How does Spring Security work internally?

Haytam Benayed
4 min read · Apr 27, 2020

In a world where cyber-threats are constantly evolving, security is an ever-moving target that is becoming increasingly challenging for businesses of all types, requiring them to pursue a proactive, comprehensive and system-wide security strategy in order to protect their assets.

One of the most widely used security frameworks is Spring Security. As Pivotal defines it, “Spring Security is a framework that provides authentication, authorization, and protection against common attacks. With first class support for both imperative and reactive applications, it is the de-facto standard for securing Spring-based applications.”

In this article, we are going to look at Spring Security’s high-level architecture and how it handles incoming requests in imperative (servlet-based) applications.

Note that this article is based on the Spring Security 5.3.1.RELEASE documentation. Earlier versions may differ slightly.

Authentication vs Authorization

First, let’s establish the difference between Authentication and Authorization. The two terms are often used together in security discussions, but there is a fundamental difference between them.

Authentication is the process of validating your credentials (such as a username and password) to establish that you are who you claim to be. Simply put, Authentication is about knowing who you are.

Authorization is the process of deciding whether an already authenticated user may access a particular resource. Simply put, Authorization is about knowing whether you have the right to access what you want.

Spring Security architecture

Here is a simplified figure of Spring Security’s architecture :

Figure1 : Spring Security Architecture

Let’s define each element of the figure :

SecurityFilterChain : Spring Security hooks into the servlet container as a single filter (a DelegatingFilterProxy that delegates to a FilterChainProxy), which in turn holds one or more SecurityFilterChains. Each chain is an ordered list of filters, and every filter of the chain that matches the request runs, in that order. Some filters extract credentials from the request: for example, UsernamePasswordAuthenticationFilter handles a POST to the login URL carrying username and password parameters (the typical login form), and BasicAuthenticationFilter handles an HTTP Basic Authorization header. Others do supporting work, such as loading and saving the SecurityContext between requests (SecurityContextPersistenceFilter), CSRF protection (CsrfFilter), or the final access decision (FilterSecurityInterceptor).
The ordering of the filters matters because of the dependencies between them: the context must be loaded before any filter consults it, and authentication must happen before the access decision. The reference documentation covers filter ordering in detail, and the FilterComparator class holds the implementation.
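As an added illustration (not code from the original article), here is a Java configuration for Spring Security 5.3 that composes such a chain and inserts a custom credential-extracting filter at a chosen position. The “X-Api-Key: username:secret” header format, the ApiKeyAuthenticationFilter and ApiSecurityConfig class names, and the user alice/s3cret are all constructed for this example; the Spring classes and DSL calls are the real ones.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical filter for a constructed "X-Api-Key: <username>:<secret>" header.
 * Like BasicAuthenticationFilter it only extracts credentials from the request;
 * the decision is left to the AuthenticationManager.
 */
class ApiKeyAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;

    ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("X-Api-Key");
        int sep = header == null ? -1 : header.indexOf(':');
        if (sep <= 0) {
            chain.doFilter(request, response);   // not ours: let the next filter inspect the request
            return;
        }
        Authentication token = new UsernamePasswordAuthenticationToken(
                header.substring(0, sep), header.substring(sep + 1));
        try {
            Authentication result = authenticationManager.authenticate(token);
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;                              // stop the chain; never fall through to the app
        }
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity(debug = true)  // logs the ordered filter list applied to every request
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed demo user; a real deployment loads users through a UserDetailsService.
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("alice").password(encoder.encode("s3cret")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HTTP session: every request must carry its own credentials.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()              // no session cookie, so a CSRF token has nothing to protect
            .authorizeRequests()
                .antMatchers("/health").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic()                   // contributes BasicAuthenticationFilter to the chain
                .and()
            // Position matters: this runs in the slot before UsernamePasswordAuthenticationFilter,
            // i.e. after SecurityContextPersistenceFilter and CsrfFilter, before FilterSecurityInterceptor.
            .addFilterBefore(new ApiKeyAuthenticationFilter(authenticationManager()),
                             UsernamePasswordAuthenticationFilter.class);
    }
}
```

With debug enabled, each request logs the exact filter list Spring Security assembled for it, which is the quickest way to confirm where an added filter landed. The filter deliberately returns 401 and aborts the chain on a failed authentication attempt rather than letting the request continue; a filter that swallows the exception and calls chain.doFilter would let a bad key fall through to the authorization step as an anonymous request.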

AuthenticationManager : The interface through which filters authenticate. Its standard implementation, ProviderManager, holds an ordered list of configured AuthenticationProviders and delegates the actual check to them.

AuthenticationProvider : An AuthenticationProvider performs the actual check for one kind of Authentication token. Typical implementations look the user up in a specific store (a database, LDAP, a third-party identity source, etc.) and validate the supplied credentials against what they find (e.g. DaoAuthenticationProvider, LdapAuthenticationProvider, OpenIDAuthenticationProvider …). Each provider announces which token types it handles through its supports(Class) method, which is how the ProviderManager selects one.
AuthenticationProvider is often confused with UserDetailsService, although their roles differ. The AuthenticationProvider authenticates, i.e. compares the credentials in the request with the credentials on record. The UserDetailsService is purely a DAO for user data: its single method, loadUserByUsername, returns the UserDetails stored for the given username (or throws UsernameNotFoundException) and says nothing about whether authentication succeeded or failed. DaoAuthenticationProvider combines the two: it calls the UserDetailsService, then checks the submitted password against the stored hash with a PasswordEncoder. By default it reports an unknown username as a BadCredentialsException, the same error as a wrong password, so that login responses do not reveal which usernames exist.

Authentication Flow

Now that we know the fundamental elements of Spring Security’s architecture, let’s describe the execution of the authentication flow :

When a request reaches the application, it passes through the security filters in order. Spring Security does not pick a single filter; each filter inspects the request and decides for itself whether it applies. UsernamePasswordAuthenticationFilter only acts on a POST to the login URL (/login by default) carrying username and password parameters; BasicAuthenticationFilter only acts when an “Authorization : Basic base64encoded(username:password)” header is present; filters that do not match simply pass the request on, and so the chaining goes on.

A filter that does find credentials wraps them in an unauthenticated Authentication object (for both filters above, a UsernamePasswordAuthenticationToken) and hands it to the AuthenticationManager. The ProviderManager implementation walks its AuthenticationProviders in order, skips those whose supports() method rejects the token type, and takes the first non-null result. When authentication succeeds and a matching user is found, the returned Authentication object is populated with the user’s authorities (which will later be used to decide what the user may access), the password is erased from it, and it is stored in the SecurityContext via SecurityContextHolder; in a session-based application, SecurityContextPersistenceFilter then saves that context to the HTTP session so later requests do not need to authenticate again. When authentication fails, the provider throws an AuthenticationException and the filter clears the context and delegates to its failure handler (or an AuthenticationEntryPoint) to produce the error response.
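The same round trip stripped of the servlet layer, as an added example that is not part of the original article: a ProviderManager with a single DaoAuthenticationProvider, backed by a constructed UserDetailsService holding one user. The MapUserDetailsService and AuthenticationFlowDemo classes and the user alice/s3cret are assumptions made for this example; the Spring Security classes are the real ones, and only spring-security-core (with its spring-security-crypto dependency) is needed on the classpath.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class AuthenticationFlowDemo {

    /** Constructed in-memory user store. A UserDetailsService only loads data; it never decides. */
    static class MapUserDetailsService implements UserDetailsService {
        private final Map<String, UserDetails> users;

        MapUserDetailsService(Map<String, UserDetails> users) {
            this.users = users;
        }

        @Override
        public UserDetails loadUserByUsername(String username) {
            UserDetails user = users.get(username);
            if (user == null) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return user;
        }
    }

    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("s3cret"))   // only the hash is ever stored
                .roles("USER")                        // stored as the authority ROLE_USER
                .build();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new MapUserDetailsService(Collections.singletonMap("alice", alice)));
        provider.setPasswordEncoder(encoder);
        // ProviderManager is the AuthenticationManager: it walks its providers in order and hands
        // the token to the first one whose supports() accepts UsernamePasswordAuthenticationToken.
        return new ProviderManager(Collections.singletonList(provider));
    }

    /** Mirrors what a filter does once it has pulled credentials out of a request. */
    static String attempt(AuthenticationManager manager, String username, String password) {
        // Unauthenticated token, exactly what UsernamePasswordAuthenticationFilter builds from the POST.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = manager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
            // ProviderManager erases the password from the returned token by default,
            // so getCredentials() on the stored Authentication is null.
            return "authenticated=" + result.isAuthenticated()
                    + " authorities=" + result.getAuthorities()
                    + " credentials=" + result.getCredentials();
        } catch (AuthenticationException e) {
            // A filter would delegate here to its AuthenticationFailureHandler or entry point.
            return "failed: " + e.getClass().getSimpleName();
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println(attempt(manager, "alice", "s3cret"));   // correct password
        System.out.println(attempt(manager, "alice", "wrong"));    // wrong password
        System.out.println(attempt(manager, "mallory", "s3cret")); // unknown user
    }
}
```

The first call returns an authenticated token carrying the authority ROLE_USER with its credentials erased. The second fails with BadCredentialsException. The third also fails with BadCredentialsException rather than the UsernameNotFoundException the UserDetailsService threw, because DaoAuthenticationProvider hides user-not-found errors by default (hideUserNotFoundExceptions); turning that off would let an attacker enumerate valid usernames from the error type.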

Conclusion

In this article, we looked at how Spring Security works and how it handles the security of an application’s incoming requests. Of course, there is more to it as we delve deeper.

The key takeaway is that Spring Security provides a comprehensive architecture that handles both authentication of incoming requests and authorization of access to a specific endpoint or method based on the user’s authorities.

Separate articles are planned to present implementation details of security strategies (Basic Auth, stateless Auth…) and how to use them in a Spring Boot application.
