An open API service indexing awesome lists of open source software.

https://github.com/gunjankadu/spring-security-boilerplate

Boiler Plate For Spring Security
https://github.com/gunjankadu/spring-security-boilerplate

jpa jwt jwt-authentication mysql spring-security

Last synced: 3 months ago
JSON representation

Boiler Plate For Spring Security

Awesome Lists containing this project

README

          

Spring Security

5 Core Concepts of Spring Security


  • AUTHENTICATION
  • - Who Are You ?


    Knowledge Based Authentication - Authentication depending on username and password which is a type of knowledge you have


    Possesive Authentication - OTP, Text Messages on your phone


    Multi Factor or 2 Factor Authentication - Knowledge Based + Possesive Authentication





  • AUTHORIZATION
  • - I know who you are but are you allowed to do that ?





  • PRINCIPAL
  • - The Currently Logged in user or the user with the particular account





  • AUTHORITIES/PERMISSIONS/GRANTED AUTHORITY

  • Permissions allowed for a specific users and then the user is authorized to do that action


    Ex In a retail store A Clerk can do_checkout, make_store_announcements but a Manager can do_checkout, make_store_announcements and view_financial_record


    Fine Granual Control




  • ROLES


  • Roles are a group of authorities/permissions that are assigned toghether i.e ROLE_MANAGER will have do_checkout, make_store_announcements and view_financial_record and ROLE_CLERK will have do_checkout, make_store_announcements


    It makes easier to group permission and assign them to the user to be consistent


    Coarse Grained



    How Spring Authentication Works?


    Spring Security is basically an filter which block each request coming into the application and then process on it


    Spring Security is applied on the entire application and not on a particular part/URL

    ![Authetication](Img/AuthenticationSpring.png)

    In Spring Security when the authentication is successfull the authentication return Information about the logged in user


    It Keeps Track of the both input(User credentials) and output(verified or not) using the object of Type AUTHENTICATION it is an internal spring security interface


    The Authentication objects the credentials before authentication and then the PRINCIPAL(Verified User Information) after authentication



    ![Authentication1](Img/AuthenticationSpring1.png)

    Authentication Provider Is Responsible for doing the actual Authentication it is an interface having the method authenticate.


    We need to have implementation of this interface in our application and inform Spring Security


    User Enters his username and password, Spring Security puts this into the AUTHENTICATION object it goes to the implementation of the Authentication Provider and calls the authenticate method. If the credentials are right it then return the information about the currently logged in user in the Same AUTHENTICATION object



    ![Authentication2](Img/AuthenticationSpring2.png)

    Each Application have more than 1 way to authenticate users. For ex UserName and Password based, OAuth based or LDAP based.


    Therefore there can multiple Authentication Provider in an application.


    To Coordinate Between all of these Authentication Provider there is a PROVIDERMANAGER


    ![Authentication3](Img/AuthenticationSpring3.png)

    The ProviderManager asks all the AuthenticationProvider for the authentication type they support. To Achieve this Each authentication providers has a additional method Called Support().


    This is the method which is called by Provider Manager. Therefore each authentication provider has a Supports method.


    ![Authentication4](Img/AuthenticationSpring4.png)

    For the Authentication provider to do the job the Provider needs to have access to the db where the userdetails are stored and retrieve it and verify it


    To Retrieve the UserInformation is Abstracted By Spring Security Into A class called by UserDetailsService which has a method loadUserByUserName which gives the User as an object



    The Final Authentication Picture

    ![AuthenticaionFinal](Img/AuthenticaionFinal.png)