Wednesday, August 9, 2023

How does Spring Security work? What is the role of DelegatingFilterProxy and springSecurityFilterChain?

Spring Security is a very straightforward framework. It protects your application by locking down URLs. It provides both authentication and authorization for Java web applications, but the big question is: how does it do that? How exactly does Spring Security work internally? I have seen this Spring Security question come up several times in recent Spring interviews, so I thought I would summarize what I know about how Spring Security works. The most important thing to remember is that Spring Security works by using servlet filters. Since an HTTP request is passed to any matching filters before it reaches the servlet, a filter can intercept an HTTP request, and that is exactly what Spring Security does.

In this article, I'll explain how Spring Security works internally. By the way, this is the second such post on the Spring framework. Earlier, I explained how Spring MVC works internally; if you haven't read it already, you may find it useful as well. Anyway, let's start now.

Internally it maintains a chain of filters for doing authentication and authorization. It has filters providing different features, arranged in a predefined order, e.g. it has a ConcurrentSessionFilter to prevent concurrent sessions from the same user.

But, again, the big question is: how does the Servlet container pass an HTTP request to Spring Security for authentication and authorization? This is achieved by declaring a special filter called DelegatingFilterProxy, which provides the link between web.xml and Spring's application context.

In order to enable Spring Security in your Java web application, you need to declare this DelegatingFilterProxy filter in your web.xml, just like any other filter, but you must specify the name as springSecurityFilterChain. The name is very important because the DelegatingFilterProxy, which implements the FilterChain interface, delegates the request to the Spring bean named "springSecurityFilterChain".

This is the starting point of Spring Security and provides the linkage between the Servlet container and the Spring framework. In Spring Security, the filter classes, e.g. those which provide authentication, authorization, and other security features, are also Spring beans, defined in the application context, and hence they can take advantage of Spring's rich dependency-injection facilities and lifecycle interfaces.
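As an added example (not code from the original post), here is the programmatic, Servlet 3.0+ equivalent of the web.xml declaration just described: a WebApplicationInitializer that registers a DelegatingFilterProxy under the name springSecurityFilterChain and maps it to every URL. The class name SecurityFilterRegistration is my own; in a real project Spring Security's AbstractSecurityWebApplicationInitializer performs this same registration for you. The code assumes Spring 6 with the jakarta.servlet API (on Spring 5 the imports are javax.servlet).

```java
import java.util.EnumSet;

import jakarta.servlet.DispatcherType;
import jakarta.servlet.FilterRegistration;
import jakarta.servlet.ServletContext;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;

/**
 * Registers the DelegatingFilterProxy programmatically. This is the Java
 * equivalent of the classic web.xml declaration:
 *
 *   <filter>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * Class name is an illustration chosen for this example.
 */
public class SecurityFilterRegistration implements WebApplicationInitializer {

    // Must match the bean name under which Spring Security publishes its filter chain.
    static final String FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void onStartup(ServletContext servletContext) {
        // The proxy holds no security logic of its own. At request time it looks up
        // the bean named "springSecurityFilterChain" in the root WebApplicationContext
        // and hands the request to that bean's doFilter().
        DelegatingFilterProxy proxy = new DelegatingFilterProxy(FILTER_NAME);

        FilterRegistration.Dynamic registration = servletContext.addFilter(FILTER_NAME, proxy);

        // Map the proxy to every URL. ERROR and ASYNC dispatches are included so that
        // error pages and async re-dispatches do not bypass the security filters.
        registration.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
                false,   // isMatchAfter=false: run ahead of filter mappings declared in web.xml
                "/*");
    }
}
```

The proxy fails closed: if the root application context has no bean named springSecurityFilterChain, DelegatingFilterProxy throws rather than letting the request through unfiltered, so a startup exception mentioning that bean name is the first thing to look for when the security chain appears to be missing.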

[Figure: how a request is processed in Spring Security: DelegatingFilterProxy]

How is a request processed in Spring Security?

When an HTTP request hits the web server it is handed over to DelegatingFilterProxy, because it is generally configured to intercept all requests by specifying a wildcard (*) in its url-pattern. The DelegatingFilterProxy then passes this request to all the filters which are part of springSecurityFilterChain.

Depending upon your Spring Security configuration, the corresponding filters are instantiated and configured by Spring Security at application startup. For example, HTTP Basic security is enabled by calling the http.httpBasic() method (if you are using Java configuration) or by specifying the <http> tag (if you are using XML-based Spring Security configuration).

The request is then processed by the filters in the chain in a pre-defined order, such that authentication occurs before authorization. If the request makes it through all the filters, it is handed over to the corresponding Servlet, e.g. the DispatcherServlet of the Spring framework, for further processing.

How many filters a particular request will go through depends upon your Spring Security configuration. If you enable more functionality, more filters will be employed. You can even create your own custom filters and attach them to the Spring Security filter chain at some pre-defined position, e.g. before filter X or after filter X.
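As an added example (not from the original post), the following Java configuration shows both points at once: enabling HTTP Basic, which puts BasicAuthenticationFilter into the chain, and attaching a custom filter at a chosen position with addFilterAfter. The filter class AuthenticationAuditFilter is my own illustration; it only records who the request is authenticated as and then continues the chain. The code assumes Spring Security 6 with the jakarta.servlet API; the same builder methods exist on Spring Security 5.6+ with javax.servlet imports.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
// debug = true makes Spring Security log the resolved filter list and, for each
// request, every filter it passes through. Useful for verifying ordering in development.
@EnableWebSecurity(debug = true)
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Enabling HTTP Basic is what causes BasicAuthenticationFilter to be added to the chain.
            .httpBasic(Customizer.withDefaults())
            // Authorization runs later in the chain than authentication.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Position matters: placed after BasicAuthenticationFilter, the SecurityContext is
            // already populated (when credentials were valid) but authorization has not yet run.
            .addFilterAfter(new AuthenticationAuditFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }

    /** Example custom filter (not a Spring Security class): observes, never blocks. */
    static class AuthenticationAuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // With no valid credentials the context is still empty here, because
            // AnonymousAuthenticationFilter runs later in the chain.
            String who = (auth != null && auth.isAuthenticated()) ? auth.getName() : "unauthenticated";
            // 'logger' is the protected Commons Logging field inherited from GenericFilterBean.
            logger.info(request.getMethod() + " " + request.getRequestURI() + " by " + who);
            chain.doFilter(request, response);   // always continue; the chain decides access
        }
    }
}
```

Swapping addFilterAfter for addFilterBefore(filter, BasicAuthenticationFilter.class) would place the same filter before authentication, and its log line would then always read "unauthenticated", which is a quick way to see why position in the chain matters. The debug flag also logs request details, so keep it out of production configuration.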

How does Spring Security work internally?



That's all about how the Spring Security framework works internally. It's important for Java and Spring developers to understand exactly how Spring Security works so that they can debug the flow if there is a problem, e.g. authentication or authorization is not working as expected.

A good knowledge of Spring Security's architecture and workflow is also required for customizing Spring Security for your needs; for example, if you want to develop a custom filter then you must know where to add it in the Spring Security filter chain.

I'll talk more about the built-in filters in Spring Security in coming articles, but if you can't wait, I suggest you go through Eugen Paraschiv's Learn Spring Security MasterClass. He has also updated his master class for Spring Security 5, which makes it the most up-to-date course on Spring Security at this moment.

Thanks for reading this article. If you like this Spring Security interview question and my explanation of how Spring Security works then please share it with your friends and colleagues. If you have any questions or feedback then please drop a comment.

P. S. - If you are new to Spring Security and looking for a comprehensive course to learn it, then I also suggest you check out this list of best Spring Security online courses. It contains the most up-to-date courses to learn Spring Security, OAuth 2.0, and JWT in depth.
