https://github.com/gunjankadu/spring-security-boilerplate
Boiler Plate For Spring Security
https://github.com/gunjankadu/spring-security-boilerplate
jpa jwt jwt-authentication mysql spring-security
Last synced: 3 months ago
JSON representation
Boiler Plate For Spring Security
- Host: GitHub
- URL: https://github.com/gunjankadu/spring-security-boilerplate
- Owner: GunjanKadu
- Created: 2020-05-21T20:17:07.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2020-05-29T15:48:46.000Z (about 6 years ago)
- Last Synced: 2025-02-23T23:28:10.794Z (over 1 year ago)
- Topics: jpa, jwt, jwt-authentication, mysql, spring-security
- Language: Java
- Size: 1.89 MB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
Spring Security
5 Core Concepts of Spring Security
AUTHENTICATION - Who Are You ?
Knowledge Based Authentication - Authentication depending on username and password which is a type of knowledge you have
Possesive Authentication - OTP, Text Messages on your phone
Multi Factor or 2 Factor Authentication - Knowledge Based + Possesive Authentication
AUTHORIZATION - I know who you are but are you allowed to do that ?
PRINCIPAL - The Currently Logged in user or the user with the particular account
AUTHORITIES/PERMISSIONS/GRANTED AUTHORITY
Permissions allowed for a specific users and then the user is authorized to do that action
Ex In a retail store A Clerk can do_checkout, make_store_announcements but a Manager can do_checkout, make_store_announcements and view_financial_record
Fine Granual Control
ROLES
Roles are a group of authorities/permissions that are assigned toghether i.e ROLE_MANAGER will have do_checkout, make_store_announcements and view_financial_record and ROLE_CLERK will have do_checkout, make_store_announcements
It makes easier to group permission and assign them to the user to be consistent
Coarse Grained
How Spring Authentication Works?
Spring Security is basically an filter which block each request coming into the application and then process on it
Spring Security is applied on the entire application and not on a particular part/URL

In Spring Security when the authentication is successfull the authentication return Information about the logged in user
It Keeps Track of the both input(User credentials) and output(verified or not) using the object of Type AUTHENTICATION it is an internal spring security interface
The Authentication objects the credentials before authentication and then the PRINCIPAL(Verified User Information) after authentication

Authentication Provider Is Responsible for doing the actual Authentication it is an interface having the method authenticate.
We need to have implementation of this interface in our application and inform Spring Security
User Enters his username and password, Spring Security puts this into the AUTHENTICATION object it goes to the implementation of the Authentication Provider and calls the authenticate method. If the credentials are right it then return the information about the currently logged in user in the Same AUTHENTICATION object

Each Application have more than 1 way to authenticate users. For ex UserName and Password based, OAuth based or LDAP based.
Therefore there can multiple Authentication Provider in an application.
To Coordinate Between all of these Authentication Provider there is a PROVIDERMANAGER

The ProviderManager asks all the AuthenticationProvider for the authentication type they support. To Achieve this Each authentication providers has a additional method Called Support().
This is the method which is called by Provider Manager. Therefore each authentication provider has a Supports method.

For the Authentication provider to do the job the Provider needs to have access to the db where the userdetails are stored and retrieve it and verify it
To Retrieve the UserInformation is Abstracted By Spring Security Into A class called by UserDetailsService which has a method loadUserByUserName which gives the User as an object
The Final Authentication Picture
