Spring Security 3.2 Getting Started (6): A brief introduction to the 11 filters used by default

Source: Internet
Author: User

Spring Security provides more than 20 filters, each of which provides a specific function. The default order of these filters in the Spring Security filter chain is defined by the org.springframework.security.config.http.SecurityFilters enumeration type. Through this filter mechanism, Spring Security implements security-related work such as authentication and authorization. Users can insert, replace or remove known filters in the Spring Security filter chain through the configuration file, so that the security processing meets the specific needs of their application.

When auto-config="true" is set, 11 filters are used by default, and they are applied in a fixed order.

The 11 filters of the default configuration are described below:

1. HttpSessionContextIntegrationFilter

This filter sits at the top of the chain and is the first one to run.
Use one: before the other filters execute, it checks whether a SecurityContext already exists in the user's session.
If one exists, it takes that SecurityContext out and puts it in the SecurityContextHolder for the rest of Spring Security to use.
If none exists, it creates a new SecurityContext and puts that in the SecurityContextHolder instead.

Use two: after all the other filters have executed, it clears the SecurityContextHolder. The SecurityContextHolder is based on a ThreadLocal,
so the ThreadLocal must be cleared once the request is complete; otherwise the server's thread-pool mechanism would carry this user's context over to the next request handled by the same thread.
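The following is an added example, not code from the original article or from Spring Security itself: a simplified servlet filter that performs the two jobs described above, restoring the context from the session before the chain runs and clearing the ThreadLocal afterwards. The class name SessionContextBridgeFilter is made up; the session attribute name SPRING_SECURITY_CONTEXT is the key Spring Security uses for the stored context, and the javax.servlet and SecurityContextHolder calls are the real APIs.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example (not Spring Security's own implementation) of the two jobs
 * HttpSessionContextIntegrationFilter performs: load the SecurityContext from the
 * HTTP session before the chain runs, and clear the ThreadLocal afterwards.
 */
public class SessionContextBridgeFilter implements Filter {

    // Session attribute under which Spring Security stores the context.
    static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    public void init(FilterConfig filterConfig) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Use one: reuse the context saved in the session, or start from an empty one.
        SecurityContextHolder.setContext(loadContext(request));
        try {
            chain.doFilter(req, res);   // the remaining filters and the application run here
        } finally {
            // Persist whatever the chain put into the context (e.g. a fresh login),
            // but only if a session exists and something was actually authenticated.
            HttpSession session = request.getSession(false);
            SecurityContext current = SecurityContextHolder.getContext();
            if (session != null && current.getAuthentication() != null) {
                session.setAttribute(CONTEXT_KEY, current);
            }
            // Use two: always clear the ThreadLocal. The container reuses this thread
            // for another client, and a leftover context would hand that client
            // this user's identity.
            SecurityContextHolder.clearContext();
        }
    }

    /** Returns the context stored in the session, or a new empty one when there is none. */
    static SecurityContext loadContext(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object saved = session.getAttribute(CONTEXT_KEY);
            if (saved instanceof SecurityContext) {
                return (SecurityContext) saved;
            }
        }
        return SecurityContextHolder.createEmptyContext();
    }

    public void destroy() {}
}
```

The clearContext() call lives in a finally block on purpose: an exception thrown by a later filter or by the application must not skip it, because the thread goes back to the container's pool either way.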

2. LogoutFilter

Processes only the logout request, which by default is /j_spring_security_logout.
When the user sends the logout request, its job is to destroy the user's session, clear the SecurityContextHolder and redirect to the logout success page.
It can be combined with a mechanism such as remember-me to clear the user's cookie at the same time as logging out.

3. AuthenticationProcessingFilter

The filter that handles form login; all operations related to form login are done here.
By default only the /j_spring_security_check request is processed, and this should be the submit address of the form the user logs in with. The other parameters the form requires are listed below the example.
The basic operation of this filter is to check the user name and password to decide whether the user is valid. If login succeeds, it redirects to the success page (which may be the protected page the user tried to open before logging in,
or the default success page); if login fails, it redirects to the failure page.

    <form method="post" action="${pageContext.request.contextPath}/j_spring_security_check" style="width:260px;text-align:center;">
      <!-- method="post" added here: the login filter only accepts POST submissions -->
      <fieldset>
        <legend>Login</legend>
        User: <input type="text" name="j_username" style="width:150px;" value="${sessionScope['SPRING_SECURITY_LAST_USERNAME']}"/><br/>
        Password: <input type="password" name="j_password" style="width:150px;"/><br/>
        <input type="checkbox" name="_spring_security_remember_me"/> No login required for two weeks<br/>
        <input type="submit" value="Login"/>
        <input type="reset" value="Reset"/>
      </fieldset>
    </form>

/j_spring_security_check: the URL to which the login information is submitted.
When customizing the form, set the form's action to /j_spring_security_check. Note that it is important to use an absolute path, to avoid problems caused by the login page being stored in a subdirectory.
j_username: the parameter name for the login name.
j_password: the parameter name for the password.
_spring_security_remember_me: the parameter name for choosing whether automatic login is allowed.
This parameter can be a plain checkbox without a value attribute; Spring Security decides based on whether it is checked.

4. DefaultLoginPageGeneratingFilter

This filter generates a default login page, whose default access address is /spring_security_login. Although this default login page supports entering a user name and password
and also supports the remember-me feature, it is too ugly to use directly in a real project and is only suitable for a demonstration.
Custom login page:

    <http auto-config="true">
      <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
      <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
      <intercept-url pattern="/**" access="ROLE_USER"/>
      <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true" default-target-url="/"/>
    </http>

5. BasicProcessingFilter

This filter performs HTTP Basic authentication. Its function is similar to AuthenticationProcessingFilter, except that the credentials are checked in a different way.
To add Basic authentication, remove auto-config="true" and add:
    <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
    <intercept-url pattern="/" access="ROLE_USER"/>
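As an added example (not the article's or the project's own configuration), here are the form login, custom login page and Basic authentication of sections 3 to 5, together with the logout and remember-me settings of sections 2 and 7, expressed with the Java configuration that Spring Security 3.2 introduced as an alternative to the XML namespace. The class name, the two in-memory users, their placeholder passwords and the remember-me key are assumptions; the /j_* URLs and parameter names are the ones the article uses.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: Java-config equivalent of the XML shown in the article.
 * Class name, users and passwords are placeholders, not values from the article.
 */
@Configuration
@EnableWebSecurity
public class LoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // the login page itself must be reachable without a session
                .antMatchers("/login.jsp").permitAll()
                .antMatchers("/admin.jsp").hasRole("ADMIN")   // ROLE_ADMIN
                .antMatchers("/**").hasRole("USER")           // ROLE_USER, most general rule last
                .and()
            // section 3/4: form login with the custom page and the j_* names from the article
            .formLogin()
                .loginPage("/login.jsp")
                .loginProcessingUrl("/j_spring_security_check")
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .failureUrl("/login.jsp?error=true")
                .defaultSuccessUrl("/")
                .and()
            // section 5: HTTP Basic can be enabled alongside form login
            .httpBasic()
                .and()
            // section 2: logout URL from the article
            .logout()
                .logoutUrl("/j_spring_security_logout")
                .logoutSuccessUrl("/login.jsp")
                .and()
            // section 7: remember-me, driven by the checkbox name from the article
            .rememberMe()
                .rememberMeParameter("_spring_security_remember_me")
                .key("remember-me-key-placeholder");   // assumption: replace with a real secret
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Assumed demo users; a real deployment would use a UserDetailsService and hashed passwords.
        auth.inMemoryAuthentication()
            .withUser("user").password("user-password-placeholder").roles("USER")
            .and()
            .withUser("admin").password("admin-password-placeholder").roles("USER", "ADMIN");
    }
}
```

One difference from the XML of the article: Java configuration in 3.2 enables CSRF protection by default, so the JSP form must be a POST that carries the _csrf token and the logout must also be a POST; calling http.csrf().disable() gives a like-for-like copy of the XML behaviour, at the cost of that protection.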

6. SecurityContextHolderAwareRequestFilter

This filter wraps the client request. Its purpose is to expose some additional data to the code that runs after it, on top of the original request.
For example, getRemoteUser() then directly returns the user name of the currently logged-in user.

7. RememberMeProcessingFilter

This filter implements the remember-me function: when the user's cookie contains a remember-me token, the filter automatically logs the user in according to that token
and creates a SecurityContext that grants the corresponding permissions.
Using auto-config="true" in the configuration file enables remember-me automatically.
In fact, remember-me in Spring Security is a cookie-based implementation: when the user chooses remember-me at login, the system generates a unique identifier for the user after the login succeeds
and saves that identifier in a cookie. We can inspect this cookie on the user's computer through the browser.

8. AnonymousProcessingFilter

To keep processing uniform, when the user has not logged in, the user is given the permissions of an anonymous user by default.
Using auto-config="true" in the configuration file enables anonymous login. After enabling it, if we want to allow some resources to be accessed without logging in, we can configure it as follows.

    <http auto-config="true">
      <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
      <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
      <intercept-url pattern="/**" access="ROLE_USER"/>
    </http>

The access attribute can also be set to ROLE_ANONYMOUS.

    <http auto-config="true">
      <intercept-url pattern="/" filters="none"/>
      <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
      <intercept-url pattern="/**" access="ROLE_USER"/>
    </http>

filters="none" means that when "/" is accessed, no filter at all processes the request, which also achieves the effect of reaching the resource without logging in.
However, because the request is not processed by any filter, it cannot benefit from the security filters either. The simplest consequence is that no principal is stored in the SecurityContext,
so we cannot obtain the principal's name or its permission information from it.
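The following added example (not code from the article or from the project) shows the two options of this section in Java configuration and what application code observes under each: permitAll() is the counterpart of access="IS_AUTHENTICATED_ANONYMOUSLY" (the filters run and the caller is an anonymous principal), while web.ignoring() is the counterpart of filters="none" (the chain is skipped and the SecurityContext stays empty). The class name and the /static/** path are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Added example; class name and the /static/** path are assumptions. */
@Configuration
@EnableWebSecurity
public class PublicResourceConfig extends WebSecurityConfigurerAdapter {

    /** Counterpart of access="IS_AUTHENTICATED_ANONYMOUSLY": filters still run, caller is anonymous. */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/admin.jsp").hasRole("ADMIN")
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin();
    }

    /** Counterpart of filters="none": the whole chain is skipped for these paths. */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Only sensible for resources that never need the caller's identity (assumed: static files).
        web.ignoring().antMatchers("/static/**");
    }

    /**
     * What code behind the chain sees in each case. Under permitAll() the holder carries an
     * AnonymousAuthenticationToken; under ignoring() nothing ran, so the authentication is null
     * and request.getRemoteUser() would be null as well.
     */
    public static String describeCaller() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return "no security filter ran for this request (filters=\"none\" / ignoring)";
        }
        if (auth instanceof AnonymousAuthenticationToken) {
            return "anonymous caller with authorities " + auth.getAuthorities();
        }
        return "authenticated as " + auth.getName();
    }
}
```

This is why the article recommends the anonymous approach for ordinary pages: code such as a navigation bar that shows "login" or the user's name keeps working, whereas behind filters="none" it would see no context at all.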

9. ExceptionTranslationFilter

The purpose of this filter is to handle the exceptions thrown in FilterSecurityInterceptor and then redirect the request to the corresponding page, or return the corresponding response error code.

10. SessionFixationProtectionFilter

Defends against session fixation attacks.
Fixing the session fixation problem is actually very simple: as soon as the user logs in successfully, destroy the user's current session and generate a new one.

    <http auto-config="true" session-fixation-protection="none">
      <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN"/>
      <intercept-url pattern="/**" access="ROLE_USER"/>
    </http>

There are three available values for session-fixation-protection: none, migrateSession and newSession. By default, migrateSession is used.
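As an added example, not the filter's own source, the "destroy the session and create a new one" step described above written out with the plain servlet API, in the two flavours that correspond to migrateSession and newSession. The class name SessionFixationGuard is made up; the servlet calls are the real ones.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not Spring Security's implementation). Call one of the two methods from
 * your authentication-success handling, after the credentials have been verified and
 * before anything about the logged-in user is written to the session.
 */
public final class SessionFixationGuard {

    private SessionFixationGuard() {}

    /** Like migrateSession: fresh id, but existing attributes (cart, locale, ...) are carried over. */
    public static HttpSession migrateSession(HttpServletRequest request) {
        return renew(request, true);
    }

    /** Like newSession: fresh id and a completely empty session. */
    public static HttpSession newSession(HttpServletRequest request) {
        return renew(request, false);
    }

    private static HttpSession renew(HttpServletRequest request, boolean keepAttributes) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            if (keepAttributes) {
                Enumeration<String> names = old.getAttributeNames();
                while (names.hasMoreElements()) {
                    String name = names.nextElement();
                    saved.put(name, old.getAttribute(name));
                }
            }
            // Invalidate first: an id the client knew before login stops being valid.
            old.invalidate();
        }
        // The container issues a new id that only this response will carry to the client.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

With the Java configuration of 3.2 the same choice is made declaratively with http.sessionManagement().sessionFixation().migrateSession() or .newSession(); the XML above with session-fixation-protection="none" switches the protection off, which is the one value to avoid on a login that sets a session cookie.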

11. FilterSecurityInterceptor

The user's permission checks are performed in this filter.
Function one: if the user has not logged in, it throws AuthenticationCredentialsNotFoundException (the "not authenticated" exception).
Function two: if the user is logged in but has no permission to access the current resource, it throws AccessDeniedException (the "access denied" exception).
Function three: if the user is logged in and has permission to access the current resource, the request is let through.

Note: this material was collected from the Internet.
