[SOLVED] Some problem related to security and caching

  1. Can someone guide me on the Spring Security internal architectural flow, as well as RESTful web services with a basic authentication service like LDAP or OAuth?
  2. I have some problems with the second-level cache (Hibernate). Can anyone put some light on it?
1 Like

Well, first you should know that there is a Spring Security filter chain (described later on here).
When the context is loaded, the Authentication Manager populates the Security Context, and this context has all the information about the security policies to use, and how to use them.

When a request is received the flow is:

  1. The security interceptor captures it to protect secured resources
  2. It asks the Access Decision Manager what to do
  3. This manager then checks whether access should be granted or not (based on a voter principle, i.e. on rules)
  4. If so, the filter calls the proceed method
  5. If not, a security exception is thrown

The Spring Security filter chain is:

  1. SecurityContextPersistenceFilter
   • if there is a session, access is granted and the request goes on
   • if not, it goes to 2)
  2. LogoutFilter (does nothing if it is not a logout request, and proceeds)
  3. UsernamePasswordAuthenticationFilter
   • extracts the username and the password from the request parameters and passes them to authenticationManager.authenticate(username, password)
  4. The AuthenticationManager performs the authentication based on its policy (e.g. Basic, Digest, RSA). If authenticated, it adds information about the session id to the response headers, to be remembered by the SecurityContextPersistenceFilter as the session
   • If not, a Spring Security exception is thrown
  5. Proceed to ExceptionTranslationFilter: if no exception has been thrown so far it does nothing on the request side, it only acts when responding. The request is then passed to FilterSecurityInterceptor, which does nothing if the resource has no attributes (base configs)
  6. Finally it accesses the secured resource and returns in the exact inverse order

I recommend you open and check these classes one by one, put breakpoints in them, debug them, and look at the call stacks. This way you will understand the security flow.
Plus, I encourage you to refer to the documentation if any doubt persists.

I suggest that you read the Spring Security Manual (especially Chapters 5 and 7, which give a good overview of how it all fits together), and come back if you have more specific questions. (And ask them one at a time …)

Hope this helps you or someone else. Cheers

4 Likes
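As an added example (not code from the post above or from the Spring project), here is a minimal Spring Boot configuration that lets you watch the flow the answer describes instead of reading about it. It assumes Spring Boot 3 / Spring Security 6 with `spring-boot-starter-web` and `spring-boot-starter-security` on the classpath; the class names, the user accounts `alice`/`root` and their passwords are constructed for the demo. Two things differ from the older class names in the answer and are worth knowing when you set breakpoints: with HTTP Basic the credentials are read by `BasicAuthenticationFilter` (the `UsernamePasswordAuthenticationFilter` handles form login), and the final authorization check is done by `AuthorizationFilter`, the successor of `FilterSecurityInterceptor`. `@EnableWebSecurity(debug = true)` makes Spring Security print the ordered filter list and the request details for every request; it also logs request headers, including the `Authorization` header carrying the Basic credentials, so never leave it on outside a local dev box.

```java
// Hypothetical file: BasicAuthFlowConfig.java (example code, not from the original post)
import java.io.IOException;
import java.util.Map;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
// DEV ONLY: debug=true logs the filter chain and the request headers (incl. Authorization) per request.
@EnableWebSecurity(debug = true)
public class BasicAuthFlowConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless REST API: no session, so no CSRF token to protect a session cookie.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Access rules evaluated by AuthorizationFilter, the last filter before the resource.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            // BasicAuthenticationFilter parses the Authorization header and calls AuthenticationManager.
            .httpBasic(Customizer.withDefaults())
            // Probes placed around BasicAuthenticationFilter show when the SecurityContext gets populated.
            .addFilterBefore(new ContextProbeFilter("before BasicAuthenticationFilter"), BasicAuthenticationFilter.class)
            .addFilterAfter(new ContextProbeFilter("after BasicAuthenticationFilter"), BasicAuthenticationFilter.class);
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // never store or compare plaintext passwords
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed demo accounts; a real service would back this with LDAP, a database, etc.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build(),
            User.withUsername("root").password(encoder.encode("adm1n")).roles("USER", "ADMIN").build());
    }

    /** Logs what the SecurityContext holds at a given point in the chain, then proceeds. */
    static final class ContextProbeFilter extends OncePerRequestFilter {
        private final String stage;

        ContextProbeFilter(String stage) {
            this.stage = stage;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            Authentication a = SecurityContextHolder.getContext().getAuthentication();
            System.out.printf("[%s] %s %s -> %s%n", stage, req.getMethod(), req.getRequestURI(),
                a == null ? "no Authentication yet" : a.getName() + " " + a.getAuthorities());
            chain.doFilter(req, res); // the "proceed" step from the answer
        }
    }

    /** The secured resources the rules above protect. */
    @RestController
    static class DemoController {
        @GetMapping("/api/hello")
        Map<String, String> hello(Authentication auth) {
            return Map.of("user", auth.getName(), "authorities", auth.getAuthorities().toString());
        }

        @GetMapping("/api/admin/ping")
        String adminPing() {
            return "pong";
        }
    }
}
```

Run the app and try `curl -i http://localhost:8080/api/hello` (no credentials), `curl -i -u alice:s3cret http://localhost:8080/api/hello` and `curl -i -u alice:s3cret http://localhost:8080/api/admin/ping`. The first request reaches `AuthorizationFilter` as anonymous, the access-denied exception travels back to `ExceptionTranslationFilter`, which, because nobody is authenticated yet, answers 401 with a `WWW-Authenticate: Basic` challenge; the second returns 200 and the probe after `BasicAuthenticationFilter` now shows `alice [ROLE_USER]`; the third is a fully authenticated user without `ROLE_ADMIN`, so the same exception is translated into a 403 instead. That 401-versus-403 decision is exactly the "only performs when responding" behaviour of `ExceptionTranslationFilter` from the answer, and the debug log at the top of each request is the concrete filter order for your version.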

Thanks for trying to resolve it. Yeah, I tried the documentation, but instead of that your solution is precise and crisp, meaning to the point. I appreciate that. You are right in the sense that one has to debug all the code to know the internals. Can you provide any Java debugging resources specific to the Eclipse or IntelliJ IDEA IDE? I shall be obliged if time permits you. Nevertheless, I am using Spring Boot. Everything is handled by the framework, but from a curiosity point of view I shoot my gun. Once again, thanks for your solution; after a long time you tried to jot it down… @TheJoker
Have a nice day!!!

2 Likes