Developer(s) | 4 |
---|---|
Stable release | 5.2.1 / November 4, 2019[1] |
Written in | Java |
Operating system | Cross-platform |
Type | web application framework security |
License | Apache License 2.0 |
Website | projects |

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 by Ben Alex as 'Acegi Security' (pronounced Ah-see-gee /ɑːsiːdʒiː/; its letters are the first, third, fifth, seventh, and ninth characters of the English alphabet, chosen to prevent name conflicts [2]), and was publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.

Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error.

1. Browser submits "authentication credentials".
2. "Authentication mechanism" collects the details.
3. An "authentication request" object is built.
4. Authentication request sent to an AuthenticationManager.
5. AuthenticationManager (this is responsible for passing requests through a chain of AuthenticationProviders).
6. "Authentication provider" will ask a UserDetailsService to provide a UserDetails object.
7. The resultant UserDetails object (which also contains the GrantedAuthority[]s) will be used to build the fully populated Authentication object.
8. If "Authentication mechanism" receives back the fully populated Authentication object, it will deem the request valid, put the Authentication into the SecurityContextHolder, and cause the original request to be retried. If, on the other hand, the AuthenticationProvider rejected the request, the authentication mechanism will ask the user agent to retry.
9. AbstractSecurityInterceptor authorizes the regenerated request and throws Java exceptions. (Asks AccessDecisionManager for decision.)
10. ExceptionTranslationFilter translates the exceptions thrown by AbstractSecurityInterceptor into HTTP-related error codes:
    - Error code 403 – if the principal has been authenticated and therefore simply lacks sufficient access.
    - Launch an AuthenticationEntryPoint – if the principal has not been authenticated, which is an authentication mechanism.
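
The authentication part of this flow, reduced to Spring Security's core classes, as an added example that is not part of the original article or the project's own code. It assumes Spring Security 5.x (spring-security-core) on the classpath; the class name `AuthFlowDemo`, the user `alice` and the passwords are constructed for illustration.

```java
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthFlowDemo {  // hypothetical class name
    // AuthenticationManager (a ProviderManager) passing requests to one AuthenticationProvider.
    static AuthenticationManager buildManager() {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; the UserDetailsService hands it to the provider as UserDetails.
        UserDetailsService users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("constructed-sample-pw"))
                .roles("USER").build());
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(Collections.singletonList(provider));
    }

    // Build the authentication request, authenticate it, and store the result on success.
    static boolean login(AuthenticationManager manager, String username, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = manager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
            System.out.println(result.getName() + " -> " + result.getAuthorities());
            return true;
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();  // rejected: leave no stale principal behind
            System.out.println("rejected: " + e.getClass().getSimpleName());
            return false;
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        login(manager, "alice", "constructed-sample-pw"); // fully populated Authentication
        login(manager, "alice", "wrong-password");        // BadCredentialsException
        login(manager, "mallory", "anything");            // unknown user, same exception type
    }
}
```

The unknown-user case reports `BadCredentialsException` rather than `UsernameNotFoundException` because `DaoAuthenticationProvider` hides user-not-found errors by default, so a caller cannot distinguish a missing account from a wrong password.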