How Spring Security Filter Chain works

The Spring Security filter chain is a very complex and flexible engine. Key filters in the chain are (in order): SecurityContextPersistenceFilter (restores the Authentication from the JSESSIONID), UsernamePasswordAuthenticationFilter (performs authentication), ExceptionTranslationFilter (catches security exceptions thrown by FilterSecurityInterceptor), FilterSecurityInterceptor (may throw authentication and authorization exceptions). Looking at the current stable release 4.2.1 documentation, section 13.3 Filter Ordering, you … Read more

What is the meaning and difference between subject, user and principal?

These are hierarchical in the way that genus, species and individual are hierarchical. Subject – In a security context, a subject is any entity that requests access to an object. These are generic terms used to denote the thing requesting access and the thing the request is made against. When you log onto an application … Read more

RESTful Authentication via Spring

We managed to get this working exactly as described in the OP, and hopefully someone else can make use of the solution. Here's what we did: Set up the security context like so: <security:http realm="Protected API" use-expressions="true" auto-config="false" create-session="stateless" entry-point-ref="CustomAuthenticationEntryPoint"> <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" /> <security:intercept-url pattern="/authenticate" access="permitAll"/> <security:intercept-url pattern="/**" access="isAuthenticated()" /> </security:http> <bean id="CustomAuthenticationEntryPoint" class="com.demo.api.support.spring.CustomAuthenticationEntryPoint" … Read more

Difference between Role and GrantedAuthority in Spring Security

Think of a GrantedAuthority as being a “permission” or a “right”. Those “permissions” are (normally) expressed as strings (with the getAuthority() method). Those strings let you identify the permissions and let your voters decide if they grant access to something. You can grant different GrantedAuthoritys (permissions) to users by putting them into the security context. … Read more