Introducing Spring Security
In a nutshell, Spring Security uses filters to perform authentication and request-level authorization and uses AOP to fulfill method-level authorization. The following figure shows the components that a request will go through in a web application that is guarded by Spring Security:
Figure 10.4: Spring Security in an application
As you can see, when a request arrives at the server, it will go through a Spring Security Filter Chain, which is delegated through org.springframework.web.filter.DelegatingFilterProxy. This filter chain is usually created as a Spring bean named springSecurityFilterChain, which contains a list of filter beans created by Spring Security. Through these filters, Spring performs a series of actions to decide how a request should be handled. Once a request passes all the filters, it arrives at the Controller that is registered, through request mapping, to handle the request. Most of the time, controllers will call APIs of services to either execute...
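The two enforcement layers described above, plus a startup check that lists the filters inside the springSecurityFilterChain bean, shown as an added example that is not code from the original text. It assumes Spring Boot 3 with Spring Security 6; the URL patterns, the appChain bean name, and the ReportService class are hypothetical.

```java
import jakarta.servlet.Filter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity // enables the AOP interceptors that evaluate @PreAuthorize
class SecurityConfig {
    // Request-level rules: enforced by filters before any controller is reached.
    @Bean
    SecurityFilterChain appChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/assets/**").permitAll()     // hypothetical public path
                .requestMatchers("/admin/**").hasRole("ADMIN") // hypothetical admin path
                .anyRequest().authenticated())                 // everything else needs a login
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Lists, in execution order, the filters held by the springSecurityFilterChain bean.
    @Bean
    CommandLineRunner printFilters(@Qualifier("springSecurityFilterChain") Filter chainBean) {
        return args -> {
            if (chainBean instanceof FilterChainProxy proxy) {
                proxy.getFilterChains().forEach(chain -> chain.getFilters()
                    .forEach(f -> System.out.println(f.getClass().getName())));
            }
        };
    }
}

@Service
class ReportService {
    // Method-level rule: checked by an AOP proxy even if a URL rule was missed.
    @PreAuthorize("hasRole('ADMIN')")
    public String exportAll() { return "report"; }
}
```

Reviewing the printed filter list after a configuration change is a quick way to confirm that an expected filter (for example, CSRF protection) is still present in the chain.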