Understanding Spring Security filters

In any security implementation, we use filters to ensure that requests are authenticated and authorized before being executed.

Spring Security uses a chain of filters to check for authentication and authorization before a request is authorized for execution.

Before Spring Boot, to enable Spring Security on a web project we had to declare the filter chain in web.xml. With Spring Boot, this filter chain is auto-configured, so we do not need to do it manually.

The web.xml configuration was as follows:

<!-- DelegatingFilterProxy hands every request to the Spring bean named springSecurityFilterChain -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The following diagram shows how the Spring Security Filter Chain sits before all requests:

The Spring Security Filter Chain checks authentication and authorization on every request. If a request does not carry valid credentials, or lacks the required authorization, it is rejected and an error response is returned.

Here are some of the important filters that are executed in the filter chain:

  • UsernamePasswordAuthenticationFilter: Performs authentication using the user credentials. Executed when the request is a POST carrying a username and password.
  • BasicAuthenticationFilter: Performs HTTP Basic authentication. Executed when the request carries a Basic authentication Authorization header.
  • AnonymousAuthenticationFilter: If the request carries no authentication credentials, this filter creates an anonymous user. Typically, anonymous users are allowed to execute requests against a public API—an API that does not require authentication.
  • ExceptionTranslationFilter: Provides no additional security of its own; it translates authentication and access-denied exceptions into a suitable HTTP response.
  • FilterSecurityInterceptor: Responsible for authorization decisions.

Here are some of the filters that provide auxiliary Spring Security features:

  • HeaderWriterFilter: Writes security headers to the response—X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options.
  • CsrfFilter: Enforces Cross-Site Request Forgery (CSRF) protection.
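The following configuration is an added example, not code from the book: it wires the filters listed above in a Spring Boot application and inserts a small audit filter at a chosen position in the chain, so the effect of filter ordering becomes visible. It assumes Spring Boot 3 with Spring Security 6 (where `authorizeHttpRequests` installs `AuthorizationFilter`, the successor of the `FilterSecurityInterceptor` described above) and a user store configured elsewhere, such as an `InMemoryUserDetailsManager` bean. The class names `FilterChainConfig` and `AuthAuditFilter` are invented for this example; the bean name `springSecurityFilterChain` is the one the web.xml snippet refers to.

```java
// Added example (not from the book). Assumes Spring Boot 3 / Spring Security 6
// and a UserDetailsService bean defined elsewhere in the application.
import java.io.IOException;
import java.util.logging.Logger;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class FilterChainConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Authorization rules, enforced at the end of the chain by AuthorizationFilter
            // (Spring Security 6's replacement for FilterSecurityInterceptor): the anonymous
            // user created by AnonymousAuthenticationFilter may reach /public/**, nothing else.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // Enables BasicAuthenticationFilter for requests with an Authorization: Basic header.
            .httpBasic(Customizer.withDefaults())
            // HeaderWriterFilter: tighten X-Frame-Options from the default SAMEORIGIN to DENY.
            .headers(headers -> headers.frameOptions(frame -> frame.deny()))
            // CsrfFilter stays enabled by default; nothing to configure here.
            // Place the audit filter directly after BasicAuthenticationFilter, so the
            // SecurityContext already holds the Basic-auth principal when it runs.
            .addFilterAfter(new AuthAuditFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }

    /** Prints the effective filter order at startup so the chain can be reviewed. */
    @Bean
    ApplicationRunner printFilterOrder(@Qualifier("springSecurityFilterChain") Filter filter) {
        return args -> {
            if (filter instanceof FilterChainProxy proxy) {
                for (SecurityFilterChain chain : proxy.getFilterChains()) {
                    chain.getFilters().forEach(f -> System.out.println(f.getClass().getSimpleName()));
                }
            }
        };
    }

    /** Hypothetical audit filter: records who reached this point in the chain, once per request. */
    static class AuthAuditFilter extends OncePerRequestFilter {
        private static final Logger LOG = Logger.getLogger(AuthAuditFilter.class.getName());

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // This filter runs before AnonymousAuthenticationFilter, so an unauthenticated
            // request sees null here; the instanceof check covers a later repositioning.
            String principal = (auth == null || auth instanceof AnonymousAuthenticationToken)
                ? "anonymous" : auth.getName();
            LOG.info(() -> request.getMethod() + " " + request.getRequestURI() + " by " + principal);
            chain.doFilter(request, response);
        }
    }
}
```

Moving the `addFilterAfter` anchor to `AnonymousAuthenticationFilter.class` changes what the audit filter observes for unauthenticated requests (an `AnonymousAuthenticationToken` instead of `null`) without changing any authorization outcome, which is a direct way to see that position in the chain, not just membership, determines what a filter can rely on.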