发表新帖
发表新帖

How Spring Security Filter Chain works

后端 未结
关注
3 1874
不要未来只要你来
不要未来只要你来 2020-11-27 08:34

I realize that Spring security build on chain of filters, which will intercept the request, detect (absence of) authentication, redirect to authentication entry point or pas

3条回答
  • 天涯浪人
    天涯浪人 (楼主)
    2020-11-27 09:14

    Spring security is a filter based framework, it plants a WALL(HttpFireWall) before your application in terms of proxy filters or spring managed beans. Your request has to pass through multiple filters to reach your API.

    Sequence of execution in Spring Security

    1. WebAsyncManagerIntegrationFilter Provides integration between the SecurityContext and Spring Web's WebAsyncManager.

    2. SecurityContextPersistenceFilter This filter will only execute once per request, Populates the SecurityContextHolder with information obtained from the configured SecurityContextRepository prior to the request and stores it back in the repository once the request has completed and clearing the context holder.
      Request is checked for existing session. If new request, SecurityContext will be created else if request has session then existing security-context will be obtained from respository.

    3. HeaderWriterFilter Filter implementation to add headers to the current response.

    4. LogoutFilter If request url is /logout(for default configuration) or if request url mathces RequestMatcher configured in LogoutConfigurer then

      • clears security context.
      • invalidates the session
      • deletes all the cookies with cookie names configured in LogoutConfigurer
      • Redirects to default logout success url / or logout success url configured or invokes logoutSuccessHandler configured.

    5. UsernamePasswordAuthenticationFilter

      • For any request url other than loginProcessingUrl this filter will not process further but filter chain just continues.
      • If requested URL is matches(must be HTTP POST) default /login or matches .loginProcessingUrl() configured in FormLoginConfigurer then UsernamePasswordAuthenticationFilter attempts authentication.
      • default login form parameters are username and password, can be overridden by usernameParameter(String), passwordParameter(String).
      • setting .loginPage() overrides defaults
      • While attempting authentication
        • an Authentication object(UsernamePasswordAuthenticationToken or any implementation of Authentication in case of your custom auth filter) is created.
        • and authenticationManager.authenticate(authToken) will be invoked
        • Note that we can configure any number of AuthenticationProvider authenticate method tries all auth providers and checks any of the auth provider supports authToken/authentication object, supporting auth provider will be used for authenticating. and returns Authentication object in case of successful authentication else throws AuthenticationException.
      • If authentication success session will be created and authenticationSuccessHandler will be invoked which redirects to the target url configured(default is /)
      • If authentication failed user becomes un-authenticated user and chain continues.

    6. SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container

    7. AnonymousAuthenticationFilter Detects if there is no Authentication object in the SecurityContextHolder, if no authentication object found, creates Authentication object (AnonymousAuthenticationToken) with granted authority ROLE_ANONYMOUS. Here AnonymousAuthenticationToken facilitates identifying un-authenticated users subsequent requests.

    Debug logs 
    DEBUG - /app/admin/app-config at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@aeef7b36: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'

    1. ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched

    2. FilterSecurityInterceptor
      There will be FilterSecurityInterceptor which comes almost last in the filter chain which gets Authentication object from SecurityContext and gets granted authorities list(roles granted) and it will make a decision whether to allow this request to reach the requested resource or not, decision is made by matching with the allowed AntMatchers configured in HttpSecurityConfiguration.

    Consider the exceptions 401-UnAuthorized and 403-Forbidden. These decisions will be done at the last in the filter chain

    • Un authenticated user trying to access public resource - Allowed
    • Un authenticated user trying to access secured resource - 401-UnAuthorized
    • Authenticated user trying to access restricted resource(restricted for his role) - 403-Forbidden

    Note: User Request flows not only in above mentioned filters, but there are others filters too not shown here.(ConcurrentSessionFilter,RequestCacheAwareFilter,SessionManagementFilter ...)
    It will be different when you use your custom auth filter instead of UsernamePasswordAuthenticationFilter.
    It will be different if you configure JWT auth filter and omit .formLogin() i.e, UsernamePasswordAuthenticationFilter it will become entirely different case.

    Just For reference. Filters in spring-web and spring-security
    Note: refer package name in pic, as there are some other filters from orm and my custom implemented filter.

    From Documentation ordering of filters is given as

    • ChannelProcessingFilter
    • ConcurrentSessionFilter
    • SecurityContextPersistenceFilter
    • LogoutFilter
    • X509AuthenticationFilter
    • AbstractPreAuthenticatedProcessingFilter
    • CasAuthenticationFilter
    • UsernamePasswordAuthenticationFilter
    • ConcurrentSessionFilter
    • OpenIDAuthenticationFilter
    • DefaultLoginPageGeneratingFilter
    • DefaultLogoutPageGeneratingFilter
    • ConcurrentSessionFilter
    • DigestAuthenticationFilter
    • BearerTokenAuthenticationFilter
    • BasicAuthenticationFilter
    • RequestCacheAwareFilter
    • SecurityContextHolderAwareRequestFilter
    • JaasApiIntegrationFilter
    • RememberMeAuthenticationFilter
    • AnonymousAuthenticationFilter
    • SessionManagementFilter
    • ExceptionTranslationFilter
    • FilterSecurityInterceptor
    • SwitchUserFilter

    You can also refer
    most common way to authenticate a modern web app?
    difference between authentication and authorization in context of Spring Security?

    0 讨论(0)
 看不清?
提交回复
热议问题