Spring Security

, ,

Note: Small discussion on the spring security filter chain.

Spring Security is the most used framework to secure spring-based applications. It integrates authentication and authorization in your spring-based application to access resources. Unlike authentication and authorization, Spring security protects from common attacks like CSRF, session-management issues, etc.

Web application security is the most prominent part of any web application platform whether it’s a small or big platform like Facebook, Twitter, a banking site, a stock-exchange platform, etc. If your data is compromised, data means your pictures, signature, banking details, etc., your identity can also be stolen. So, security must be the utmost priority. OWASP is the standard platform to let you know about web-app-based security.

Flow of HTTP Request:

  • Clients like web apps, mobile apps, etc send HTTP requests to backend server apps (Spring-Boot) to acquire resources like fetching pictures or logging into the banking app.
  • After receiving the HTTP request, Spring-Boot forwards the request to the dispatcher servlet and the Dispatcher servlet further forwards it to the controller as per the URI. An application can have multiple controllers like a user profile, payment, search query, etc. It’s a Dispatcher servlet job to determine which controller handles the request.

In between, another component comes into the picture and we call it a filter. Internally whether called Spring-Boot or Spring framework, it’s built on servlet. Filters are also called servlet filters. Every HTTP request goes to Spring-boot (server) whichever the resource wants to acquire, first, they have to deal with filters. In the context of Spring security, it’s called spring security filter chain.

Spring Security HTTP request flow:

  • The client sends HTTP requests to the backend server app to acquire resources like fetching pictures or logging into the app and it’s handled by the Dispatcher servlet. Now the request passes through the Spring Security filter chain.
  • The Dispatcher servlet passed the request to the SecurityContextPersistenceFilter, the first critical filter in the filter chain. Using this filter, we get an object of type Security Context. The SecurityContext object holds information about authenticated users. SecurityContext is an interface which itself has a different story to tell.
  • The next two filters are HeaderWriterFilter which adds multiple headers X-Frame-Options, X-Content-Type-Options, Cache-Control etc. CsrfFilter is used to check the CSRF token. These are some web-based mitigations to prevent common attacks.
  • Now the request passes to the Authentication filter. The filter name itself suggests that it is used to authenticate the user. Use the below code, to get information:

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();

    If the user is already authenticated, we get an authentication object with information such as username (principal), password, authorities, etc. If the user is not authenticated then we use the AuthenticationManager to authenticate the user and set the auth object in the security context. 

Add the following to the application.properties (config) file, run your application and hit the following URL http://localhost:8080/home

 logging.level.org.springframework.security.web.FilterChainProxy=DEBUG 
/home at position 1 of 15 in additional filter chain; firing Filter:
                                     'WebAsyncManagerIntegrationFilter'
/home at position 2 of 15 in additional filter chain; firing Filter:
                                     'SecurityContextPersistenceFilter'
/home at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
                                                   
/home at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'                                                         

/home at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
                                                         
/home at position 6 of 15 in additional filter chain; firing Filter:
                                 'UsernamePasswordAuthenticationFilter'
/home at position 7 of 15 in additional filter chain; firing Filter:
                                     'DefaultLoginPageGeneratingFilter'
/home at position 8 of 15 in additional filter chain; firing Filter:
                                    'DefaultLogoutPageGeneratingFilter'
/home at position 9 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
                                            
/home at position 10 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
                                              
/home at position 11 of 15 in additional filter chain; firing Filter:
                              'SecurityContextHolderAwareRequestFilter'

/home at position 12 of 15 in additional filter chain; firing Filter:
                                        'AnonymousAuthenticationFilter'
/home at position 13 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
                                              
/home at position 14 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
                                           
/home at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'

These filters are automatically configured by Spring security and executed on each incoming Request.

Note: Part-2 on AuthenticationManager.

Leave a Reply

Your email address will not be published. Required fields are marked *