Authentication and Authorization Flow in Spring Security

Introduction

Spring Security is a framework that provides authentication, authorization, and protection against common attacks. It is the de-facto standard for securing Spring-based applications and supports securing both imperative (servlet) and reactive applications.

In this post, we are going to discuss the main actors in the Spring Security architecture that take part in the process of authentication and authorization. You need to understand this architecture because you’ll have to override or customize these pre-configured components to fit the needs of your application.

Authentication and Authorization

Let’s start with authentication and authorization. Application security boils down to two independent problems: authentication and authorization. These concepts are common in the security domain, and not specific to Spring Security.

Authentication refers to the process of verifying the identity of a principal, based on provided credentials. A “principal” generally means a user, device, or some other system that can perform an action in your application. A common example is entering a username and a password when you log in to a website. You can think of it as an answer to the question – who are you?

As part of almost any application, we need to make sure that actions can be executed only by authorized callers. Authorization refers to the process of determining whether a user has the proper permission to perform a particular action or read particular data, assuming that the user has already been successfully authenticated. You can think of it as an answer to the question – what are you allowed to do?

Authentication Flow

The diagram below presents the authentication flow in Spring Security. This architecture is the backbone of the authentication process as implemented by Spring Security. It’s really important to understand it because you’ll rely on it in any Spring Security implementation.

In this flow, the AuthenticationFilter intercepts the request and delegates the authentication responsibility to the AuthenticationManager. To implement the authentication logic, the AuthenticationManager uses an authentication provider. To check the username and the password, the AuthenticationProvider uses a UserDetailsService and a PasswordEncoder.

The main actors used in the authentication flow:

Interface | Description
AuthenticationFilter | A Filter that performs authentication of a particular request and delegates the authentication responsibility to the AuthenticationManager
AuthenticationManager | The main strategy interface for authentication. An AuthenticationManager can do one of three things: return a fully populated Authentication object if the credentials are valid, throw an AuthenticationException if they are not, or return null if it cannot decide
AuthenticationProvider | Used for defining any custom authentication logic
UserDetailsService | Represents the object used to retrieve user details by username
PasswordEncoder | Encodes the stored password and checks it against the user-provided password at the time of authentication
SecurityContext | The primary responsibility of the SecurityContext is to store the Authentication object

Authorization Flow

In simpler applications, authentication might be enough. As soon as a user authenticates, she can access every part of an application. However, most applications have the concept of permissions (or roles). For example, imagine customers who have access to the public-facing front-end of your website, and administrators who have access to a separate admin area.

The diagram below presents the authorization flow in Spring Security. When the client makes the request, the authentication filter authenticates the user. After successful authentication, the authentication filter stores the user details in the security context and forwards the request to the authorization filter. The authorization filter decides whether the call is permitted. To decide whether to authorize the request, the authorization filter uses the details from the security context.

The main actors used in the authorization flow:

Interface | Description
AuthenticationFilter | A Filter that performs authentication of a particular request and delegates the authentication responsibility to the AuthenticationManager
AuthorizationFilter | The authorization filter decides whether the call is permitted. It uses the details from the security context to decide whether to authorize the request
AuthenticationProvider | Used for defining any custom authentication logic
UserDetailsService | Represents the object used to retrieve user details by username
PasswordEncoder | Encodes the stored password and checks it against the user-provided password at the time of authentication
SecurityContext | The primary responsibility of the SecurityContext is to store the Authentication object
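The customer/administrator scenario above, as an added example of the authorization rules the AuthorizationFilter enforces (this is not code from the original post; the URL paths, role names and the helper class are assumptions). It also shows where the filter gets its input: the Authentication that the authentication filter stored in the SecurityContext.

```java
// Added example (not from the original post). Paths, roles and the helper name are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class AuthorizationFlowConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated in order: the first matcher that fits the request wins.
                .requestMatchers("/", "/public/**").permitAll()
                // hasRole("ADMIN") matches the authority ROLE_ADMIN (User.roles() adds the prefix).
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/account/**").hasAnyRole("CUSTOMER", "ADMIN")
                // Deny by default: anything not listed requires an authenticated user.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Hypothetical helper showing what the authorization decision is based on:
// the Authentication object held in the SecurityContext for the current request.
class CurrentUser {
    static String describe() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // An unauthenticated request is represented by an AnonymousAuthenticationToken,
        // whose isAuthenticated() is true, so check the type rather than that flag.
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return "anonymous";
        }
        return auth.getName() + " " + auth.getAuthorities();
    }
}
```

Putting the most specific matchers first and ending with anyRequest().authenticated() keeps the configuration deny-by-default: a new endpoint that nobody remembered to list still requires a login instead of being silently open.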
