The different components of the Spring Security framework are the following:
• The security interceptor acts as the gateway that intercepts requests for resources. It delegates security enforcement responsibilities to the core components. If a web resource is being protected, then the Spring Security interceptor is provided in the form of a servlet filter. Method invocation interceptors are implemented as aspects.
• The authentication manager verifies a user's identity. It is a pluggable component with a clearly defined service provider interface (SPI). So, it is possible to integrate virtually any authentication mechanism. Spring Security comes with several concrete authentication manager implementations covering most common needs.
• The access decision manager is another pluggable component responsible for authorization. It allows authenticated requests to access system resources based on certain roles.
Spring Security is built on the core Spring Framework, so the security subsystem gets all the benefits of the Spring IoC container.
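A minimal model of the delegation described above, as an added example that is not from the book or from Spring Security itself. The interface and class names are hypothetical stand-ins rather than the framework's API, and the users, passwords and role map are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

// Hypothetical, simplified model of the three components; not Spring Security's API.
public class SecurityFlowDemo {
    record Authentication(String user, Set<String> roles) {}
    interface AuthenticationManager {   // pluggable: verifies identity or throws
        Authentication authenticate(String user, String password);
    }
    interface AccessDecisionManager {   // pluggable: authorizes by role or throws
        void decide(Authentication auth, String resource);
    }
    // The gateway enforces nothing itself; it delegates, in this order.
    record SecurityInterceptor(AuthenticationManager authn, AccessDecisionManager authz) {
        String intercept(String user, String password, String resource) {
            try {
                Authentication auth = authn.authenticate(user, password);
                authz.decide(auth, resource);
                return "ALLOW " + resource;   // reached only if both checks pass
            } catch (SecurityException e) {
                return "DENY " + resource + " (" + e.getMessage() + ")";
            }
        }
    }
    public static void main(String[] args) {
        // Constructed sample data standing in for a real user store and URL-to-role map.
        Map<String, String> passwords = Map.of("alice", "s3cret", "bob", "hunter2");
        Map<String, Set<String>> roles = Map.of("alice", Set.of("ROLE_ADMIN"), "bob", Set.of("ROLE_USER"));
        Map<String, String> required = Map.of("/admin/report", "ROLE_ADMIN");
        AuthenticationManager authn = (user, pw) -> {
            byte[] expected = passwords.getOrDefault(user, "").getBytes(StandardCharsets.UTF_8);
            if (!passwords.containsKey(user) || !MessageDigest.isEqual(expected, pw.getBytes(StandardCharsets.UTF_8)))
                throw new SecurityException("bad credentials");
            return new Authentication(user, roles.get(user));
        };
        AccessDecisionManager authz = (auth, resource) -> {
            String role = required.get(resource);   // this model denies unmapped resources
            if (role == null || !auth.roles().contains(role))
                throw new SecurityException("access denied");
        };
        SecurityInterceptor gateway = new SecurityInterceptor(authn, authz);
        System.out.println(gateway.intercept("alice", "s3cret", "/admin/report"));
        System.out.println(gateway.intercept("bob", "hunter2", "/admin/report"));
        System.out.println(gateway.intercept("bob", "wrong", "/admin/report"));
    }
}
```

Because both managers sit behind interfaces, either can be swapped without touching the interceptor, which is the pluggability the list above describes.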
Authentication and Authorization with Spring Security
Spring Security's support for web application security starts with a servlet filter. The filter intercepts incoming web requests and delegates to the authentication manager. To install the Spring Security gateway, you will need to install the special servlet filter class FilterToBeanProxy in web.xml, as shown in Listing 6-1.

Listing 6-1. web.xml Fragment

<filter>
    <filter-name>springSecurityFilterGateway</filter-name>
    <!-- Servlet filter registered with the container -->
    <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
    <init-param>
        <!-- Type of the Spring-managed bean that the proxy filter delegates to -->
        <param-name>targetClass</param-name>
        <param-value>org.springframework.security.util.FilterChainProxy</param-value>
    </init-param>
</filter>
