Spring Security Core Components
SecurityContextHolder, SecurityContext, and Authentication
SecurityContextHolder is the most basic component of Spring Security. It stores the SecurityContext object and, by default, is backed by a ThreadLocal, so every method running on the same thread can obtain the same SecurityContext.
SecurityContextHolder has two other modes: SecurityContextHolder.MODE_GLOBAL and SecurityContextHolder.MODE_INHERITABLETHREADLOCAL. The former makes the SecurityContext global, so it is shared by all threads in the application. The latter is for scenarios with a parent-child thread relationship, where a thread wants the threads it spawns to inherit the same security context as its own.
In most cases we do not need to change the default. The ThreadLocal mode is the most commonly used and is suitable for most applications.
Obtaining the Authenticated Subject's Information
We can use the following code snippet to obtain the authentication subject information.
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username;
if (principal instanceof UserDetails) {
    username = ((UserDetails) principal).getUsername();
} else {
    username = principal.toString();
}
The first line returns the principal, which in most cases is an instance of UserDetails, an object holding the username, password, and granted authorities. We can also provide our own UserDetails by implementing that interface, so the object carries whatever the application's business logic requires.
UserDetailsService
As mentioned above, we can customize the UserDetails instance. How is that instance obtained? Through a UserDetailsService. This interface has only one method:
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
This method accepts a username and returns the matching UserDetails instance.
After successful authentication, the UserDetails object is used to build the Authentication object, which is stored in the SecurityContextHolder. All the user information we need can therefore be obtained through SecurityContextHolder.
GrantedAuthority
The Authentication object also provides the getAuthorities method, which returns the permissions granted to the user. These permissions usually correspond to roles and to the access rights attached to each role. For example, ADMIN_ROLE can access the content under /admin, while other roles cannot.
The GrantedAuthority objects are also usually supplied by the UserDetailsService instance, as part of the UserDetails it returns.
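The following is an added example, not code from the original article or from Spring Security itself: a hypothetical UserDetailsService backed by a constructed in-memory table, which builds the GrantedAuthority list together with the rest of the UserDetails, plus a helper that reads the principal back out of the SecurityContextHolder. The class name, the sample users and the password placeholders are all assumptions.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical UserDetailsService; a real application would query a database here.
public class InMemoryUserDetailsServiceExample implements UserDetailsService {

    // Constructed sample data: username -> {encoded password placeholder, role}.
    // Replace the placeholder with a real "{bcrypt}..." hash produced by a PasswordEncoder.
    private static final Map<String, String[]> USERS = Map.of(
            "alice", new String[]{"{bcrypt}<HASH-PLACEHOLDER>", "ADMIN"},
            "bob",   new String[]{"{bcrypt}<HASH-PLACEHOLDER>", "USER"});

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] row = USERS.get(username);
        if (row == null) {
            // The interface contract is to throw, not return null; Spring Security reports
            // a generic bad-credentials failure so unknown users cannot be enumerated.
            throw new UsernameNotFoundException("User not found: " + username);
        }
        // Authorities are built here, so they come from the same source as the UserDetails.
        // Spring's hasRole() checks expect the "ROLE_" prefix.
        List<GrantedAuthority> authorities = List.of(new SimpleGrantedAuthority("ROLE_" + row[1]));
        return User.withUsername(username)
                .password(row[0])
                .authorities(authorities)
                .build();
    }

    // Reads the principal back from the SecurityContextHolder after authentication.
    public static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return null; // nothing has been authenticated on this thread
        }
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString(); // e.g. "anonymousUser"
    }
}
```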
Summary
We mentioned the following objects:
SecurityContextHolder: provides access to SecurityContext
SecurityContext: holds the Authentication object and other information that may be required.
Authentication: the authenticated subject in Spring Security's model
GrantedAuthority: a permission granted to the authenticated subject, i.e. application-level authorization
UserDetails: the information needed to build the Authentication object; it can be customized and may require a database lookup to obtain
UserDetailsService: constructs a UserDetails object from a username