Scribd Logo
Upload

Welcome to Scribd!

  • Architecture Deep Dive in Spring Security: Joe Grandja @joe - Grandja

    Uploaded by

    was reuy
    24 views23 pages
    Spring Security provides authentication, authorization, and exception handling. Authentication verifies users through username and password. Authorization uses roles to control access permissions. When access is denied or authentication is required, exception handlers trigger the appropriate response like starting the login process.

    Original Description:

    Original Title

    SpringIO-Barcelona2017-JoeGrandja

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Spring Security provides authentication, authorization, and exception handling. Authentication verifies users through username and password. Authorization uses roles to control access permissions. When access is denied or authentication is required, exception handlers trigger the appropriate response like starting the login process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    24 views23 pages

    Architecture Deep Dive in Spring Security: Joe Grandja @joe - Grandja

    Uploaded by

    was reuy
    Spring Security provides authentication, authorization, and exception handling. Authentication verifies users through username and password. Authorization uses roles to control access permissions. When access is denied or authentication is required, exception handlers trigger the appropriate response like starting the login process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 23

    Architecture Deep Dive

    in
    Spring Security

    Joe Grandja
    @joe_grandja
    github.com/jgrandja
    3 Key Areas in Security

    • Authentication

    • Authorization

    • Exception Handling

    @spring_io
    #springio17
    User Database

    Username Password Authorities

    joe@example.com password ROLE_USER

    rob@example.com password ROLE_USER

    admin@example.com password ROLE_USER, ROLE_ADMIN

    @spring_io
    #springio17
    DEMO

    @spring_io
    #springio17
    AUTHENTICATION

    AUTHORIZATION

    EXCEPTION HANDLING

    @spring_io
    #springio17
    Authentication Filter

    @spring_io
    #springio17
    Authentication
    Authentication
    Principal: joe@example.com
    Credentials: password
    Authorities: ——
    Authenticated: FALSE

    Authentication
    Principal: UserDetails
    Credentials: ——
    Authorities: ROLE_USER
    Authenticated: TRUE

    public interface Authentication extends Principal, Serializable {




    Object getPrincipal();


    Object getCredentials();


    Collection<? extends GrantedAuthority> getAuthorities();


    . . .

    }

    @spring_io
    #springio17
    UserDetails / Service
    public interface UserDetailsService {


    UserDetails loadUserByUsername(String username) 

    throws UsernameNotFoundException;


    }

    Authentication public interface UserDetails extends Serializable {



    Principal: UserDetails 

    Credentials: —— String getUsername();


    Authorities: ROLE_USER
    String getPassword();

    Authenticated: TRUE 

    Collection<? extends GrantedAuthority> getAuthorities();


    . . .

    }

    @spring_io
    #springio17
    Security Context

    public interface SecurityContext extends Serializable {




    Authentication getAuthentication();


    void setAuthentication(Authentication authentication);


    }

    SecurityContextHolder.getContext().setAuthentication(authenticated);

    @spring_io
    #springio17
    Authentication Recap

    • Authentication Filter creates an “Authentication Request" and


    passes it to the Authentication Manager

    • Authentication Manager delegates to the Authentication


    Provider

    • Authentication Provider uses a UserDetailsService to load the


    UserDetails and returns an “Authenticated Principal”

    • Authentication Filter sets the Authentication in the


    SecurityContext

    @spring_io
    #springio17
    AUTHENTICATION

    AUTHORIZATION

    EXCEPTION HANDLING

    @spring_io
    #springio17
    Filter Security Interceptor
    Authentication
    Principal: UserDetails
    Credentials: ——
    Authorities: ROLE_USER
    Authenticated: TRUE

    Request URI: /messages/inbox

    Security Metadata

    Request Pattern: /messages/**


    Config Attributes: ROLE_USER

    @spring_io
    #springio17
    Access Decision
    Authentication
    Principal: UserDetails
    Credentials: ——
    Authorities: ROLE_USER
    Authenticated: TRUE

    Security Metadata

    Request Pattern: /messages/**


    Config Attributes: ROLE_USER

    Request URI: /messages/inbox

    @spring_io
    #springio17
    Authorization Recap

    • FilterSecurityInterceptor obtains the “Security


    Metadata” by matching on the current request

    • FilterSecurityInterceptor gets the current Authentication

    • The Authentication, Security Metadata and Request is


    passed to the AccessDecisionManager

    • The AccessDecisionManager delegates to it's


    AccessDecisionVoter(s) for decisioning

    @spring_io
    #springio17
    AUTHENTICATION

    AUTHORIZATION

    EXCEPTION HANDLING

    @spring_io
    #springio17
    Access Denied
    Authentication
    Principal: UserDetails
    Credentials: ——
    Authorities: ROLE_USER
    Authenticated: TRUE

    Request URI: /admin/messages

    Security Metadata

    Request Pattern: /admin/**


    Config Attributes: ROLE_ADMIN

    @spring_io
    #springio17
    Access Denied Handler

    public interface AccessDeniedHandler {


    void handle(HttpServletRequest request, HttpServletResponse response,



    AccessDeniedException accessDeniedException) throws IOException, ServletException;


    @spring_io
    #springio17
    “Unauthenticated”
    Authentication

    Principal: anonymousUser

    Request URI: /messages/inbox

    Security Metadata

    Request Pattern: /messsages/**


    Config Attributes: ROLE_USER

    @spring_io
    #springio17
    Start Authentication

    WWW-Authenticate: Basic realm=spring

    public interface AuthenticationEntryPoint {




    void commence(HttpServletRequest request, HttpServletResponse response, 

    AuthenticationException authException) throws IOException, ServletException;


    }

    @spring_io
    #springio17
    Exception Handling Recap

    • When "Access Denied" for current Authentication, the


    ExceptionTranslationFilter delegates to the
    AccessDeniedHandler, which by default, returns a 403
    Status.

    • When current Authentication is "Anonymous", the


    ExceptionTranslationFilter delegates to the
    AuthenticationEntryPoint to start the Authentication
    process.

    @spring_io
    #springio17
    Summary

    Authentication

    Authorization

    Exception Handling

    @spring_io
    #springio17
    Spring Security Filter Chain

    @spring_io
    #springio17
    Q&A

    github.com/jgrandja/messaging-sample

    @spring_io
    #springio17

    You might also like