Spring Security 0

김가빈 · July 27, 2023

Security

  • security is for protecting the data and business logic inside your web applications
  • it is essential for every web application (it is always needed, no matter what the business logic is)
  • there are different types of security
    • firewalls
    • https
    • ssl
    • authentication
    • authorization
  • using security we should also avoid the most common security attacks, like CSRF and broken authentication, inside our application

Why Spring Security

  • you can add security code without changing the business logic
  • open source framework, no licence cost
  • can handle common security vulnerabilities like CSRF and CORS
  • supports various security standards for implementing authentication, such as username/password authentication, JWT tokens, OAuth2, OpenID etc.

Servlets & Filters

  • spring security works on filters
  1. servlet
  • the client sends an HTTPS request, but the server code can't understand it directly
  • so a servlet container like Apache Tomcat converts the HTTPS request into Java objects that the server code can understand
  • and the servlet container also converts the server's response back into an HTTPS response message

  2. filter
  • a filter is a special kind of servlet that we can use to intercept every request and response
  • so, using those same filters, Spring Security enforces security based on our configuration inside a web application

Spring Security Internal flow

  • the essential point is that Spring Security works through a filter chain
  1. the user sends a request
  2. the Spring Security filters intercept each request and work together to identify whether authentication is required or not
    • if authentication is required, they navigate the user to the login page accordingly, or use the existing details stored during the initial authentication
  3. Authentication
    • a filter like UsernamePasswordAuthenticationFilter extracts the username/password from the HTTP request and prepares an Authentication-type object
  4. AuthenticationManager
    • once it receives the request from the filter, it delegates validating the user details to the available authentication providers
    • since there can be multiple providers inside an app, it is the responsibility of the AuthenticationManager to manage all the available authentication providers
  5. AuthenticationProvider
    • AuthenticationProviders hold all the core logic of validating user details for authentication
  6. UserDetailsManager/UserDetailsService
    • helps in retrieving, creating, updating and deleting user details from the DB systems
  7. PasswordEncoder
    • helps with encoding/hashing passwords
  8. SecurityContext
    • once the request has been authenticated, the Authentication is usually stored in a thread-local SecurityContext managed by the SecurityContextHolder
    • this helps during upcoming requests from the same user
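As an added example (not code from the original post), here is a Spring Security 6 Java configuration that wires together the pieces described in the Servlets & Filters section and in steps 2, 3, 6 and 7 above: the filter chain, the form-login filter, a UserDetailsService and a PasswordEncoder. It assumes Spring Boot 3 with Spring Security 6 on the classpath; the user name, password and URL patterns are constructed sample values.

```java
// Added example, not the post's own code. Assumes Spring Boot 3 / Spring Security 6.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Step 2: the filter chain every request passes through. Unauthenticated requests
    // to protected URLs are sent to the login page; public URLs pass straight through.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()  // constructed sample paths
                .anyRequest().authenticated())                   // everything else needs login
            .formLogin(Customizer.withDefaults())  // step 3: installs UsernamePasswordAuthenticationFilter
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Step 6: where the AuthenticationProvider looks up the stored user.
    // In-memory store for illustration only; a real app would back this with a database.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user = User.builder()
            .username("alice")                       // constructed sample user
            .password(encoder.encode("change-me"))   // stored as a bcrypt hash, never plain text
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }

    // Step 7: DaoAuthenticationProvider (step 5, auto-configured from these two beans)
    // calls encoder.matches(submitted, storedHash) instead of comparing plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

After a successful form login the resulting Authentication is placed in the SecurityContextHolder (step 8) and tied to the session, which is what the next section relies on.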

The Way Spring Security handle multiple request

  • once the user has logged in (authentication OK), Spring Security does not ask that user to authenticate again
  • before you log in, the web application cookie holds a session ID
  • after login, the session ID changes
  • if you send the same cookie, Spring Security treats this user as an authenticated user and skips the login
  • if the session ID is removed or changed, you need to log in again
I am a junior web developer.

1 comment

July 27, 2023

This was an informative post.