This post is not written for the purpose of delivering precise information.

I'm trying to picture Spring Security's authorization flow,
so some of the metaphors might not fit the original usage.
Just enjoy a short story about authorization in Spring Security.

 

KimCoding's first day at 'FANCY'

 

KimCoding was a newbie at the 'FANCY' fitness center. He had heard a lot about the center and wanted to make sure he got the most out of his membership. He walked in, and the Security Filter Chain greeted him. It was the first line of defense against any unauthorized access to the fitness center.

Before KimCoding could go anywhere, an authentication filter at the front desk asked him for his credentials: his name, date of birth, and address. Only after that did the AuthorizationFilter look at his Collection of GrantedAuthority, the membership record that listed his membership level and which of the fitness center's facilities he was allowed to use.

After completing the authentication process, KimCoding was granted access to the fitness center. The Security Context was updated with his information, and the SecurityContextHolder kept track of his authentication status throughout his visit.

While KimCoding was working out, he noticed the AuthorizationManager, who was monitoring access to the different areas of the fitness center. The RequestMatcherDelegatingAuthorizationManager was also there, checking each door KimCoding approached against an ordered list of rules and making sure he only entered areas whose rule matched his granted authorities.

As he was finishing up his workout, KimCoding accidentally wandered into a restricted area. He was immediately stopped: the AuthorizationFilter raised an AccessDeniedException, which is how the center makes sure that only authorized members reach certain areas.

KimCoding quickly apologized and was redirected to an open area where he could continue his workout. As he left the fitness center, he realized just how important the security measures were in ensuring the safety and privacy of all members.

 

That's the story of "KimCoding visits a fancy fitness center", LOL.
All the important characters are described here again.

  • KimCoding: A fitness center member; actually just an HTTP request, together with the Authentication it carries.
  • Security Filter Chain: A series of security filters that protect the fitness center's resources.
  • AuthorizationFilter: The security filter that controls access to a specific area. It asks the AuthorizationManager for a decision and throws AccessDeniedException when the answer is no.
  • Authentication: The process that verifies KimCoding's identity (who he is). Its result, the Authentication object, carries the authorities that authorization later relies on.
  • Security Context: A secure storage for the user's authentication and authorization information.
  • AuthorizationManager: A manager that decides whether a user is authorized to access a resource.
  • RequestMatcherDelegatingAuthorizationManager: A specific implementation of AuthorizationManager. It tries its RequestMatcher rules in order and delegates the decision to the AuthorizationManager registered for the first rule that matches the request.
  • AccessDeniedException: An exception that is thrown when a user is denied access to a resource.
  • RequestMatcher: An interface that decides whether a given request matches a rule (for example a URL pattern or HTTP method). It selects which authorization rule applies; it does not make the authorization decision itself.
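The gym story, written as real configuration. This is an added example, not code from the original post: it assumes Spring Boot 3 / Spring Security 6 with Spring MVC on the classpath, and every path, member name and the OwnLockerAuthorizationManager class are invented for illustration. It shows the pieces from the character list working together: authorizeHttpRequests() builds the RequestMatcherDelegatingAuthorizationManager that the AuthorizationFilter consults, each requestMatchers() line is a RequestMatcher rule, and the custom AuthorizationManager returns the decision that becomes an AccessDeniedException when it is false.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.function.Supplier;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

// Hypothetical configuration for the 'FANCY' fitness center from the story.
@Configuration
@EnableWebSecurity
public class FancySecurityConfig {

    // authorizeHttpRequests() produces the RequestMatcherDelegatingAuthorizationManager used by
    // the AuthorizationFilter. Rules are tried top to bottom and the FIRST matching RequestMatcher
    // wins, so list the most specific paths first and finish with anyRequest().
    @Bean
    SecurityFilterChain fancyFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/lobby/**", "/login").permitAll()       // anyone may enter
                .requestMatchers("/pool/**").hasRole("PREMIUM")          // needs ROLE_PREMIUM
                .requestMatchers("/locker/{memberId}/**")
                    .access(new OwnLockerAuthorizationManager())         // custom decision
                .anyRequest().authenticated())                           // everything else: log in first
            .formLogin(withDefaults())
            // Where an authenticated member lands after the AuthorizationFilter's
            // AccessDeniedException (an anonymous request is sent to the login page instead).
            .exceptionHandling(ex -> ex.accessDeniedPage("/lobby/denied"));
        return http.build();
    }

    // Two demo members. "{noop}" tells the default DelegatingPasswordEncoder the password is
    // stored in clear text: acceptable for a demo, never for production.
    @Bean
    UserDetailsService members() {
        return new InMemoryUserDetailsManager(
            User.withUsername("kimcoding").password("{noop}demo-pw").roles("MEMBER").build(),
            User.withUsername("alice").password("{noop}demo-pw").roles("MEMBER", "PREMIUM").build());
    }

    // A member may open only the locker whose {memberId} path segment equals their own username.
    // check() receives the Authentication lazily (Supplier) and a RequestAuthorizationContext that
    // exposes the path variables bound by the RequestMatcher that selected this rule.
    static class OwnLockerAuthorizationManager
            implements AuthorizationManager<RequestAuthorizationContext> {

        private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

        @Override
        public AuthorizationDecision check(Supplier<Authentication> authentication,
                                           RequestAuthorizationContext context) {
            Authentication auth = authentication.get();
            // Caveat: the anonymous token reports isAuthenticated() == true, so checking that flag
            // alone is not enough; ask the trust resolver whether this is a real login.
            if (auth == null || trustResolver.isAnonymous(auth)) {
                return new AuthorizationDecision(false);
            }
            String requestedLocker = context.getVariables().get("memberId");
            boolean isOwner = auth.getName().equals(requestedLocker);
            return new AuthorizationDecision(isOwner);   // false -> AccessDeniedException
        }
    }
}
```

With this in place, GET /locker/kimcoding/1 succeeds for kimcoding and is denied for alice, GET /pool/lanes is denied for kimcoding (no ROLE_PREMIUM) and allowed for alice, and an unauthenticated GET /pool/lanes is redirected to the login form rather than to the denied page.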

 

This is the real Spring Security authorization flow

I just want you to grasp the whole idea of authorization in this post.

This post is not written for the purpose of delivering precise information.

I describe some important components of Spring Security with only a little detail,
because I'd like to focus on grasping the whole idea of Spring Security.

If you are curious about the following contents and want more details:

2023.03.16 - [Spring security] - #2. Understanding about Authentication component of Spring Security

A famous restaurant called "Spring Security Restaurant"

Imagine we are in a restaurant and you want to place an order. This request is similar to a client making a request to a Spring Security application. The restaurant has a security system in place to ensure that only authorized personnel can access certain areas and handle sensitive information such as payment details. Similarly, Spring Security has a set of components that work together to handle authentication and access control.

 

The first security component in the restaurant is the UsernamePasswordAuthenticationFilter, which is like the hostess at the front of the restaurant who greets you and takes your order. This filter intercepts the client's login request (by default a POST to /login) and extracts the username and password from the submitted form fields. It then wraps them in an unauthenticated UsernamePasswordAuthenticationToken.

 

Behind the hostess stands AbstractAuthenticationProcessingFilter, the superclass of UsernamePasswordAuthenticationFilter. It is like the server who carries your order to the kitchen: its doFilter() first checks whether the request is an authentication request at all, then calls attemptAuthentication() (implemented by the subclass) and hands the resulting token to the AuthenticationManager. On success it stores the result in the SecurityContext; on failure it clears the context and invokes the failure handler.

 

The AuthenticationManager (in practice the ProviderManager) is like the head chef in the kitchen who prepares the food according to your order. This manager delegates the authentication request to the first AuthenticationProvider whose supports() method accepts the token's class. Each AuthenticationProvider is like a specialized chef who is responsible for preparing a particular type of dish; similarly, each AuthenticationProvider is responsible for authenticating a specific type of token.

 

The AuthenticationProvider is like a recipe book that provides the instructions on how to cook a particular dish. In the same way, the AuthenticationProvider has a set of rules and logic to authenticate a particular type of token. To authenticate the user, the AuthenticationProvider needs the stored user record (the password hash and the granted authorities) to compare the submitted credentials against. That record is provided by the UserDetailsService, which is like the pantry of ingredients the chef needs to cook a particular dish.

 

Finally, once the user is authenticated, a new, fully populated Authentication object is created, which is like the dish that is ready to be served to the customer. This Authentication object contains information about the authenticated user, such as the principal and the authorities (the password has been erased by then). The SecurityContext and SecurityContextHolder are like the table where the dish is served and the waiter who brings the dish to your table, respectively. The SecurityContext holds the Authentication object, and the SecurityContextHolder provides a way to access the SecurityContext from anywhere in the current request.

 

So, in summary, Spring Security is like a restaurant where each component plays a specific role in ensuring the security of the application. Just like how a restaurant ensures that only authorized personnel can access sensitive information and handle payment details, Spring Security provides a set of components that work together to handle authentication and access control.

Hey there! In this post we're going to dive into the Authentication component and explore some of the keywords that we came across in our previous post. So if you're curious and want to know more about how these components work, then you're in the right place!

 

Let's get started!

 

1. UsernamePasswordAuthenticationFilter

  • Typically processes authentication through an HTML form submission (by default a POST to /login)
  • UsernamePasswordAuthenticationFilter builds an unauthenticated UsernamePasswordAuthenticationToken from the submitted username and password parameters and passes it to the AuthenticationManager to be checked
  • This class inherits from "AbstractAuthenticationProcessingFilter"
  • It does not contain the "doFilter()" method; it only overrides "attemptAuthentication()" (sorry :)

2. AbstractAuthenticationProcessingFilter

  • AbstractAuthenticationProcessingFilter actually contains "doFilter()"
  • It serves as the superclass of UsernamePasswordAuthenticationFilter
  • It handles HTTP-based authentication requests, i.e. those whose URL and method match its RequestMatcher; every other request passes straight through
  • It delegates the actual authentication attempt to its subclasses (#1) via attemptAuthentication(), then routes the outcome to the success handler (storing the result in the SecurityContext) or the failure handler
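A sibling of the "hostess" from the restaurant story, and of items #1 and #2 above: a login filter that reads JSON instead of form fields. This is an added example, not code from the original post or from Spring Security itself; it assumes Spring Security 6 with Jackson on the classpath, and the class name JsonLoginFilter, the /api/login path and the request body shape are invented for illustration. The point it demonstrates is that the subclass only implements attemptAuthentication(): AbstractAuthenticationProcessingFilter.doFilter() owns the rest of the flow.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical JSON login filter. Like UsernamePasswordAuthenticationFilter, it leaves doFilter()
// to the superclass and only decides how to turn a request into an authentication request.
public class JsonLoginFilter extends AbstractAuthenticationProcessingFilter {

    // The RequestMatcher that makes a request "require authentication": only POST /api/login.
    private static final AntPathRequestMatcher LOGIN_REQUEST =
            new AntPathRequestMatcher("/api/login", "POST");

    private final ObjectMapper mapper = new ObjectMapper();

    // Expected request body: {"username": "...", "password": "..."}
    public record LoginRequest(String username, String password) { }

    public JsonLoginFilter(AuthenticationManager authenticationManager) {
        super(LOGIN_REQUEST, authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response)
            throws AuthenticationException, IOException {
        // Refuse anything that is not JSON instead of guessing at the body. Throwing an
        // AuthenticationException here is what routes the request to the failure handler.
        String contentType = request.getContentType();
        if (contentType == null
                || !contentType.toLowerCase().startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            throw new AuthenticationServiceException("Login body must be application/json");
        }

        LoginRequest body;
        try {
            body = mapper.readValue(request.getInputStream(), LoginRequest.class);
        } catch (IOException e) {
            throw new AuthenticationServiceException("Malformed login body", e);
        }
        if (body == null || body.username() == null || body.password() == null) {
            throw new AuthenticationServiceException("username and password are required");
        }

        // Unauthenticated token: principal is the username String, credentials the raw password.
        UsernamePasswordAuthenticationToken token =
                UsernamePasswordAuthenticationToken.unauthenticated(body.username().trim(),
                                                                    body.password());

        // Delegate to the AuthenticationManager (ProviderManager). It returns an authenticated
        // token or throws; the superclass turns either outcome into successfulAuthentication()
        // or unsuccessfulAuthentication().
        return getAuthenticationManager().authenticate(token);
    }
}
```

To put it in the chain, register it where the form filter would sit: http.addFilterAt(new JsonLoginFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class). In Spring Security 6 a hand-built processing filter defaults to a request-scoped SecurityContextRepository, so if the login should survive to the next request, also call setSecurityContextRepository(new HttpSessionSecurityContextRepository()) on the filter.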

3. UsernamePasswordAuthenticationToken

  • It is the token used for performing authentication with a username/password in Spring Security.
  • Before authentication it holds the submitted username as the principal and the password as the credentials, with isAuthenticated() == false. After successful authentication the provider returns a new, authenticated instance whose principal is the loaded UserDetails and which carries the granted authorities.
  • That authenticated token is what gets stored in the SecurityContext, typed as Authentication.
  • It is an extension class that inherits the AbstractAuthenticationToken abstract class

4. Authentication

  • An interface in Spring Security that represents the authentication itself: first the authentication request, then the authenticated principal
  • It is implemented by UsernamePasswordAuthenticationToken (#3)
  • Whenever a token is returned from the AuthenticationManager or stored in the SecurityContext, it is handled in the form of Authentication
  • A class implementing the Authentication interface carries the following three pieces of information.
  • 1. Principal
    • The information that identifies the user
    • In username/password-based authentication the principal is the plain username String before authentication; after DaoAuthenticationProvider succeeds, it is the UserDetails object loaded from the UserDetailsService
  • 2. Credentials
    • Credentials are the password (or other secret) that proves the user's identity.
    • ProviderManager erases this password (eraseCredentials()) once authentication is completed, so the secret does not linger in the session
  • 3. Authorities
    • The list of the user's access privileges (GrantedAuthority), copied from the UserDetails by the AuthenticationProvider.

5. AuthenticationManager

  • AuthenticationManager is the interface that manages the overall authentication process; it has a single method, authenticate(Authentication).
  • The authentication filters only depend on this interface, so they stay loosely coupled to how authentication is actually performed.
  • The actual work is done by implementation classes.

6. ProviderManager

  • The class that implements AuthenticationManager in a standard setup.
  • It manages a list of AuthenticationProviders and delegates authentication processing to them: it asks each provider whether it supports() the token's class, and the first provider that returns a non-null result wins. If none succeeds and a parent AuthenticationManager is configured, the parent is tried next; otherwise a ProviderNotFoundException is thrown.

7. AuthenticationProvider

  • The component to which the AuthenticationManager delegates authentication processing.
  • It compares the submitted credentials against the UserDetails received from the UserDetailsService to perform authentication.
  • For username/password logins the actual authentication process starts in the authenticate() method of the AbstractUserDetailsAuthenticationProvider abstract class, whose concrete subclass is DaoAuthenticationProvider

8. UserDetails

  • This interface exposes a user's username, password (as the stored credential) and authorities, as kept in a database or other storage.
  • The AuthenticationProvider uses UserDetails to perform authentication.

9. UserDetailsService

  • A core interface for loading UserDetails by username (loadUserByUsername()).
  • Spring Security can load the user's information from memory, a database or anywhere else, as long as it is returned as a UserDetails that Spring Security can understand.

10. SecurityContext and SecurityContextHolder

  • SecurityContext is the component that stores the authenticated Authentication object, and SecurityContextHolder manages the SecurityContext
  • SecurityContext contains the authenticated Authentication object, and SecurityContextHolder in turn contains the SecurityContext, as shown in the picture
  • We can set the Authentication on the SecurityContext through SecurityContextHolder, and also access the authenticated Authentication object through SecurityContextHolder.
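The restaurant "kitchen" and items #3 through #10 above, run end to end without a servlet container. This is an added example, not code from the original post: it assumes spring-security-core and spring-security-crypto (Spring Security 6) on the classpath, and the class name, member name and password are constructed for the demo. It wires UserDetailsService, DaoAuthenticationProvider and ProviderManager by hand, authenticates a UsernamePasswordAuthenticationToken, and shows what changes on the token (principal type, authorities, erased credentials) before it is placed in the SecurityContextHolder.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical walk-through of the authentication "kitchen": no filters, just
// ProviderManager -> DaoAuthenticationProvider -> UserDetailsService, driven from main().
public class AuthenticationKitchenDemo {

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // #9 UserDetailsService, the pantry. The password is stored as a hash, never in clear text.
        UserDetailsService pantry = new InMemoryUserDetailsManager(
            User.withUsername("kimcoding")
                .password(encoder.encode("correct horse"))   // constructed demo secret
                .roles("MEMBER")                             // becomes ROLE_MEMBER
                .build());

        // #7 AuthenticationProvider, the recipe for UsernamePasswordAuthenticationToken.
        DaoAuthenticationProvider recipe = new DaoAuthenticationProvider();
        recipe.setUserDetailsService(pantry);
        recipe.setPasswordEncoder(encoder);

        // #6 ProviderManager, the head chef. supports() is how it picks a provider for a token.
        ProviderManager chef = new ProviderManager(recipe);
        System.out.println("provider supports token: "
            + recipe.supports(UsernamePasswordAuthenticationToken.class));          // true

        // #3 The order as it leaves the hostess: unauthenticated, principal is a plain String.
        Authentication order =
            UsernamePasswordAuthenticationToken.unauthenticated("kimcoding", "correct horse");
        System.out.println("before: authenticated=" + order.isAuthenticated()
            + ", principal=" + order.getPrincipal().getClass().getSimpleName());   // false, String

        // #5 authenticate() returns a NEW, fully populated Authentication, or throws.
        Authentication dish = chef.authenticate(order);
        System.out.println("after:  authenticated=" + dish.isAuthenticated()
            + ", principal=" + dish.getPrincipal().getClass().getSimpleName()      // true, User
            + ", authorities=" + dish.getAuthorities()                            // [ROLE_MEMBER]
            + ", credentials=" + dish.getCredentials());                          // null (erased)

        // #4 ProviderManager.eraseCredentialsAfterAuthentication (default true) wiped the password
        // from the token AND from the User principal, so nothing secret goes into the session.
        UserDetails served = (UserDetails) dish.getPrincipal();
        System.out.println("principal password erased: " + (served.getPassword() == null));

        // #10 Serve it: an Authentication inside a SecurityContext, held by SecurityContextHolder.
        SecurityContext table = SecurityContextHolder.createEmptyContext();
        table.setAuthentication(dish);
        SecurityContextHolder.setContext(table);
        System.out.println("current user: "
            + SecurityContextHolder.getContext().getAuthentication().getName());  // kimcoding

        // Failure path. DaoAuthenticationProvider hides UsernameNotFoundException behind the same
        // BadCredentialsException by default, so a caller cannot tell "wrong password" from
        // "no such user" and enumerate valid usernames.
        for (String[] attempt : new String[][] {{"kimcoding", "wrong"}, {"nobody", "wrong"}}) {
            try {
                chef.authenticate(
                    UsernamePasswordAuthenticationToken.unauthenticated(attempt[0], attempt[1]));
            } catch (BadCredentialsException e) {
                System.out.println("rejected " + attempt[0] + ": " + e.getMessage());  // Bad credentials
            } catch (AuthenticationException e) {
                System.out.println("rejected " + attempt[0] + ": " + e.getClass().getSimpleName());
            }
        }

        // SecurityContextHolder is thread-local by default; clear it when the work is done,
        // which is what SecurityContextHolderFilter does at the end of every request.
        SecurityContextHolder.clearContext();
    }
}
```

Two things worth noticing when you run it: the principal changes type from String to User across authenticate(), which is why code that reads the current user should cast to UserDetails only on the authenticated side; and both failed attempts print the same "Bad credentials" message, which is the hideUserNotFoundExceptions default and should be left switched on.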
