A brief explanation of how Spring Security works

Source: Internet
Author: User
Tags: types of filters

  1. SecurityContextPersistenceFilter
  2. ConcurrentSessionFilter
  3. WebAsyncManagerIntegrationFilter
  4. HeaderWriterFilter
  5. CsrfFilter
  6. LogoutFilter
  7. UsernamePasswordAuthenticationFilter
  8. DefaultLoginPageGeneratingFilter
  9. RequestCacheAwareFilter
  10. SecurityContextHolderAwareRequestFilter
  11. RememberMeAuthenticationFilter
  12. AnonymousAuthenticationFilter
  13. SessionManagementFilter
  14. ExceptionTranslationFilter
  15. FilterSecurityInterceptor

These are the 15 filters that make up the complete default filter chain of Spring Security (SS). That is a lot; ordinary web development rarely uses this many filters. Put simply, what a filter does is inspect the request and the response. Exactly what each one checks is something the developer needs to become familiar with, and it will become clear once we have walked through the verification process.

So how does this work inside SS? First the basic configuration: the SS filter chain is registered in web.xml:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

In a web application, when the browser requests a page, the full cycle consists of one request and one response. Within that cycle, either 1. the request accesses the resource URL directly and the data is returned without further processing, or 2. the request and the response are processed on the way in and out before the data is returned.

SS takes the second route: the request and the response go through a series of processing steps. The best tool for processing requests and responses this way is the servlet Filter. What exactly does it process, and how? Let's look.

SS is a security framework; here we only discuss security for the web part, since SS can also secure other kinds of clients. Roughly, one request and its response go through the following steps: 1. the browser sends the request; 2. the filters intercept the URL; 3. authentication; 4. access authorization.

A step-by-step explanation of these four steps. 1. The browser request. The browser issues a standard HTTP request for the URL "http://www.access.com/resource/accountlist". This URL contains the parts of a standard HTTP request: the protocol, the host (domain), port 80, and the resource location.
2. The filters intercept the URL
     This is where the filters come in, and it is important to know which filter intercepts the URL of the incoming request. SS registers the 15 filters listed at the beginning of this article; they are injected into the SS filter chain and managed by Spring's IoC container. If we implement a custom filter of our own, it is injected into the SS filter chain and maintained in the same way. Every URL passes through these 15 filters, each of which performs a different duty (authentication, authorization, access control, initialising built-in objects, and so on). The precondition for entering this chain is that the requested URL is one that SS should process, so how do we make the filters intercept a URL?
This is done in the security.xml configuration file.
The configuration states that URLs under /resource/** do not need to be processed by the filters, while all other URLs are processed by the interceptors. Here is a general description of what these interceptors do, limited to the ones commonly used for the web aspect.
Filter: Description
SecurityContextPersistenceFilter: stores the security context for each request; it runs before authentication.
LogoutFilter: handles logging out of the system.
UsernamePasswordAuthenticationFilter: performs the system login, verifying the username and password.
DefaultLoginPageGeneratingFilter: generates the default login page provided by SS.
SecurityContextHolderAwareRequestFilter: wraps the container's servlet request and passes the wrapped request on.
AnonymousAuthenticationFilter: initialises an authentication object for any request that reaches SS without one.
FilterSecurityInterceptor: the interceptor that sits in front of the protected address after SS authentication and performs the access check.



3. Authentication. It is natural to think of a URL as accessing a protected resource, so conversely the URL must be authorized and authenticated. The guiding idea is that once the user has logged in to SS successfully, the login information is saved in SS as credentials, and the resources to be accessed are then verified against those credentials, which makes authentication reliable.
The default authorization process in SS is this: after the SecurityContextPersistenceFilter intercepts the request, a system authentication object is created and passed to the AnonymousAuthenticationFilter, which initialises the data of the authentication object. After this step the system already holds an authenticated authorization object.
4. Access authorization. After authentication, the request carries the authentication object on to the access authorization step. Here the AccessDecisionManager decides whether the URL may be accessed; the FilterInvocationSecurityMetadataSource holds the default permission resources configured for each URL.
If the requested URL is the login-processing URL "/login", then before the decision step the UsernamePasswordAuthenticationFilter intercepts it and verifies the username and password inside the filter. It turns the username and password into an authentication token and hands it to the AuthenticationManager by calling this.getAuthenticationManager().authenticate(token). The authenticate method of the AuthenticationManager performs the verification: it calls the UserDetails lookup, finds the user's permissions, and returns a user object (the User class that ships with SS); at the same time the authenticated object is stored in the SS context. Then the AccessDecisionManager makes its decision: it takes the authenticated user's permissions, loads the permission set that the system pre-loaded for the URL, and matches the two. If they match, the request is released and the context now holds a valid authentication. The authenticated user information can be obtained through SS's JSP tags.
If the requested URL is not the login URL, say "/xxx", it is not treated like the login process: the UsernamePasswordAuthenticationFilter does no processing here, and the request goes on to the access decision handler. That process loads the permission set corresponding to the URL and compares it with the authentication resources (permissions, resources) in the pre-loaded authentication object. If the comparison fails, access is denied and an access exception is thrown. These access exceptions are caught by the caller of the interceptor's abstract class AbstractSecurityInterceptor and handled: SS treats the exception as an authentication exception and sends the browser to the login page URL reserved in the SS configuration. If that is configured as /xxx.jsp, the browser is redirected to the /xxx.jsp login page, which asks for a username and password. Submitting that form sends the request to the filter, the login process "/login" runs, and from there the processing is the same as the login process described above.
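To make steps 3 and 4 concrete, here is an added example (not code from the original article) that drives the same Spring Security classes directly, outside a servlet container: a ProviderManager with a DaoAuthenticationProvider plays the AuthenticationManager, and AffirmativeBased with a RoleVoter plays the AccessDecisionManager over a DefaultFilterInvocationSecurityMetadataSource. It assumes Spring Security 5.x (spring-security-core, -web, -crypto) and the servlet API on the classpath; the user alice/s3cret and the URL patterns are constructed for the example.

```java
import java.util.*;
import org.springframework.security.access.*;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class FilterChainWalkthrough {
    public static void main(String[] args) {
        // Step 3: what UsernamePasswordAuthenticationFilter does with the form: token -> AuthenticationManager.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; a real UserDetailsService would load this from a database.
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                new User("alice", encoder.encode("s3cret"), AuthorityUtils.createAuthorityList("ROLE_USER")));
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        AuthenticationManager manager = new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
        Authentication token = new UsernamePasswordAuthenticationToken("alice", "s3cret");
        Authentication authenticated = manager.authenticate(token); // throws BadCredentialsException on failure
        SecurityContextHolder.getContext().setAuthentication(authenticated); // stored in the SS context

        // Step 4: URL -> required attributes, as FilterSecurityInterceptor looks them up; first match wins.
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> urlMap = new LinkedHashMap<>();
        urlMap.put(new AntPathRequestMatcher("/admin/**"), SecurityConfig.createList("ROLE_ADMIN"));
        urlMap.put(new AntPathRequestMatcher("/**"), SecurityConfig.createList("ROLE_USER"));
        DefaultFilterInvocationSecurityMetadataSource metadata = new DefaultFilterInvocationSecurityMetadataSource(urlMap);
        AccessDecisionManager decisions = new AffirmativeBased(Collections.<AccessDecisionVoter<?>>singletonList(new RoleVoter()));

        for (String path : new String[] {"/accountlist", "/admin/users"}) {
            FilterInvocation fi = new FilterInvocation(path, "GET"); // wraps a dummy HttpServletRequest
            try {
                decisions.decide(authenticated, fi, metadata.getAttributes(fi));
                System.out.println(path + " -> granted");
            } catch (AccessDeniedException denied) {
                // alice only holds ROLE_USER, so /admin/** is refused here; in the real chain
                // ExceptionTranslationFilter would turn this into the redirect described above.
                System.out.println(path + " -> denied");
            }
        }
    }
}
```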
