Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. It provides a set of beans that can be configured in the Spring application context, taking full advantage of Spring's IoC (Inversion of Control), DI (Dependency Injection) and AOP (aspect-oriented programming) capabilities to provide declarative access control for application systems, reducing the effort of writing large amounts of repetitive code for enterprise system security controls. [1]
1. Core Module
An Authentication represents the token for an authentication request, or the authenticated principal once the AuthenticationManager's authenticate method has handled that request. Once the request has been authenticated, SecurityContextHolder saves the Authentication to the SecurityContext. Let's take a look at the inheritance relationship of Authentication:
UserDetails
Context Package:
The Authentication is stored in the SecurityContext. SecurityContextHolder associates a specific SecurityContext with the current execution thread. This class provides a series of static methods that delegate to a SecurityContextHolderStrategy instance. The class is designed as a convenient way to specify the strategy to use for a given JVM. There are three strategies: MODE_GLOBAL, MODE_THREADLOCAL and MODE_INHERITABLETHREADLOCAL. They correspond to GlobalSecurityContextHolderStrategy, ThreadLocalSecurityContextHolderStrategy and InheritableThreadLocalSecurityContextHolderStrategy.
There are two ways to set the strategy. The first is to set it in the system properties; the second is to call setStrategyName before the class is used. If neither method is used, the default is MODE_THREADLOCAL, which is backwards compatible.
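The effect of the strategy choice on child threads, as an added example (not from the original article or the Spring Security source). It assumes spring-security-core is on the classpath; the class name StrategyDemo, its helper methods and the user "alice" are constructed for illustration.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Illustrative class, not part of Spring Security.
public class StrategyDemo {

    // Starts a new thread and reports which principal name it finds in its SecurityContext.
    static String nameSeenByChildThread() throws InterruptedException {
        final String[] seen = new String[1];
        Thread child = new Thread(() -> {
            Authentication a = SecurityContextHolder.getContext().getAuthentication();
            seen[0] = (a == null) ? null : a.getName();
        });
        child.start();
        child.join();
        return seen[0];
    }

    // Stores a constructed, already-authenticated token in the current thread's context.
    static void login(String user) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                user, "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
    }

    public static void main(String[] args) throws InterruptedException {
        // No system property and no setStrategyName call: MODE_THREADLOCAL applies,
        // so the context is bound to the thread that called login().
        login("alice");
        System.out.println("MODE_THREADLOCAL, child sees: " + nameSeenByChildThread());

        // setStrategyName re-initializes the holder, so the context is set again.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
        login("alice");
        System.out.println("MODE_INHERITABLETHREADLOCAL, child sees: " + nameSeenByChildThread());

        SecurityContextHolder.clearContext();
    }
}
```

Inheritance happens when a thread is created, so a pooled worker thread keeps whatever context its creator had rather than the context of the request it later serves. MODE_GLOBAL shares one SecurityContext across every thread in the JVM, which does not fit a multi-user server.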
GrantedAuthority
2. Authentication Module
AuthenticationManager Tracking:
Learn about AuthenticationProvider, the abstract interface that processes an Authentication, and its inheritance hierarchy
3. Authorization Module
Decision Manager Voter
Summary:
Spring Security's support for web security relies heavily on servlet filters. These filters intercept incoming requests and apply security processing before the application handles the request. Spring Security provides a number of filters that intercept servlet requests and pass them on to the authentication manager and the access decision manager. Depending on your needs, you can use several of the filters listed in table 7.4 to protect your application. If you have used servlet filters before, you know that for them to take effect you must configure them with the <filter> and <filter-mapping> elements in your web application's web.xml file. While this works, it does not fit a configuration style based on dependency injection. FilterToBeanProxy is a special servlet filter that does little work of its own and instead delegates to a bean in the Spring application context. The delegate bean implements the javax.servlet.Filter interface just like any other servlet filter, but it is configured in the Spring configuration file instead of the web.xml file. In fact, the bean that FilterToBeanProxy delegates to can be any implementation of javax.servlet.Filter: one of the Spring Security filters, or a filter you have written yourself. But as already mentioned in this book, Spring Security requires a minimum of four and possibly a dozen or more filters to be configured. [2]
Reference documents:
[1]HTTP://BAIKE.BAIDU.COM/LINK?URL=HPT7PSOWPCOZJWXE75_H0WF8N2IXKPDAJGNQRDFSPKODLYHNEE1LPARIWZTSGV2-AYP3STHUXWESB2SCWC0SKK
Spring security Source Analysis Core Package