spring-security (nine) - core components

Foreword:
  This article mainly introduces several core components in spring security and how they cooperate with each other.
Environment:
  spring boot version: 1.5.4.RELEASE

1. Core component: SecurityContextHolder
  SecurityContextHolder is the most basic component in Spring Security. It stores the security context of the application, which contains the details of the currently authenticated principal. By default SecurityContextHolder keeps these details in a ThreadLocal, so any method executed on the same thread that performed the authentication can read them without the security context being passed in as a parameter. The flip side is that servlet containers reuse threads: the filter chain clears the context when a request completes, and code that places a context on a thread it manages itself must clear it in the same way, or a later, unrelated task on that thread inherits the identity.
  If a ThreadLocal does not fully meet the needs of the system, the storage strategy of SecurityContextHolder can be selected in two ways:
  • by setting the JVM system property spring.security.strategy
  • by calling the static method SecurityContextHolder.setStrategyName before any context is stored

Spring Security currently provides the following three storage strategies:
  • MODE_THREADLOCAL, the default, stores the context in a ThreadLocal
  • MODE_INHERITABLETHREADLOCAL makes threads spawned from a thread that holds a security context share that context with their parent
  • MODE_GLOBAL shares one security context across the entire Java virtual machine, which suits a single-user desktop application such as a Swing client
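The difference between the first two strategies, and why neither helps with a thread pool, is easiest to see by running it. The following is an added example, not code from the article; it uses a constructed "alice" test token and a hypothetical class name ContextPropagationDemo. Switching the strategy at runtime is done here only to show the contrast; a real application selects one strategy once at startup.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextCallable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example (hypothetical class): shows which threads can see the
 * caller's Authentication under each SecurityContextHolder strategy.
 */
public class ContextPropagationDemo {

    /** Name of the principal visible on the calling thread, or "<none>". */
    static String whoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "<none>" : auth.getName();
    }

    /** Runs the probe on a freshly created thread and returns what it saw. */
    static String probeInChildThread() throws InterruptedException {
        final String[] seen = new String[1];
        Thread child = new Thread(() -> seen[0] = whoAmI());
        child.start();
        child.join();
        return seen[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed test credential: a pre-authenticated token for "alice".
        Authentication alice = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");

        // 1. MODE_THREADLOCAL (default): a new thread starts with an empty context.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL);
        SecurityContextHolder.getContext().setAuthentication(alice);
        System.out.println("THREADLOCAL   parent=" + whoAmI() + " child=" + probeInChildThread());
        SecurityContextHolder.clearContext();

        // 2. MODE_INHERITABLETHREADLOCAL: a thread created after the context is set
        //    inherits a reference to the parent's SecurityContext.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
        SecurityContextHolder.getContext().setAuthentication(alice);
        System.out.println("INHERITABLE   parent=" + whoAmI() + " child=" + probeInChildThread());
        SecurityContextHolder.clearContext();

        // 3. Pool threads are created once and reused, so inheritance cannot be
        //    relied on (a pool warmed up under one user could hand that user's
        //    context to everyone else). DelegatingSecurityContextCallable copies the
        //    submitter's context into the task and clears it when the task ends.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL);
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            SecurityContextHolder.getContext().setAuthentication(alice);
            String plain = pool.submit((Callable<String>) ContextPropagationDemo::whoAmI).get();
            String wrapped = pool.submit(
                    new DelegatingSecurityContextCallable<>(ContextPropagationDemo::whoAmI)).get();
            System.out.println("POOL          plain=" + plain + " delegating=" + wrapped);
        } finally {
            SecurityContextHolder.clearContext();
            pool.shutdown();
        }
    }
}
```

The first two lines print child=<none> and child=alice respectively; in the pool case only the delegating task reports alice. Spring Security also ships DelegatingSecurityContextExecutor and DelegatingSecurityContextRunnable for the same purpose when the whole executor, rather than an individual task, should carry the context.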

2. Core component: Authentication
  The authentication details of the current user are kept in the SecurityContextHolder, and within Spring Security they are represented by an Authentication object. Usually we do not need to create the Authentication object ourselves, but we often need to read it to obtain details of the authenticated principal (the username, for example). Anywhere in application code the following snippet retrieves that information:

  Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
  String username;
  if (principal instanceof UserDetails) {
      username = ((UserDetails) principal).getUsername();
  } else {
      username = principal.toString();
  }

The method SecurityContextHolder.getContext returns the SecurityContext, our security context information. As mentioned earlier, this information is stored in a ThreadLocal by default. For most authentication mechanisms in Spring Security the principal carried by the Authentication is an instance of UserDetails. Note that getAuthentication() can return null when no authentication has taken place on the current thread, so production code should guard against that before calling getPrincipal().

3. Core component: UserDetailsService
  From the previous snippet we can see that the principal obtained from Authentication is typed as Object, and in most cases it can be cast to UserDetails. UserDetails is an important interface; think of it as an adapter between the user object in our own database and the object Spring Security stores in the SecurityContextHolder. Sometimes we also cast the UserDetails object to the original class defined in our system to reach business-specific user information (email, phone, etc.).
  UserDetailsService is the component that creates UserDetails. It is an interface with a single method:
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;

This is the most common way to load user information in Spring Security.
  When authentication succeeds, the UserDetails is used to build an Authentication object, which is stored in the SecurityContextHolder. Spring Security provides several UserDetailsService implementations out of the box, such as the in-memory InMemoryDaoImpl (InMemoryUserDetailsManager in current versions) and the JDBC-backed JdbcDaoImpl, and we can also supply our own user information by implementing the UserDetailsService interface. Whether the implementation comes from Spring or from us, the resulting authentication information is read back from the SecurityContextHolder in the same way.

4. Core component: GrantedAuthority
  Besides the principal, Authentication has another important method, getAuthorities(), which returns a collection of GrantedAuthority objects. A GrantedAuthority is a permission assigned to the principal. Usually such a permission is expressed as a role, such as ROLE_USER or ROLE_ADMIN. These authorities are evaluated during the authorization phase, when Spring Security decides whether the user may access a restricted resource; they are normally loaded by the UserDetailsService implementation as part of the UserDetails.
  GrantedAuthority objects are meant to be application-level permissions and do not refer to a specific business object. You should therefore not create a GrantedAuthority to represent, say, the Employee with id 54: used that way, hundreds or thousands of GrantedAuthorities would stand for different business objects, and memory would be exhausted very quickly. Decisions about individual domain objects belong in a separate access-control check (Spring Security's ACL module exists for that purpose), not in the authority list.
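Sections 2 to 4 fit together in one flow: a UserDetailsService adapts a domain object into UserDetails, an AuthenticationManager turns the login request into an authenticated Authentication, and downstream code reads the principal and authorities back out of the SecurityContextHolder. The following is an added example, not code from the article; Employee, EmployeePrincipal, EmployeeUserDetailsService and CoreComponentsDemo are hypothetical names, and the user table is constructed in memory to stand in for a database.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/** Added example (hypothetical classes): custom UserDetails + UserDetailsService end to end. */
public class CoreComponentsDemo {

    /** Hypothetical domain object: what the application's own user table holds. */
    static class Employee {
        final long id; final String username; final String passwordHash; final String email; final List<String> roles;
        Employee(long id, String username, String passwordHash, String email, List<String> roles) {
            this.id = id; this.username = username; this.passwordHash = passwordHash; this.email = email; this.roles = roles;
        }
    }

    /** Adapter from Employee to the UserDetails contract Spring Security expects. */
    static class EmployeePrincipal implements UserDetails {
        private final Employee employee;
        EmployeePrincipal(Employee employee) { this.employee = employee; }
        Employee getEmployee() { return employee; }
        @Override public Collection<? extends GrantedAuthority> getAuthorities() {
            // Coarse application-level roles only; never one authority per business object.
            return AuthorityUtils.createAuthorityList(employee.roles.toArray(new String[0]));
        }
        @Override public String getPassword() { return employee.passwordHash; }
        @Override public String getUsername() { return employee.username; }
        @Override public boolean isAccountNonExpired() { return true; }
        @Override public boolean isAccountNonLocked() { return true; }
        @Override public boolean isCredentialsNonExpired() { return true; }
        @Override public boolean isEnabled() { return true; }
    }

    /** Map-backed UserDetailsService standing in for a database lookup. */
    static class EmployeeUserDetailsService implements UserDetailsService {
        private final Map<String, Employee> table;
        EmployeeUserDetailsService(Map<String, Employee> table) { this.table = table; }
        @Override public UserDetails loadUserByUsername(String username) {
            Employee e = table.get(username);
            if (e == null) throw new UsernameNotFoundException("no such user: " + username);
            return new EmployeePrincipal(e);
        }
    }

    /** DaoAuthenticationProvider compares the submitted password against the stored bcrypt hash. */
    static AuthenticationManager buildManager(UserDetailsService uds) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(new BCryptPasswordEncoder());
        return new ProviderManager(Collections.singletonList(provider));
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        Map<String, Employee> table = new HashMap<>();   // constructed sample data
        table.put("alice", new Employee(54, "alice", encoder.encode("s3cret"),
                "alice@example.com", Arrays.asList("ROLE_USER", "ROLE_ADMIN")));
        AuthenticationManager manager = buildManager(new EmployeeUserDetailsService(table));

        // Login: the request token carries the raw credentials and is not yet authenticated.
        Authentication result = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        SecurityContextHolder.getContext().setAuthentication(result);

        // Anywhere downstream: read the principal back and reach the domain object.
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        if (principal instanceof EmployeePrincipal) {
            Employee me = ((EmployeePrincipal) principal).getEmployee();
            System.out.println("user=" + me.username + " email=" + me.email);
        }
        boolean admin = result.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN"));
        System.out.println("admin=" + admin);
        // ProviderManager erases the raw password from the authenticated token by default.
        System.out.println("credentials after auth=" + result.getCredentials());

        // A wrong password and an unknown user both surface as BadCredentialsException:
        // the provider hides UsernameNotFoundException so a login form cannot be used
        // to enumerate valid usernames.
        for (String[] attempt : new String[][]{{"alice", "wrong"}, {"mallory", "x"}}) {
            try {
                manager.authenticate(new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
            } catch (BadCredentialsException ex) {
                System.out.println(attempt[0] + " -> " + ex.getClass().getSimpleName());
            }
        }
        SecurityContextHolder.clearContext();
    }
}
```

In a web application the same objects are wired for you: the form-login filter builds the request token, the configured AuthenticationManager authenticates it, and the context is placed on and cleared from the request thread by the filter chain, so application code normally only ever performs the read-back half of this example.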
5. Summary
  • SecurityContextHolder stores the security context and provides access to the SecurityContext
  • SecurityContext holds the Authentication object and usually represents the authentication details of one request (ThreadLocal storage mode)
  • Authentication represents the authenticated principal within Spring Security
  • GrantedAuthority represents an application-level permission granted to the user
  • UserDetails provides the information needed to build an Authentication
  • UserDetailsService loads a UserDetails for a given username
