java - How exactly does this Spring Security example work?
I am pretty new to Spring Security and have a doubt related to a configuration I found in a tutorial.
This is the spring-security.xml file used for the Spring Security configuration of the project:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
                           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <security:http>
        <security:intercept-url pattern="/springlogin" access="permitAll"/>
        <security:intercept-url pattern="/dospringlogin" access="permitAll"/>
        <security:intercept-url pattern="/myprofile" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/springhome" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/products" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/springlogout" access="permitAll"/>
        <security:intercept-url pattern="/springlogin?error=true" access="permitAll"/>

        <security:form-login login-page="/springlogin"
                             login-processing-url="/dospringlogin"
                             default-target-url="/springhome"
                             authentication-failure-url="/springlogin?error=true"
                             username-parameter="username"
                             password-parameter="password"/>
        <security:csrf disabled="true"/>
        <security:logout logout-url="/springlogout" logout-success-url="/springlogin"/>
    </security:http>

    <bean id="userDetailsServiceImpl" class="com.demo.security.UserDetailsServiceImpl"></bean>

    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsServiceImpl"></property>
    </bean>

    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <constructor-arg name="providers">
            <list>
                <ref bean="authenticationProvider"/>
            </list>
        </constructor-arg>
    </bean>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetailsServiceImpl">
            <security:password-encoder hash="plaintext"></security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
```
I divided it into sections. The first one is the content of the <security:http> tag.
It contains things such as:

```xml
<security:intercept-url pattern="/springlogin" access="permitAll"/>
```

which I think means that the page related to the /springlogin resource is accessible to everyone, while

```xml
<security:intercept-url pattern="/myprofile" access="hasRole('ROLE_USER')"/>
```

means that the resource related to /myprofile is accessible to a logged user (the principal) who has the ROLE_USER role set.
Is this reasoning correct?
Then in the previous configuration file there is:
1) the declaration of the authenticationManager bean:
```xml
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg name="providers">
        <list>
            <ref bean="authenticationProvider"/>
        </list>
    </constructor-arg>
</bean>
```
which I think is used by Spring to populate the SecurityContext with the principal objects (for example the users of the web application) and the authorities (what a specific principal can do).
Is this reasoning correct?
This object takes as constructor arg a list of authentication provider beans that have to provide the principal information (so, for example, the role associated with a specific principal).
In this case the provided implementation is the DaoAuthenticationProvider class, which takes as its userDetailsService property the bean named "userDetailsServiceImpl", this one:

```xml
<bean id="userDetailsServiceImpl" class="com.demo.security.UserDetailsServiceImpl"></bean>
```

which is an instance of the UserDetailsServiceImpl class, this one:
```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserDetailsServiceImpl implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println(username); // debug output left in by the tutorial

        // Application-specific DAO lookup; User here is the application's own entity.
        User user = RegisteryDao.getUserDao().getUserByUsername(username);
        if (user == null) {
            // The UserDetailsService contract requires an exception for an unknown user;
            // returning null makes DaoAuthenticationProvider fail with an internal error instead.
            throw new UsernameNotFoundException("User not found: " + username);
        }

        // Map the single stored role onto a GrantedAuthority for Spring Security.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority(user.getRole()));

        // Fully qualified to avoid clashing with the application's own User class.
        UserDetails userDetails = new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), true, true, true, true, authorities);
        return userDetails;
    }
}
```
So what happens?
Using the debugger it seems to me that when the user tries to access a specific page, loadUserByUsername() returns a UserDetails object related to the logged user that contains a list representing the roles associated with the specific logged user (for example the previous ROLE_USER).
Then I think that Spring automatically uses

```xml
<security:intercept-url pattern="/myprofile" access="hasRole('ROLE_USER')"/>
```

to check if the user has the proper role set in the previous list.
If so, it forwards the request to the controller method that handles the HTTP request; otherwise it prevents the HttpRequest from reaching the controller method and shows a page saying the user can't access the resource.
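As an added example (not code from the question or from the tutorial it comes from), here is the same ProviderManager / DaoAuthenticationProvider / UserDetailsService wiring done in plain Java without the XML, so the authenticate() call can be run and inspected directly. A constructed in-memory table stands in for RegisteryDao, and BCryptPasswordEncoder replaces the plaintext password encoder from the configuration; the class names AuthenticationFlowDemo and InMemoryUserDao are my own, and the code assumes spring-security-core on the classpath.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class AuthenticationFlowDemo {

    /** Constructed stand-in for RegisteryDao: username -> { bcrypt hash, role }. */
    static final class InMemoryUserDao {
        private final Map<String, String[]> rows = new HashMap<String, String[]>();

        InMemoryUserDao(PasswordEncoder encoder) {
            // Only the hash is stored; the clear-text password never reaches the "database".
            rows.put("alice", new String[] { encoder.encode("correct horse"), "ROLE_USER" });
        }

        String[] findByUsername(String username) {
            return rows.get(username);
        }
    }

    /** Same shape as the question's UserDetailsServiceImpl, honouring the interface contract. */
    static final class UserDetailsServiceImpl implements UserDetailsService {
        private final InMemoryUserDao dao;

        UserDetailsServiceImpl(InMemoryUserDao dao) {
            this.dao = dao;
        }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            String[] row = dao.findByUsername(username);
            if (row == null) {
                // Unknown user: throw, do not return null (DaoAuthenticationProvider treats
                // null as a contract violation and reports an internal error instead).
                throw new UsernameNotFoundException("no such user");
            }
            return new User(username, row[0], true, true, true, true,
                    Collections.singletonList(new SimpleGrantedAuthority(row[1])));
        }
    }

    /** Equivalent of the XML beans: ProviderManager -> DaoAuthenticationProvider -> UserDetailsService. */
    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new UserDetailsServiceImpl(new InMemoryUserDao(encoder)));
        provider.setPasswordEncoder(encoder); // replaces hash="plaintext"
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();

        // Valid credentials: the token comes back marked authenticated, its principal is the
        // UserDetails, its authorities are the roles, and ProviderManager has erased the password.
        Authentication ok = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse"));
        System.out.println("authenticated=" + ok.isAuthenticated()
                + " principal=" + ((UserDetails) ok.getPrincipal()).getUsername()
                + " authorities=" + ok.getAuthorities()
                + " credentials=" + ok.getCredentials());

        // Wrong password and unknown user: both end in an AuthenticationException. Because
        // hideUserNotFoundExceptions defaults to true, the caller cannot tell the two apart.
        String[][] failures = { { "alice", "wrong" }, { "mallory", "anything" } };
        for (String[] attempt : failures) {
            try {
                manager.authenticate(new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
            } catch (AuthenticationException e) {
                System.out.println(attempt[0] + ": " + e.getClass().getSimpleName());
            }
        }
    }
}
```

Running it shows the two halves of the question's "what happens": the successful call returns a populated Authentication carrying ROLE_USER (with the credentials field already cleared), while both failed attempts surface as the same BadCredentialsException rather than revealing whether the username exists.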
Here is an explanation of the concepts you are asking questions about.

AuthenticationManager

The AuthenticationManager is the component responsible for processing an authentication request. The authentication request might be an instance of UsernamePasswordAuthenticationToken for username/password logins. For other implementations look at the Authentication javadoc.

The AuthenticationManager has a collection of AuthenticationProvider implementations. These components are capable of processing specific authentication types, and the AuthenticationManager iterates through them attempting to find one capable of handling the authentication passed to it. If it finds one, it calls it with the Authentication object presented and returns a populated Authentication object if successful (otherwise an AuthenticationException is thrown).
AuthenticationProvider

As mentioned above, an AuthenticationProvider processes a type of Authentication request. For instance DaoAuthenticationProvider performs the following steps when called by the AuthenticationManager:

- take the UsernamePasswordAuthenticationToken passed to it
- use the UserDetailsService implementation provided (in your case UserDetailsServiceImpl) to load the user by username
- check the password provided in the authentication token against the user using the PasswordEncoder and SaltSource, if specified
- if authentication succeeds, return a populated Authentication object (UsernamePasswordAuthenticationToken in your case), which contains the principal and credentials and is marked authenticated
- in case authentication fails, an AuthenticationException is thrown

The DaoAuthenticationProvider you are using is capable of processing UsernamePasswordAuthenticationToken requests. Those are typically form logins and so on. You can see which types of authentication a provider supports by looking at its supports() method implementation, which in the case of DaoAuthenticationProvider looks like this:

```java
public boolean supports(Class<?> authentication) {
    return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
```
Spring Security filter chain

Now let's look at the security filter chain, as defined in the Spring Security documentation:

The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:

1. ChannelProcessingFilter, because it might need to redirect to a different protocol
2. SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
3. ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality and needs to update the SessionRegistry to reflect ongoing requests from the principal
4. Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter etc - so that the SecurityContextHolder can be modified to contain a valid Authentication request token
5. The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
6. RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
7. AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
8. ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
9. FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied

When the user submits the login form, the AuthenticationManager is called at step 4 in the filter chain. In case of form login this is handled by UsernamePasswordAuthenticationFilter, which calls the AuthenticationManager to process the authentication:

```java
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException {
    // ...
    return this.getAuthenticationManager().authenticate(authRequest);
}
```
> Using the debugger it seems to me that when the user tries to access a specific page loadUserByUsername() returns UserDetails

Actually loadUserByUsername() is called only when the user authenticates, for instance after submitting the login form. If the user is already authenticated it is not called.

> I think this means that the page related to the /springlogin resource is accessible to everyone: <security:intercept-url pattern="/springlogin" access="permitAll" />

> Then I think that Spring automatically uses the following to check if the user has the proper role:
> <security:intercept-url pattern="/myprofile" access="hasRole('ROLE_USER')" />

Correct. This process is handled by FilterSecurityInterceptor, which extends AbstractSecurityInterceptor - the core Spring Security component dealing with authorization. If the user is not authenticated or doesn't have the required role an exception is thrown and handled by ExceptionTranslationFilter. This filter handles security exceptions. For instance in case of authentication failure it will redirect the user to the authentication entry point, e.g. the login page.

The internal architecture of Spring Security is pretty nicely described in the reference documentation. I recommend taking a look at it.
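To tie the answer back to the configuration in the question, here is the same <security:http> and authentication-manager setup expressed as Spring Security 4.x Java config. This is an added example, not code from the question, the answer or the tutorial: the class name SecurityConfig is mine, the UserDetailsService is assumed to be the question's UserDetailsServiceImpl registered as a bean, and two settings deliberately differ from the XML, which the comments call out: CSRF protection is left enabled instead of disabled, and BCrypt replaces hash="plaintext". The deny-by-default anyRequest() rule is also an addition the XML does not have.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed to be the question's UserDetailsServiceImpl, registered as a bean elsewhere.
    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Replaces <security:password-encoder hash="plaintext"/>: stored passwords are
        // salted bcrypt hashes, so a leaked user table does not leak credentials.
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Equivalent of the XML ProviderManager + DaoAuthenticationProvider wiring:
        // the builder creates a DaoAuthenticationProvider around this UserDetailsService.
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The <security:intercept-url/> rules, evaluated by FilterSecurityInterceptor.
            // Ant patterns are matched against the path only, so "/springlogin" already
            // covers "/springlogin?error=true"; a separate rule for it is not needed.
            .authorizeRequests()
                .antMatchers("/springlogin", "/dospringlogin", "/springlogout").permitAll()
                // hasRole("USER") is the Java-config spelling of hasRole('ROLE_USER').
                .antMatchers("/myprofile", "/springhome", "/products").hasRole("USER")
                // Added: anything not listed above requires a login (the XML has no catch-all).
                .anyRequest().authenticated()
                .and()
            // <security:form-login .../>: UsernamePasswordAuthenticationFilter at step 4 of the chain.
            .formLogin()
                .loginPage("/springlogin")              // also the AuthenticationEntryPoint target
                .loginProcessingUrl("/dospringlogin")
                .defaultSuccessUrl("/springhome")
                .failureUrl("/springlogin?error=true")
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            // <security:logout .../>. With CSRF enabled, logout must be a POST carrying the token.
            .logout()
                .logoutUrl("/springlogout")
                .logoutSuccessUrl("/springlogin");
        // CSRF protection is on by default; <security:csrf disabled="true"/> is intentionally
        // not reproduced, so the login and logout forms must include the _csrf parameter.
    }
}
```

When access to one of the hasRole URLs is denied, the exception raised by FilterSecurityInterceptor is caught by ExceptionTranslationFilter exactly as described above: an unauthenticated user is sent to the loginPage entry point, while an authenticated user lacking ROLE_USER gets a 403 response.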