How to understand Spring Security Architecture

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article introduces the relevant knowledge of "how to understand Spring Security architecture". Many people will encounter such a dilemma in the operation of actual cases, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Spring Security architecture

This guide is an introduction to Spring Security and provides insight into the design and basic building blocks of the framework. We cover only the basics of application security, but doing so clears up some of the confusion encountered by developers using Spring Security. To do this, we look at how security is applied in web applications using filters and, more generally, using method annotations. Use this guide when you need to understand at a high level how a secure application works, how to customize it, or just to learn how to think about application security.

This guide is not a manual for solving the most basic problems (there are many other references for basic problems), but it may be useful for both beginners and experts. Spring Boot is also mentioned many times because it provides some default behavior for secure applications, and it is helpful to understand how that fits into the overall architecture. All of these principles apply equally to applications that do not use Spring Boot.

Authentication and Access Control

Application security boils down to two more or less separate questions: authentication (who are you?) and authorization (what are you allowed to do?). Sometimes people say "access control" rather than "authorization", which can be confusing, but it may be helpful to think in this way, because "authorization" has other meanings elsewhere. The architecture of Spring Security is designed to separate authentication from authorization, and it has strategies and extension points for both.

Identity authentication

The main strategy interface for authentication is AuthenticationManager, which has only one method:

    public interface AuthenticationManager {

        Authentication authenticate(Authentication authentication)
                throws AuthenticationException;
    }

There are three possible outcomes of the authenticate() method of the AuthenticationManager interface:

If the authentication is successful, an Authentication object is returned (its authenticated property is usually set to true).

If authentication fails, an AuthenticationException is thrown.

If success or failure cannot be determined, null is returned.

AuthenticationException is a runtime exception. It is usually handled by the application in a generic manner, depending on the style or purpose of the application. In other words, you usually don't want user code to catch and handle it. For example, a web UI will render a page that states that authentication failed, while a back-end HTTP service will send a 401 response, with a WWW-Authenticate header depending on the context.

The most common implementation of AuthenticationManager is ProviderManager, which delegates to a chain of AuthenticationProvider instances. AuthenticationProvider is a bit like AuthenticationManager, but it has an additional method that allows callers to query whether a given Authentication type is supported:

    public interface AuthenticationProvider {

        Authentication authenticate(Authentication authentication)
                throws AuthenticationException;

        boolean supports(Class<?> authentication);
    }

The Class parameter in the supports() method is actually Class
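The delegation described above, as an added example that is not part of the original article or of Spring Security itself: a ProviderManager asks each AuthenticationProvider in turn, and the three outcomes (authenticated result, exception, null) decide what the caller sees. RealmProvider, the user names and the passwords are hypothetical and constructed for the demo; a real provider would verify a stored hash with a PasswordEncoder rather than compare plain strings.

```java
import java.util.Arrays;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderChainDemo {
    // Hypothetical provider (not a Spring class): owns one user-name suffix and a constructed demo password.
    static class RealmProvider implements AuthenticationProvider {
        private final String suffix, password;
        RealmProvider(String suffix, String password) { this.suffix = suffix; this.password = password; }

        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            if (!auth.getName().endsWith(suffix)) {
                return null; // cannot decide: abstain so the next provider is asked
            }
            if (!password.equals(auth.getCredentials())) {
                throw new BadCredentialsException("Bad credentials"); // invalid principal
            }
            // The three-argument constructor yields a token with authenticated=true.
            return new UsernamePasswordAuthenticationToken(
                    auth.getName(), null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }

        @Override
        public boolean supports(Class<?> type) { // ProviderManager skips providers that return false
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    // Callers handle AuthenticationException generically, e.g. by mapping it to a 401.
    static String attempt(AuthenticationManager manager, Authentication request) {
        try {
            Authentication result = manager.authenticate(request);
            return "authenticated=" + result.isAuthenticated() + " as " + result.getName();
        } catch (AuthenticationException ex) {
            return "rejected: " + ex.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = new ProviderManager(Arrays.asList(
                new RealmProvider("@staff.example", "demo-staff-pw"),
                new RealmProvider("@partner.example", "demo-partner-pw")));
        String user = "bob@partner.example"; // constructed sample account
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken(user, "demo-partner-pw")));
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken(user, "wrong")));
        System.out.println(attempt(manager, new TestingAuthenticationToken("bob", "x"))); // unsupported type
    }
}
```

When no provider in the chain supports the token type, ProviderManager itself throws ProviderNotFoundException, so an unsupported request is rejected rather than passed through.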
