Introduction to the 11 Spring Security filters

Source: Internet
Author: User

1. HttpSessionContextIntegrationFilter

This filter sits at the top of the filter chain and is the first one to run.

First use: before the other filters execute, it checks whether a SecurityContext already exists in the user's session. If it does, it takes that SecurityContext out of the session and puts it into the SecurityContextHolder for the rest of Spring Security to use. If it does not, it creates a new SecurityContext and puts that into the SecurityContextHolder instead.

Second use: after all the other filters have run, it clears the SecurityContextHolder. The SecurityContextHolder is based on a ThreadLocal, so if the ThreadLocal were not cleared once the request completes, the server's thread pool would hand the same thread, still carrying the previous user's context, to a later request.
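As an added illustration (not code from the original page or from Spring Security itself), the following simplified servlet filter reproduces both uses described above against the Spring Security 2.x API. The class name and the literal session attribute key are assumptions, and the real filter has more elaborate rules about when a session is created.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.context.SecurityContextImpl;

/** Hypothetical, simplified version of HttpSessionContextIntegrationFilter (Spring Security 2.x API). */
public class SessionContextLoadingFilter implements Filter {

    // Key under which the context is stored in the session (assumed literal).
    private static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);

        // Use one: reuse the context saved in the session, otherwise start with an empty one.
        SecurityContext context = null;
        if (session != null) {
            context = (SecurityContext) session.getAttribute(CONTEXT_KEY);
        }
        if (context == null) {
            context = new SecurityContextImpl();
        }
        SecurityContextHolder.setContext(context);

        try {
            chain.doFilter(req, res);
        } finally {
            // Use two: always clear the ThreadLocal, even when a later filter throws.
            // A pooled thread that kept a stale context would serve the next request
            // as the previous user.
            SecurityContext finished = SecurityContextHolder.getContext();
            SecurityContextHolder.clearContext();
            if (finished.getAuthentication() != null) {
                // Persist the (possibly updated) context for later requests of this session.
                request.getSession(true).setAttribute(CONTEXT_KEY, finished);
            }
        }
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```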

--------------------------------------------------------------------------------------------

2. LogoutFilter

This filter only processes the logout request; the default logout URL is /j_spring_security_logout.

Its purpose is that, when the user sends the logout request, it destroys the user's session, clears the SecurityContextHolder, and redirects to the logout success page. It can be combined with a mechanism such as RememberMe so that the user's cookie is also cleared on logout.

--------------------------------------------------------------------------------------------

3. AuthenticationProcessingFilter

This is the filter that handles form login; all operations related to form login are done here.

By default it only processes the /j_spring_security_check request. That request should be the address to which the user's login form is submitted; the other parameters the form needs are shown in the following example.

The filter performs the basic operation of taking the user name and password and deciding whether the user is valid. If the login succeeds it redirects to the success page (which may be a protected page the user tried to reach before logging in, or the default success page); if the login fails it redirects to the failure page.

<form action="${pageContext.request.contextPath}/j_spring_security_check" style="width:260px; text-align:center;">
  <fieldset>
    <legend>Login</legend>
    User: <input type="text" name="j_username" style="width:150px;" value="${sessionScope['SPRING_SECURITY_LAST_USERNAME']}"/><br/>
    Password: <input type="password" name="j_password" style="width:150px;"/><br/>
    <input type="checkbox" name="_spring_security_remember_me"/> Stay logged in for two weeks<br/>
    <input type="submit" value="Login"/>
    <input type="reset" value="Reset"/>
  </fieldset>
</form>

/j_spring_security_check: the URL to which the login information is submitted.

When customizing the form, set the form's action to /j_spring_security_check. Use an absolute path, to avoid problems caused by the location where the login page is stored.

j_username: the parameter name for the login name.

j_password: the parameter name for the password.

_spring_security_remember_me: the parameter name used to choose whether automatic login is allowed.

This parameter can be a plain checkbox without a value attribute; Spring Security only checks whether it was selected.

--------------------------------------------------------------------------------------------

4. DefaultLoginPageGeneratingFilter

This filter generates a default login page; its default address is /spring_security_login. Although this default page supports entering a user name and password and also supports the RememberMe function, it is too ugly to be more than a demonstration and cannot be used directly in a real project.

Custom login page

<intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login login-page="/login.jsp"
            authentication-failure-url="/login.jsp?error=true"
            default-target-url="/"/>

--------------------------------------------------------------------------------------------

5. BasicProcessingFilter

This filter performs HTTP Basic authentication. Its function is similar to AuthenticationProcessingFilter, except that the credentials are obtained and validated differently.

Add Basic authentication, remove auto-config= "true" and add

<http auto-config="true">
  <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
  <intercept-url pattern="/" access="ROLE_USER"/>
</http>
---------------------------------------------------------------------------------------------

6. SecurityContextHolderAwareRequestFilter

This filter wraps the client request. Its purpose is to offer later parts of the application some additional data on top of the original request; for example, getRemoteUser() directly returns the user name of the currently logged-in user.

---------------------------------------------------------------------------------------------

7. RememberMeProcessingFilter

This filter implements the RememberMe function. When the user's cookies contain a RememberMe token, the filter automatically logs the user in according to that token, creates the SecurityContext and grants the corresponding permissions.

Using auto-config="true" in the configuration file enables RememberMe automatically.

RememberMe in Spring Security is a cookie-based implementation: when the user chooses RememberMe at login, the system generates a unique token for the user after the login succeeds and saves that token in a cookie. The cookie can be inspected with the browser on the user's computer.

---------------------------------------------------------------------------------------------

8. AnonymousProcessingFilter

To keep processing uniform, a user who has not logged in is assigned the permissions of the anonymous user by default.

Using auto-config="true" in the configuration file enables anonymous login. Once anonymous login is enabled, resources that should be reachable without logging in can be configured as follows.

<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>

The access attribute can also be set to ROLE_ANONYMOUS.

<intercept-url pattern="/" filters="none"/>
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>

filters="none" means that when "/" is accessed, no filter at all is applied to the request. This also achieves access without logging in, but because the request is not processed by any filter, none of the security infrastructure is available: at the simplest, no principal is saved in the SecurityContext, so the principal's name and its permission information cannot be obtained.

---------------------------------------------------------------------------------------------

9. ExceptionTranslationFilter

The purpose of this filter is to handle the exceptions thrown by FilterSecurityInterceptor and then either redirect the request to the corresponding page or return the corresponding HTTP error code.

---------------------------------------------------------------------------------------------

10. SessionFixationProtectionFilter

Defends against session fixation attacks.

Fixing the session fixation problem is actually very simple: as soon as the user has logged in successfully, destroy the user's current session and generate a new one.

<http session-fixation-protection="none">
  <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
  <intercept-url pattern="/**" access="ROLE_USER"/>
</http>

session-fixation-protection accepts three values: none, migrateSession and newSession. The default is migrateSession.
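As an added example (not the page's or Spring Security's own code), this hypothetical helper shows the behaviour behind the three values: after a successful login the session id that existed before login is invalidated, and only migrateSession copies the old attributes across. The class, method and enum names are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper showing what the three session-fixation-protection values do. */
public final class SessionFixationHelper {

    public enum Strategy { NONE, MIGRATE_SESSION, NEW_SESSION }

    /**
     * Called once authentication has succeeded. The session id that existed before
     * login (the one an attacker could have fixed) is invalidated, so it no longer
     * maps to the authenticated user; the container issues a fresh id instead.
     */
    public static HttpSession onLoginSuccess(HttpServletRequest request, Strategy strategy) {
        HttpSession old = request.getSession(false);
        if (strategy == Strategy.NONE || old == null) {
            return old; // none: keep the pre-login id, which leaves fixation possible
        }

        // migrateSession carries the old attributes over (e.g. a shopping cart);
        // newSession starts empty.
        Map<String, Object> carried = new HashMap<String, Object>();
        if (strategy == Strategy.MIGRATE_SESSION) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
        }

        old.invalidate();                              // the fixed id is now dead
        HttpSession fresh = request.getSession(true);  // new id generated by the container
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```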
---------------------------------------------------------------------------------------------

11. FilterSecurityInterceptor

The user's permission checks are performed in this filter.

Function one: if the user has not logged in, it throws AuthenticationCredentialsNotFoundException (the "not authenticated" exception).

Function two: if the user is logged in but does not have permission to access the current resource, it throws AccessDeniedException (the "access denied" exception).

Function three: if the user is logged in and has permission to access the current resource, the request is let through.
