Easy way to learn Spring Security 5

Satyakam Mohapatra
Dec 27, 2019 · 5 min read


Introduction

Spring Security is a framework that focuses on providing both authentication and authorization (or access control) for Java applications.

It supports integration with all of the following technologies:

  • HTTP basic access authentication
  • LDAP (Lightweight Directory Access Protocol)
  • Kerberos
  • JOSSO (Java Open Source Single Sign-On)
  • Automatic remember-me authentication
  • Form-based authentication
  • OpenID identity provider
  • and others.

What are the core concepts of Spring Security?

Authentication

Authentication is about validating your credentials, such as a user name or user ID and a password, to verify your identity. The system uses those credentials to determine whether you are who you say you are.

Authorization

Authorization is the process of determining whether an authenticated user has access to a particular resource. It checks your rights before granting you access to resources such as information, databases, files, etc. Authorization usually comes after authentication: authentication confirms who you are, and authorization then confirms what you are permitted to do.

How Does Spring Security Work?

In a J2EE servlet application, a client calls a servlet through the URL mappings (i.e. servlet-mapping entries) configured for that servlet in the web.xml file. Whenever there is a request to that specific URL, the request is sent to the servlet, which handles it and produces the required response.

Servlet Filter configuration in web.xml

Servlet Filter

But if we want to secure that servlet so that only authenticated and authorized users can access it, we have to implement a servlet filter, or a chain of filters, that intercepts every request to the servlet and checks whether the user requesting the response is indeed valid.

Spring Security works the same way under the hood; the difference is that we have to write far less code to add security to our application.

Integrate Spring Security in Spring MVC or Non-Spring Boot application

To integrate Spring Security with a Spring MVC web application, just declare DelegatingFilterProxy as a servlet filter in web.xml so that it intercepts every incoming request.

Integrate Spring Security in web.xml

In Spring Boot, this configuration is added to the project by default as soon as we add the spring-boot-starter-security dependency.
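In a Servlet 3.0+ container the same web.xml registration can be done in Java. The following is an added example, not code from the original post: SecurityWebInitializer and WebSecurityConfig are hypothetical names, the demo user is constructed, and Spring Security 5.2-era APIs are assumed.

```java
// Added example (not from the original post): Java-config equivalent of the web.xml
// DelegatingFilterProxy registration for a non-Boot Spring MVC app. Class names are
// hypothetical, the demo user is constructed; assumes Servlet 3.0+ and Spring Security 5.2-era APIs.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Found by the container at startup; registers the "springSecurityFilterChain" DelegatingFilterProxy
 * for every URL, which is exactly what the <filter>/<filter-mapping> entries in web.xml did.
 * Use the no-arg super constructor instead if another initializer already creates the root context.
 */
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
    public SecurityWebInitializer() {
        super(WebSecurityConfig.class);
    }
}

@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public PasswordEncoder passwordEncoder() {
        // Produces "{bcrypt}..." hashes; plain-text passwords are never stored.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(User.withUsername("demo")
                .password(passwordEncoder().encode("demo-pass")).roles("USER").build());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            .and().formLogin().and().httpBasic();
    }
}
```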

FilterChainProxy

Security Filter Chain

Filter Ordering

The order in which filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:

  1. ChannelProcessingFilter, because it might need to redirect to a different protocol
  2. SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
  3. ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality but needs to update the SessionRegistry to reflect ongoing requests from the principal
  4. Authentication processing mechanism UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter, etc — so that the SecurityContextHolder can be modified to contain a valid Authentication request token
  5. The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
  6. RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
  7. AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
  8. ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
  9. FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied
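Because the position of a custom filter is stated relative to one of the filters above, it is worth printing the built chain once at startup to confirm the order. The following is an added example, not code from the original post: RequestAuditFilter and FilterOrderConfig are hypothetical names and Spring Security 5.2-era APIs are assumed.

```java
// Added example (not from the original post): registers a hypothetical audit filter at a
// chosen position and prints the built chain order at startup. Assumes Spring Security 5.2-era APIs.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class FilterOrderConfig extends WebSecurityConfigurerAdapter {
    /** Hypothetical filter; it runs before authentication, so no principal is available to it. */
    static class RequestAuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            req.setAttribute("audit.path", req.getRequestURI());
            chain.doFilter(req, res);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
        // Position is given relative to a filter Spring Security already orders; addFilterAfter/At likewise.
        http.addFilterBefore(new RequestAuditFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    /** Prints each chain's filters in execution order once the FilterChainProxy has been built. */
    @Bean
    public InitializingBean filterOrderReporter(@Qualifier("springSecurityFilterChain") Filter proxy) {
        return () -> {
            for (SecurityFilterChain chain : ((FilterChainProxy) proxy).getFilterChains()) {
                for (Filter f : chain.getFilters()) System.out.println(f.getClass().getSimpleName());
            }
        };
    }
}
```

The printed list should show RequestAuditFilter immediately before UsernamePasswordAuthenticationFilter, with ExceptionTranslationFilter and FilterSecurityInterceptor last.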

Spring Security Workflow


Spring Security Code Walkthrough

AuthenticationFilter

The servlet-API-based authentication process commonly consists of the following stages:

  1. Extract an Authentication from the request (supply);
  2. If no supported Authentication is present, proceed with the filter chain;
  3. If a supported Authentication is present, try to authenticate it with the AuthenticationManager;
  4. If authentication succeeds, proceed with the filter chain using the “authenticated” Authentication;
  5. If authentication fails, produce an appropriate response via the AuthenticationEntryPoint.
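The five stages map directly onto a filter. The following is an added example, not code from the original post: HeaderAuthenticationFilter and the X-Auth-User / X-Auth-Secret header names are hypothetical, and it assumes Spring Security 5.2-era APIs plus an AuthenticationManager that has a provider for UsernamePasswordAuthenticationToken (the default DaoAuthenticationProvider qualifies).

```java
// Added example (not from the original post): a filter that follows the five stages above. Header
// names are hypothetical; assumes an AuthenticationManager that handles UsernamePasswordAuthenticationToken.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.web.filter.OncePerRequestFilter;

public class HeaderAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;
    // Stage 5 strategy: a plain 401 (an entry point that sends a WWW-Authenticate challenge is another option).
    private final AuthenticationEntryPoint entryPoint = new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);

    public HeaderAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Stage 1: build an unauthenticated Authentication from the request, or null if the headers are absent. */
    private Authentication supply(HttpServletRequest request) {
        String user = request.getHeader("X-Auth-User");
        String secret = request.getHeader("X-Auth-Secret");
        if (user == null || secret == null) return null;
        return new UsernamePasswordAuthenticationToken(user, secret); // isAuthenticated() == false
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        Authentication supplied = supply(request);
        if (supplied == null) {
            chain.doFilter(request, response); // Stage 2: not ours; later filters (anonymous etc.) decide
            return;
        }
        try {
            Authentication authenticated = authenticationManager.authenticate(supplied); // Stage 3
            SecurityContextHolder.getContext().setAuthentication(authenticated);        // Stage 4
            chain.doFilter(request, response);
        } catch (AuthenticationException ex) {
            SecurityContextHolder.clearContext(); // never leave a half-built context behind
            entryPoint.commence(request, response, ex); // Stage 5
        }
    }
}
```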

ProviderManager

ProviderManager is the most common implementation of AuthenticationManager. It attempts to authenticate the passed Authentication object by trying each of its configured AuthenticationProviders in turn.


AuthenticationProvider Implementation Classes

AuthenticationProviders

Fetching User Details from UserDetailsService

UserDetailsService
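The pieces from the last three sections fit together as follows. This is an added example, not code from the original post: PasswordAuthenticationProvider is a hypothetical provider that loads the user through a UserDetailsService and checks the password with a PasswordEncoder, the in-memory demo user is constructed, and Spring Security 5.2-era APIs are assumed.

```java
// Added example (not from the original post): a hypothetical AuthenticationProvider that loads the user
// via a UserDetailsService and checks the password, wired into a ProviderManager with a constructed demo user.
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class PasswordAuthenticationProvider implements AuthenticationProvider {
    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;

    public PasswordAuthenticationProvider(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) {
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    /** ProviderManager consults this first and only passes matching token types to authenticate(). */
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        // UsernameNotFoundException from the service is an AuthenticationException too, so it propagates.
        UserDetails user = userDetailsService.loadUserByUsername(auth.getName());
        if (!passwordEncoder.matches(String.valueOf(auth.getCredentials()), user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Authenticated token: credentials are dropped, authorities come from the UserDetails.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    /** Builds a ProviderManager around this provider, backed by an in-memory demo user. */
    public static AuthenticationManager demoManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("demo").password(encoder.encode("demo-pass")).roles("USER").build());
        AuthenticationProvider provider = new PasswordAuthenticationProvider(users, encoder);
        return new ProviderManager(Collections.singletonList(provider));
    }
}
```

Calling demoManager().authenticate(new UsernamePasswordAuthenticationToken("demo", "demo-pass")) returns an authenticated token carrying ROLE_USER, while a wrong password raises BadCredentialsException.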

Core Components

  • SecurityContextHolder, to provide access to the SecurityContext.
  • SecurityContext, to hold the Authentication and possibly request-specific security information.
  • Authentication, to represent the principal in a Spring Security-specific manner.
  • GrantedAuthority, to reflect the application-wide permissions granted to a principal.
  • UserDetails, to provide the necessary information to build an Authentication object from your application’s DAOs or other sources of security data.
  • UserDetailsService, to create a UserDetails when passed in a String-based username (or certificate ID or the like).

Conclusion

In this post, we have seen some of the basic parts of Spring Security:

  • What happens when you start your Spring app with Spring Security.
  • How Spring Security protects your application if you make mistakes.
  • The step-by-step Spring Security workflow.
  • A step-by-step code walkthrough of the default Spring Security implementation.

Credits

Please give me feedback if I missed something :)
