Spring security

Spring security is based on URL pattern, each URL pattern has an associated chain of interceptors that handles various aspect of security


Eg.  <security:http pattern="/_ui/**" security="none" />     no security control


<security:http disable-url-rewriting="true" pattern="/checkout/**" use-expressions="true">
    <security:anonymous username="anonymous" granted-authority="ROLE_ANONYMOUS" />
    <security:access-denied-handler error-page="/login"/>
    <security:session-management session-authentication-strategy-ref="fixation" />
    .....
</security:http>        requires security control


Security:anonymous :

Still assign a user name and role for urls that does not require security control. Managed by AnonymousAuthenticationFilter and AnonymousAuthenticationProvider. An AnonymousAuthenticationToken is added into SecurityContextHolder. An AnonymousAuthenticationFilter is associated with an AnonymousAuthenticationProvider by a key/value pair.

AuthenticationTrustResolver used by the auth exception handler to distinguish between anonymous user, remember me user and normal user. The exception handler redirects to authentication entry point for anonymous user. Also used by authentication voter


Security:access-denied-handler:

Return to an error page if access is denied, usually redirects to login page


Security:intercept-url
Performs security control  based on role or allowed channel (http, https etc)


Security:session-management

SessionManagementFilter checks whether user has been authenticated by retrieving SecurityContextHolder from SecurityContextRepository. If a valid SecurityContextHolder exists, it invokes SessionAuthenticationStrategy. Otherwise, it invokes InvalidSessionStrategy, which usually just performs redirection (SimpleRedirectInvalidSessionStrategy)


Fixation protection: SessionFixationProtectionStrategy, create a new session and copy all attributes, this prevents session hijacking.


ConcurrentSessionControlAuthenticationStrategy: check number of sessions created by user, throw exception or invalidate existing session on exceed


Security:form-login
Login-processing-url:   (default /j_spring_security_check) specifies the url pattern of the filter that handles authentication request. Handled by UsernamePasswordAuthenticationFilter and delegates to authenticationManager to perform actual authentication. See CoreAuthenticationProvider and CoreUserDetailService for basic authentication logic. See AcceleratorAuthenticationProvider  which adds additional check on brutal force attack and shopping cart ownership

login-page:  the login page

authentication-failure-handler-ref:  handles authentication failure. See LoginAuthenticationFailureHandler: This performs redirect

authentication-success-handler-ref:  See GUIDAuthenticationSuccessHandler:  set the cookie, reset brutal force attack counter and handles cart creation. By default, spring security performs redirection on previously remembered resource url if any. See SavedRequestAwareAuthenticationSuccessHandler


Security:request-cache
Used to remember previously accessed url  before login page shows, see also SavedRequestAwareAuthenticationSuccessHandler

你可能感兴趣的:(spring,Security)