Spring Security Reference
6. Security Namespace Configuration
6.3. Advanced Web Features
Standard Filter Aliases and Ordering
| Alias | Filter Class | Namespace Element or Attribute |
|---|---|---|
| CHANNEL_FILTER | ChannelProcessingFilter | http/intercept-url@requires-channel |
| SECURITY_CONTEXT_FILTER | SecurityContextPersistenceFilter | http |
| CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter | session-management/concurrency-control |
| HEADERS_FILTER | HeaderWriterFilter | http/headers |
| CSRF_FILTER | CsrfFilter | http/csrf |
| LOGOUT_FILTER | LogoutFilter | http/logout |
| X509_FILTER | X509AuthenticationFilter | http/x509 |
| PRE_AUTH_FILTER | AbstractPreAuthenticatedProcessingFilter Subclasses | N/A |
| CAS_FILTER | CasAuthenticationFilter | N/A |
| FORM_LOGIN_FILTER | UsernamePasswordAuthenticationFilter | http/form-login |
| BASIC_AUTH_FILTER | BasicAuthenticationFilter | http/http-basic |
| SERVLET_API_SUPPORT_FILTER | SecurityContextHolderAwareRequestFilter | http/@servlet-api-provision |
| JAAS_API_SUPPORT_FILTER | JaasApiIntegrationFilter | http/@jaas-api-provision |
| REMEMBER_ME_FILTER | RememberMeAuthenticationFilter | http/remember-me |
| ANONYMOUS_FILTER | AnonymousAuthenticationFilter | http/anonymous |
| SESSION_MANAGEMENT_FILTER | SessionManagementFilter | session-management |
| EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter | http |
| FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor | http |
| SWITCH_USER_FILTER | SwitchUserFilter | N/A |
9. Technical Overview
9.3 Authentication
9.3.1 What is authentication in Spring Security?
The username and password are obtained and combined into an instance of
UsernamePasswordAuthenticationToken(an instance of theAuthenticationinterface, which we saw earlier).The token is passed to an instance of
AuthenticationManagerfor validation.The
AuthenticationManagerreturns a fully populatedAuthenticationinstance on successful authentication.The security context is established by calling
SecurityContextHolder.getContext().setAuthentication(…), passing in the returned authentication object.
AuthenticationExample
13. The Security Filter Chain
13.3 Filter Ordering
ChannelProcessingFilter, because it might need to redirect to a different protocolSecurityContextPersistenceFilter, so aSecurityContextcan be set up in theSecurityContextHolderat the beginning of a web request, and any changes to theSecurityContextcan be copied to theHttpSessionwhen the web request ends (ready for use with the next web request)ConcurrentSessionFilter, because it uses theSecurityContextHolderfunctionality and needs to update theSessionRegistryto reflect ongoing requests from the principalAuthentication processing mechanisms -
UsernamePasswordAuthenticationFilter,CasAuthenticationFilter,BasicAuthenticationFilteretc - so that theSecurityContextHoldercan be modified to contain a validAuthenticationrequest tokenThe
SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security awareHttpServletRequestWrapperinto your servlet containerThe
JaasApiIntegrationFilter, if aJaasAuthenticationTokenis in theSecurityContextHolderthis will process theFilterChainas theSubjectin theJaasAuthenticationTokenRememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated theSecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable rememberedAuthenticationobject will be put thereAnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated theSecurityContextHolder, an anonymousAuthenticationobject will be put thereExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriateAuthenticationEntryPointcan be launchedFilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied
26. Expression-Based Access Control
26.1 Overview
26.1.1 Common Built-In Expressions
| Expression | Description |
|---|---|
| hasRole([role]) | Returns true if the current principal has the specified role. By default if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler. |
| hasAnyRole([role1,role2]) | Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings). By default if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler. |
| hasAuthority([authority]) | Returns true if the current principal has the specified authority. |
| hasAnyAuthority([authority1,authority2]) | Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings) |
| principal | Allows direct access to the principal object representing the current user |
| authentication | Allows direct access to the current Authentication object obtained from the SecurityContext |
| permitAll | Always evaluates to true |
| denyAll | Always evaluates to false |
| isAnonymous() | Returns true if the current principal is an anonymous user |
| isRememberMe() | Returns true if the current principal is a remember-me user |
| isAuthenticated() | Returns true if the user is not anonymous |
| isFullyAuthenticated() | Returns true if the user is not an anonymous or a remember-me user |
| hasPermission(Object target, Object permission) | Returns true if the user has access to the provided target for the given permission. For example, hasPermission(domainObject, 'read') |
| hasPermission(Object targetId, String targetType, Object permission) | Returns true if the user has access to the provided target for the given permission. For example, hasPermission(1, 'com.example.domain.Message', 'read') |