Spring Security ships with a set of predefined servlet filters, each of which performs a particular security check. Figure 15-4 below shows how these filters act on a request as it travels to a secured resource in a web application protected by Spring Security.
Figure 15-4. Spring Security filters in action accomplishing appropriate security tasks
Table 15-1 below lists the filters that ship with the Spring Security module and the security-related task each one performs for your web application.
Table 15-1. Spring Security filters and their purpose

| Filter | Description |
|---|---|
| ChannelProcessingFilter | Redirects the request according to the required protocol (HTTP or HTTPS). |
| ConcurrentSessionFilter | Ensures a user does not have more than the configured number of concurrent sessions. |
| SecurityContextPersistenceFilter | Binds the SecurityContext to the SecurityContextHolder at the beginning of a web request and copies any changes back to the web session when the request ends. |
| UsernamePasswordAuthenticationFilter | Processes an authentication form submission containing two parameters, username and password. |
| CasAuthenticationFilter | Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets to perform the authentication. |
| BasicAuthenticationFilter | Processes an HTTP Basic Authorization header and performs the authentication. |
| DigestAuthenticationFilter | Processes an HTTP Digest Authorization header and performs the authentication. |
| SecurityContextHolderAwareRequestFilter | Wraps the ServletRequest in a request wrapper that implements the servlet API security methods. |
| JaasApiIntegrationFilter | Attempts to obtain a JAAS Subject and continues the FilterChain running as that Subject. |
| RememberMeAuthenticationFilter | If there is no Authentication object in the SecurityContext, populates the context with a remember-me authentication token. |
| AnonymousAuthenticationFilter | If there is no Authentication object in the SecurityContextHolder, populates it with an anonymous one if needed. |
| ExceptionTranslationFilter | Translates exceptions raised during authentication and authorization. For example, on an AuthenticationException it redirects the user to a login page. |
| FilterSecurityInterceptor | Safeguards web URLs and redirects the accessing user if they do not have the necessary access. |
Tomcy John
Blogger & Author at javacodebook