider for directory binds.

In the diagram above, the AuthenticationProvider needs the stored user record to compare the supplied credentials against (some providers require this; others, which validate a token on their own, do not). That record is supplied by a UserDetailsService:

    public interface UserDetailsService {
        UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
    }

A UserDetailsService looks the user up by the supplied username and returns a UserDetails: the username, the stored (encoded) password, the granted authorities and the account-status flags. UserDetails is an interface; Spring Security's User class is the usual implementation. DaoAuthenticationProvider then compares the supplied password with the stored one through the configured PasswordEncoder, so the stored value is never a plaintext password.

If all goes well, Spring Security returns a fully populated Authentication object (authenticated=true, the principal and the granted authority list) that carries whatever details downstream code needs. By default, ProviderManager erases the credentials from that object before returning it, so the raw password does not linger in memory or in the session. The filter then stores the Authentication object in the SecurityContext (reachable through SecurityContextHolder) for the rest of the request and, with session-based security, for later requests.
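The whole flow from Step 2 onwards, wired by hand without a servlet container, as an added example that is not code from the original article or its repository. It combines a custom UserDetailsService over a constructed in-memory map (the "custom UserDetailsService" case discussed later in the article), a DaoAuthenticationProvider with a BCrypt PasswordEncoder, and a second, hypothetical AuthenticationProvider that vetoes locked accounts and otherwise returns null so that ProviderManager moves on to the next provider. The class names, the user accounts and the locked list are invented for the example; it assumes Spring Security 5.x or 6.x on Java 11 or later.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class AuthenticationFlowDemo {

    static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Constructed user store (username -> bcrypt hash); stands in for a database or directory.
    static final Map<String, String> USERS = Map.of(
            "admin", ENCODER.encode("admin@password"),
            "alice", ENCODER.encode("alice-secret"));

    // Constructed list of accounts an operator has locked out.
    static final Set<String> LOCKED = Set.of("alice");

    // Custom UserDetailsService: the hook DaoAuthenticationProvider uses to load the
    // stored credentials and authorities for a username.
    static class MapUserDetailsService implements UserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            String hash = USERS.get(username);
            if (hash == null) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return User.withUsername(username)
                    .password(hash)   // already encoded; the provider compares via ENCODER
                    .roles("ADMIN")   // stored as the authority ROLE_ADMIN
                    .build();
        }
    }

    // Hypothetical provider that only vetoes: it rejects locked accounts and otherwise
    // returns null, which tells ProviderManager "cannot decide, ask the next provider".
    static class LockoutProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            if (LOCKED.contains(authentication.getName())) {
                throw new LockedException("account locked: " + authentication.getName());
            }
            return null;
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    static AuthenticationManager buildManager() {
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(new MapUserDetailsService());
        dao.setPasswordEncoder(ENCODER);
        // Providers are consulted in list order; the first non-null result wins.
        List<AuthenticationProvider> providers = List.of(new LockoutProvider(), dao);
        return new ProviderManager(providers);
    }

    // Runs one login attempt and describes the outcome the filter would see.
    static String attempt(AuthenticationManager manager, String user, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(user, password);
        try {
            Authentication result = manager.authenticate(request);
            // Fully populated token: authenticated=true, principal is the UserDetails,
            // authorities filled in, and ProviderManager has already erased the password.
            return "OK authenticated=" + result.isAuthenticated()
                    + " principal=" + result.getName()
                    + " authorities=" + result.getAuthorities()
                    + " credentials=" + result.getCredentials();
        } catch (AuthenticationException e) {
            return "FAIL " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println(attempt(manager, "admin", "admin@password"));
        System.out.println(attempt(manager, "admin", "wrong-password"));
        System.out.println(attempt(manager, "nobody", "anything"));
        System.out.println(attempt(manager, "alice", "alice-secret"));
    }
}
```

Running main shows the four outcomes the text describes: the admin login succeeds with authenticated=true, the authority ROLE_ADMIN and credentials already erased to null; the wrong password and the unknown user both fail with BadCredentialsException, because DaoAuthenticationProvider hides UsernameNotFoundException by default so that the login form cannot be used to enumerate accounts; and the locked account fails with LockedException raised by the first provider, before DaoAuthenticationProvider is consulted at all.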

The authenticate method in AuthenticationManager can produce one of the following:

- An Authentication object with authenticated=true, if Spring Security can validate the supplied user credentials
- An AuthenticationException (thrown), if Spring Security finds that the supplied user credentials are invalid
- null, if Spring Security cannot decide whether the credentials are valid; the caller must treat this as not authenticated

Setting up Authentication Manager

ProviderManager is the built-in AuthenticationManager implementation you will use in almost every application, and Spring Security provides helper classes with which you can set it up without wiring providers by hand. One such helper class is AuthenticationManagerBuilder.

Using this class, it is quite easy to set up a UserDetailsService backed by a database, held in memory, backed by LDAP, and so on. If the need arises, you can also plug in your own custom UserDetailsService (for example when your organization already has a single sign-on solution that holds the user records).

You can make an AuthenticationManager global, so that it is accessible to your entire application: it is then available to method security and to other WebSecurityConfigurerAdapter instances.

WebSecurityConfigurerAdapter is a class that your Spring configuration class extends, making it quite easy to bring Spring Security into your Spring application (note that it was deprecated in Spring Security 5.7 and removed in 6.0, where the same configuration is expressed as beans). This is how you set up a global AuthenticationManager using the @Autowired annotation:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void confGlobalAuthManager(AuthenticationManagerBuilder auth) throws Exception {
            // Spring Security 5+ rejects plaintext passwords unless a PasswordEncoder is configured
            PasswordEncoder encoder = new BCryptPasswordEncoder();
            auth
                .inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("admin")
                .password(encoder.encode("admin@password"))
                .roles("ADMIN"); // roles() adds the ROLE_ prefix itself; "ROLE_ADMIN" here is rejected
        }
    }

You can also create a local AuthenticationManager, which is only available to this particular WebSecurityConfigurerAdapter, by overriding the configure method, as shown in the following code:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Spring Security 5+ rejects plaintext passwords unless a PasswordEncoder is configured
            PasswordEncoder encoder = new BCryptPasswordEncoder();
            auth
                .inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("admin")
                .password(encoder.encode("admin@password"))
                .roles("ADMIN"); // roles() adds the ROLE_ prefix itself; "ROLE_ADMIN" here is rejected
        }
    }

Another option is to expose the AuthenticationManager as a Spring bean, so that other components can inject it, by overriding the authenticationManagerBean method:

    @Override
    @Bean // without @Bean the override alone does not register the manager in the context
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

You can also expose various AuthenticationManager , Authe
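Because WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 and removed in 6.0, the same setup on a current version is written as beans instead of overrides. The following is an added example, not code from the original article or its repository: a PasswordEncoder bean, a UserDetailsService bean (picked up automatically by the global AuthenticationManager, which replaces the AuthenticationManagerBuilder calls), the global AuthenticationManager exposed as a bean through AuthenticationConfiguration (the counterpart of overriding authenticationManagerBean), and a SecurityFilterChain bean in place of a configure(HttpSecurity) override. The bean method names and the admin account are assumptions; it assumes Spring Security 5.7 or later.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical bean-based equivalent of the adapter-based SpringSecurityConfig above.
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig {

    // DelegatingPasswordEncoder writes "{bcrypt}..." hashes and can still verify
    // older formats by their {id} prefix, so the encoding can be rotated later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // A UserDetailsService bean plus the PasswordEncoder bean are all the global
    // AuthenticationManager needs; Spring Security builds a DaoAuthenticationProvider from them.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails admin = User.withUsername("admin")       // assumed demo account
                .password(encoder.encode("admin@password"))   // encoded at startup for the demo only
                .roles("ADMIN")                               // stored as ROLE_ADMIN
                .build();
        return new InMemoryUserDetailsManager(admin);
    }

    // Counterpart of overriding authenticationManagerBean(): expose the global manager
    // so other beans (for example a custom login endpoint) can inject it.
    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }

    // Counterpart of overriding configure(HttpSecurity): every request must be
    // authenticated, via HTTP Basic or the default form login.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The injected AuthenticationManager is the same ProviderManager the filter chain uses, so a component that calls authenticate on it directly gets exactly the outcomes described in the flow above, including the erased credentials on success.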
