Spring Security Internal Flow And Architecture#
Spring Security Internal Flow And Architecture#
- How spring security framework works internally, once it receives any request from the FE or any third party app consumers? See the image below.
-
So in the
step 1, when someone calls app through browser or any app consumer with the credentials, a filter (authentication filter), which is present in the spring security framework, will be intercepting the request. -
Then it will try to convert whatever authentication details that we are receiving from the user like username and password into an
authentication object. This authentication object is a base where all the validation of user credentials will validated. Once that ID object is built, the request will be passed to theauthentication manager. -
Authentication manageris the place where it will identify what is correspondentauthentication providerthat the request has to go. In this basic authentication example, we have not have many processes where we can validate user credentials or we may use database to validate user credentials or we may use LDAP or OAuth. So there can be many possible providers that your system has. -
In simple words, we can say that
Authentication managerwill identify what is the most appropriateauthentication providerthat the request has to be sent. -
Authentication provider, this is a place where all your business logic will be implemented. The logic related to your security like how do you validate username and password? There can be scenarios where you may receive email as a user. So based upon all such scenarios, you will implement all your logic of security validation inside yourauthentication provider. -
Authentication providerwill provide 2 interfaces. One isuser details servicesand other one ispassword encoder. Theuser detail servicesis the interface which holds user schema and thepassword encoderwhich will tell you how all passwords have to be encrypted, encoded and decrypted while evaluating the security. -
Once
authentication providerusinguser detail servicesandpassword encodersvalidator with the input credentials are valid or not, the flow will be given back to the authentication manager followed by theauthentication filter. -
Now the authentication object, which we initially sent from the
authentication filterwill hold, whether the user is a valid authenticated user, what are the authorities or what are the roles associated with the user inside the authentication object. -
Once the
authentication filterpass thatauthentication objecttosecurity contextthen all details will bestored inside the container. -
Security contextis the place where we save the data of the user once the users authenticated themself. It save details like whether the user is valid or might not be a valid user. -
All such details will be stored inside the
security contextand given back to the browser or any consumer from second time onwards. If they are trying to pass the same security information, all the flow fromstep 1tostep 8will not be executed because we already tried to validate the person using that credentials. -
So, Spring Security will tell you, OK, using this token or these credentials whatever I am receiving from second time onwards, I will directly show you whether this is the valid token or not.
-
This is how it works internally in spring security framework. No matter how complex your Spring Security project is. The basic and internal flow of Spring security will remain the same as given in the image diagram above.
-
If you want to take a simple example. So let's visit Spring Security Basic.
-
For those who visited Spring Security Basic before. So do you remember that there is a
generated token(Session) which is put in a cookie?. So in that case, the application used the security context interface to save thesessioninto thespring container. So for the second time onwards, by using thissessionin thecookie. It will directly show you whether this is the valid token or not quickly and doesn't need you to provide username/password.