Spring Security Filter

Spring Security is a framework that provides key security mechanisms: authentication, authorization, and protection of the application against attacks. Spring Security 5.3.2 requires a Java 8 or higher runtime environment. There is no need to configure a special Java Authentication and Authorization Service (JAAS) policy file or to place Spring Security in common classpath locations. All required files are contained within your application.

Filter in Spring Security

Spring Security's Servlet support is based on Servlet Filters. A client sends a request to the application, and the container creates a FilterChain. The FilterChain contains the Filters and the Servlet that should process the HttpServletRequest, based on the path of the request URI.

A single HttpServletRequest and HttpServletResponse are handled by one Servlet. More than one Filter, however, can act on them: a Filter can prevent downstream Filters or the Servlet from being invoked, and it can also modify the HttpServletRequest or HttpServletResponse used by the downstream Filters and the Servlet.

DelegatingFilterProxy 

Spring provides a Filter implementation named DelegatingFilterProxy that allows bridging between the servlet container's lifecycle and Spring's ApplicationContext. The DelegatingFilterProxy is a servlet filter that allows passing control to Filter classes that have access to the Spring application context.

The Javadoc says: "Proxy for a standard Servlet Filter, delegating to a Spring-managed bean that implements the Filter interface". When using servlet filters, we need to declare them as filter classes in the Java config. Spring's DelegatingFilterProxy provides the link between the Java config and the application context.

DelegatingFilterProxy is a class in the Spring Web module. It makes HTTP calls pass through filters before they reach their actual destination. With the help of DelegatingFilterProxy, a class implementing the javax.servlet.Filter interface can be wired into the filter chain.

Spring Security makes extensive use of DelegatingFilterProxy to secure web API calls and resources against unauthorized access.

FilterChainProxy

Spring Security's Servlet support is contained within FilterChainProxy. FilterChainProxy is a special Filter provided by Spring Security that allows delegating to many Filter instances through SecurityFilterChain. Because FilterChainProxy is a Bean, it is typically wrapped in a DelegatingFilterProxy.

SecurityFilterChain

SecurityFilterChain is used by FilterChainProxy to determine which Spring Security Filters should be invoked for this request. The Security Filters in SecurityFilterChain are typically Beans, but they are registered with the FilterChainProxy instead of DelegatingFilterProxy.

Security Filter

Security Filters are inserted into the FilterChainProxy with the SecurityFilterChain API. Below is a comprehensive list of the Spring Security Filter ordering (Spring Security 5.3.2).


  • ChannelProcessingFilter
  • ConcurrentSessionFilter
  • WebAsyncManagerIntegrationFilter
  • SecurityContextPersistenceFilter
  • HeaderWriterFilter
  • CorsFilter
  • CsrfFilter
  • LogoutFilter
  • OAuth2AuthorizationRequestRedirectFilter
  • Saml2WebSsoAuthenticationRequestFilter
  • X509AuthenticationFilter
  • AbstractPreAuthenticatedProcessingFilter
  • CasAuthenticationFilter
  • OAuth2LoginAuthenticationFilter
  • Saml2WebSsoAuthenticationFilter
  • UsernamePasswordAuthenticationFilter
  • ConcurrentSessionFilter
  • OpenIDAuthenticationFilter
  • DefaultLoginPageGeneratingFilter
  • DefaultLogoutPageGeneratingFilter
  • DigestAuthenticationFilter
  • BearerTokenAuthenticationFilter
  • BasicAuthenticationFilter
  • RequestCacheAwareFilter
  • SecurityContextHolderAwareRequestFilter
  • JaasApiIntegrationFilter
  • RememberMeAuthenticationFilter
  • AnonymousAuthenticationFilter
  • OAuth2AuthorizationCodeGrantFilter
  • SessionManagementFilter
  • ExceptionTranslationFilter
  • FilterSecurityInterceptor
  • SwitchUserFilter
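
The ordering above decides what a custom filter can see. The following is an added example, not code from the original post, written for Spring Security 5.3.x Java config: it places a filter right after BasicAuthenticationFilter and prints the effective filter order of each SecurityFilterChain at startup. ApiSecurityConfig and AuditFilter are hypothetical names; "springSecurityFilterChain" is the framework's default bean name for the FilterChainProxy.

```java
// Added example (not from the original post). Spring Security 5.3.x, javax.servlet stack.
// ApiSecurityConfig and AuditFilter are hypothetical names used for illustration.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.context.event.EventListener;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    // Runs after BasicAuthenticationFilter, so credentials are already checked, but
    // before AnonymousAuthenticationFilter, so null means no identity was established.
    static class AuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String user = auth == null ? "-" : auth.getName().replaceAll("[\\r\\n]", "_");
            logger.info(req.getMethod() + " user=" + user);
            chain.doFilter(req, res); // without this call nothing downstream is invoked
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().httpBasic()
            .and().addFilterAfter(new AuditFilter(), BasicAuthenticationFilter.class);
    }

    // At startup, print the filters of each SecurityFilterChain in invocation order.
    @EventListener
    public void logChains(ContextRefreshedEvent event) {
        Filter proxy = event.getApplicationContext().getBean("springSecurityFilterChain", Filter.class);
        if (!(proxy instanceof FilterChainProxy)) return; // e.g. debug = true wraps the proxy
        for (SecurityFilterChain chain : ((FilterChainProxy) proxy).getFilterChains()) {
            for (Filter f : chain.getFilters()) System.out.println(f.getClass().getSimpleName());
        }
    }
}
```

Comparing the printed order with the list above shows which of the standard filters are active for a given configuration and where the custom filter landed.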


