Detailed review

The previous article described how HttpSecurity builds filter chains. This article focuses on several major filters.

Authentication filter: UsernamePasswordAuthenticationFilter

When the request parameters carry a username and password, the request goes through UsernamePasswordAuthenticationFilter, which extracts the parameters, builds a UsernamePasswordAuthenticationToken and submits it for authentication. On success, the resulting Authentication is stored in the SecurityContextHolder.

UsernamePasswordAuthenticationFilter implements the attemptAuthentication() method of its parent class, AbstractAuthenticationProcessingFilter. This method calls the AuthenticationManager to perform the authentication.

In AbstractAuthenticationProcessingFilter.doFilter(), each request is checked to see whether it requires authentication. Requests that do not require authentication pass straight through; those that do are intercepted.

How is it decided whether a request needs authentication? This is set when we call httpSecurity.formLogin().permitAll().

ProviderManager is the default implementation of AuthenticationManager. By registering different AuthenticationProvider implementations, authentication can be performed in various ways. Internally, authenticate(Authentication) iterates over the providers and calls provider.authenticate() on each to attempt authentication. We can implement the AuthenticationProvider interface ourselves and override authenticate() to look up the username and password in the database.

PS: The parent mentioned above is actually the authentication manager that holds our custom provider; I won't post it here.
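The custom AuthenticationProvider described above, as an added example that is not code from the original article. It assumes Spring Security 5 on the classpath; UserRepository and UserRecord are hypothetical stand-ins for the database lookup, and the PasswordEncoder is whichever bean the application configures. Unknown users and wrong passwords both raise the same BadCredentialsException so the login response does not reveal which usernames exist.

```java
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical row shape returned by the database lookup (not part of the article). */
record UserRecord(String username, String passwordHash, List<String> roles) {}

/** Hypothetical repository interface; a real one would be backed by JPA/JDBC. */
interface UserRepository {
    Optional<UserRecord> findByUsername(String username);
}

/**
 * Called by ProviderManager for every UsernamePasswordAuthenticationToken that the
 * login filter builds. Returns a fully authenticated token on success, throws on failure.
 */
public class DatabaseAuthenticationProvider implements AuthenticationProvider {

    private final UserRepository users;
    private final PasswordEncoder encoder;

    public DatabaseAuthenticationProvider(UserRepository users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (username == null || credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        String rawPassword = credentials.toString();

        // Same exception for "no such user" and "wrong password": no username enumeration.
        UserRecord user = users.findByUsername(username)
                .orElseThrow(() -> new BadCredentialsException("Bad credentials"));

        // Compare against the stored hash; never compare raw passwords.
        if (!encoder.matches(rawPassword, user.passwordHash())) {
            throw new BadCredentialsException("Bad credentials");
        }

        List<GrantedAuthority> authorities = user.roles().stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());

        // The three-argument constructor marks the token as authenticated.
        // Credentials are dropped (null) so the password does not linger in the SecurityContext.
        return new UsernamePasswordAuthenticationToken(user.username(), null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // ProviderManager only hands us tokens of this type.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register the provider with the manager that the filter chain uses, for example by overriding configure(AuthenticationManagerBuilder) in a WebSecurityConfigurerAdapter and calling auth.authenticationProvider(new DatabaseAuthenticationProvider(users, encoder)); ProviderManager then tries it for each login attempt.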

Authentication filter: BasicAuthenticationFilter

When the Authorization header is present and its value starts with Basic, the request goes through BasicAuthenticationFilter, which extracts the credentials, builds a UsernamePasswordAuthenticationToken and submits it for authentication. On success, the Authentication is stored in the SecurityContextHolder.

Authentication filter: AnonymousAuthenticationFilter

For users who are not logged in, it stores an AnonymousAuthenticationToken as the Authentication in the SecurityContextHolder.

Authorization filter: AbstractSecurityInterceptor

The default filter is FilterSecurityInterceptor, which extends AbstractSecurityInterceptor and implements the Filter interface. We usually extend this filter, or its parent directly, to build a custom AuthorizeSecurityInterceptor. The purpose is to inject a custom access decision manager (AccessDecisionManager) and permission metadata source (FilterInvocationSecurityMetadataSource).

FilterSecurityInterceptor is configured in WebSecurityConfigurerAdapter.init().

FilterSecurityInterceptor.doFilter() calls super.beforeInvocation(fi), which internally calls the access decision manager to authorize the request.

The custom AuthorizeSecurityMetadataSource implements the getAttributes() method of FilterInvocationSecurityMetadataSource, which returns the list of roles corresponding to a URL.

The custom AuthorizeAccessDecisionManager implements AccessDecisionManager and its decide() method, which determines whether the current user is allowed to access the URL.
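The metadata source and decision manager described in the two paragraphs above, as an added example that is not the article's own code. It assumes Spring Security 5; the URL-to-role table is constructed inline for illustration, and the trailing /** entry is a deliberate design choice: FilterSecurityInterceptor skips decide() entirely when getAttributes() returns nothing (with the default rejectPublicInvocations=false that means the request is allowed), so every URL is given attributes and unmatched paths fail closed.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

/** Maps a request URL to the roles that may access it. */
class AuthorizeSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    private final AntPathMatcher matcher = new AntPathMatcher();
    // Constructed sample table; a real implementation would load this from the database.
    // Order matters: first matching pattern wins, and the /** catch-all must stay last.
    private final Map<String, List<String>> urlRoles = new LinkedHashMap<>();

    AuthorizeSecurityMetadataSource() {
        urlRoles.put("/admin/**", List.of("ROLE_ADMIN"));
        urlRoles.put("/reports/**", List.of("ROLE_ADMIN", "ROLE_AUDITOR"));
        urlRoles.put("/profile/**", List.of("ROLE_USER", "ROLE_ADMIN"));
        urlRoles.put("/**", List.of("ROLE_ADMIN")); // fail closed for anything not listed
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        String url = ((FilterInvocation) object).getRequestUrl();
        for (Map.Entry<String, List<String>> entry : urlRoles.entrySet()) {
            if (matcher.match(entry.getKey(), url)) {
                return SecurityConfig.createList(entry.getValue().toArray(new String[0]));
            }
        }
        return SecurityConfig.createList("ROLE_ADMIN"); // unreachable thanks to /**, kept as a guard
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null; // only needed for start-up validation; null disables it
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

/** Grants access when the user holds at least one of the roles returned above. */
class AuthorizeAccessDecisionManager implements AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {
        if (authentication == null || !authentication.isAuthenticated()) {
            // ExceptionTranslationFilter turns this into a redirect to the login entry point.
            throw new InsufficientAuthenticationException("Login required");
        }
        for (ConfigAttribute attribute : configAttributes) {
            String requiredRole = attribute.getAttribute();
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (requiredRole.equals(authority.getAuthority())) {
                    return; // matched: allow the request to proceed
                }
            }
        }
        throw new AccessDeniedException("No matching role for this URL");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

To plug both into the default FilterSecurityInterceptor instead of writing a subclass, set them from an ObjectPostProcessor in http.authorizeRequests().withObjectPostProcessor(...), calling setSecurityMetadataSource(...) and setAccessDecisionManager(...) on the interceptor Spring creates; note that an anonymous user is still "authenticated" in the sense of isAuthenticated() returning true for AnonymousAuthenticationToken, so the role check, not the isAuthenticated() guard, is what keeps anonymous users out of /admin/**.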

The framework's default AccessDecisionManager implementations authorize by voting:

  • AffirmativeBased (Spring Security default)

    As long as there is one "yes" vote (ACCESS_GRANTED = 1), the result is yes. If there is no yes vote and at least one no vote (ACCESS_DENIED = -1), the result is no.

  • ConsensusBased

    If the number of yes votes is greater than the number of no votes, the result is yes; if the number of yes votes is less than the number of no votes, the result is no. When yes and no votes are equal, the allowIfEqualGrantedDeniedDecisions setting (true by default) determines whether access is granted.

  • UnanimousBased

    No matter how many voters vote "yes", if any voter votes "no", the result is no. If there are no dissenting votes and at least one voter votes yes, the result is yes.
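The three voting strategies above side by side, as an added example that is not from the original article. It assumes Spring Security 5 and uses the framework's own RoleVoter, AffirmativeBased, ConsensusBased and UnanimousBased classes. The scenario is constructed so that the same user and the same attributes produce a different result under each strategy: the user holds ROLE_ADMIN but not DEPT_FINANCE, so a "ROLE_" voter grants and a "DEPT_" voter denies.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class VotingStrategyDemo {

    /** Runs decide() and reports the outcome instead of letting the exception escape. */
    static String outcome(String name, AccessDecisionManager manager,
                          Authentication user, List<ConfigAttribute> attributes) {
        try {
            manager.decide(user, new Object(), attributes);
            return name + ": granted";
        } catch (AccessDeniedException e) {
            return name + ": denied";
        }
    }

    public static void main(String[] args) {
        // Voter 1 handles attributes starting with ROLE_, voter 2 those starting with DEPT_.
        // Each abstains on attributes it does not recognise (ACCESS_ABSTAIN = 0).
        RoleVoter roleVoter = new RoleVoter();               // default prefix "ROLE_"
        RoleVoter deptVoter = new RoleVoter();
        deptVoter.setRolePrefix("DEPT_");
        List<AccessDecisionVoter<?>> voters = List.of(roleVoter, deptVoter);

        // Constructed user: has ROLE_ADMIN, lacks DEPT_FINANCE.
        Authentication user = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");

        // Constructed URL requirements: one attribute each voter can act on.
        List<ConfigAttribute> attributes = SecurityConfig.createList("ROLE_ADMIN", "DEPT_FINANCE");

        // AffirmativeBased: one GRANTED (roleVoter) is enough -> granted.
        System.out.println(outcome("AffirmativeBased", new AffirmativeBased(voters), user, attributes));

        // ConsensusBased: 1 GRANTED vs 1 DENIED, tie resolved by
        // allowIfEqualGrantedDeniedDecisions (true by default) -> granted.
        ConsensusBased consensus = new ConsensusBased(voters);
        System.out.println(outcome("ConsensusBased (default)", consensus, user, attributes));

        // Same tie with the flag turned off -> denied.
        ConsensusBased strictConsensus = new ConsensusBased(voters);
        strictConsensus.setAllowIfEqualGrantedDeniedDecisions(false);
        System.out.println(outcome("ConsensusBased (no tie pass)", strictConsensus, user, attributes));

        // UnanimousBased: polls every attribute separately; deptVoter DENIES
        // DEPT_FINANCE, and a single DENIED is enough -> denied.
        System.out.println(outcome("UnanimousBased", new UnanimousBased(voters), user, attributes));
    }
}
```

UnanimousBased is the one to reach for when every attribute on a URL must be satisfied, since it hands each attribute to the voters one at a time; AffirmativeBased, the default, treats the attributes as alternatives. The manager is wired with http.authorizeRequests().accessDecisionManager(...), and a custom AccessDecisionVoter can be added to the voters list to express rules that RoleVoter cannot.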

Other filters

ExceptionTranslationFilter:

This filter mainly catches and handles the exceptions thrown by Spring Security, which mostly come from FilterSecurityInterceptor.

Series of articles: Spring Security in Plain English part 1: Explaining framework Principles in three Sentences

Spring Security (Part 2) : Creating FilterChainProxy

Spring Security (part 3) : How FilterChainProxy Works

Spring Security (part 4) : WebSecurity and HttpSecurity

Link to this article: Spring Security in Plain English (5) : The Authentication and Authorization Process