Spring Security Flashcards
Illustrate the architecture of a servlet container
- Web server (hardware)
- Servlet container (Tomcat)
- Threads
- Filter chain
- Filters
- Servlet
What is a servlet container and what is it used for?
A servlet container is software used to manage threads, filters, and the servlet
What is a servlet and what is it used for?
A servlet is a component of a servlet container used to handle HTTP requests and responses
What is DelegatingFilterProxy and what is it used for?
DelegatingFilterProxy is a Spring Security class that implements a servlet filter, and it is used to bridge the servlet container to Spring's ApplicationContext so that beans can be used. DelegatingFilterProxy delegates to a single bean called FilterChainProxy, which further delegates to SecurityFilterChain beans composed of many filter beans
What is the entry point to Spring Security?
FilterChainProxy
What are the main responsibilities of FilterChainProxy?
- To determine which SecurityFilterChain bean should be used for an HTTP request
- To apply Spring Security's HttpFirewall
When is a user considered authenticated?
Whenever an Authentication object is added to the SecurityContext
What are the 3 main methods of Authentication and what do they return?
- getPrincipal => Object (e.g. UserDetails)
- getCredentials => Object (e.g. password)
- getAuthorities => Collection<? extends GrantedAuthority>
What are the 2 roles of Authentication?
- To serve as the input to the AuthenticationManager
- To represent the currently authenticated user inside the SecurityContext
What is the purpose of GrantedAuthority?
To provide a representation of an authority that has been granted to a user. GrantedAuthority only has 1 method: String getAuthority()
What is the purpose of AuthenticationManager?
To process an Authentication request. It does so by delegating to ProviderManager
What is the purpose of ProviderManager?
To implement AuthenticationManager. ProviderManager iterates through a list of AuthenticationProviders until it finds one that can process the Authentication object
Give some examples of AuthenticationProvider
- DaoAuthenticationProvider
- JwtAuthenticationProvider
What is the purpose of SecurityContextHolder?
To associate the SecurityContext with the current thread of execution (it can be accessed anywhere within the same thread)
What is the role of AuthorizationManager?
To read the collection of GrantedAuthority objects of the currently authenticated user and determine if he/she has the proper authority to access a resource.