【Introduction to Spring Security】

Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. It supplies a set of beans that can be configured in the Spring application context and makes full use of Spring's IoC (Inversion of Control), DI (Dependency Injection) and AOP (Aspect-Oriented Programming) features, so that the application gets declarative access control and much of the repetitive code otherwise written for enterprise security controls is no longer needed.

 

 

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

 

Features

Comprehensive and extensible support for both Authentication and Authorization

Protection against attacks like session fixation, clickjacking, cross-site request forgery, etc.

Servlet API integration

Optional integration with Spring Web MVC

 

 

Introduction to core classes

Authentication

Authentication is an interface that represents a user's authentication information. Before login, the submitted information is wrapped in an object of a concrete Authentication implementation class. After login succeeds, a more complete Authentication object is generated, which includes the user's permissions and other information, and it is saved in the SecurityContext held by SecurityContextHolder so that later code can use it, for example to check access rights.

 

SecurityContextHolder

SecurityContextHolder is used to store the SecurityContext, which contains the details of the user currently accessing the system. By default, SecurityContextHolder uses a ThreadLocal to store the SecurityContext, which means that methods running in the same thread can obtain the current SecurityContext from the ThreadLocal. Because request threads come from a thread pool and are reused, storing the SecurityContext in a ThreadLocal is safe provided the ThreadLocal is cleared after every request completes. Spring Security does this work for us automatically: the ThreadLocal of the current thread is cleared after each request ends.

 

SecurityContextHolder defines a series of static methods, such as getContext(), setContext() and clearContext(), and their internal logic is essentially delegated to the SecurityContextHolderStrategy that SecurityContextHolder holds. The default strategy is ThreadLocalSecurityContextHolderStrategy, which is based on ThreadLocal. Spring Security also provides two other strategy implementations, GlobalSecurityContextHolderStrategy and InheritableThreadLocalSecurityContextHolderStrategy. The former uses one SecurityContext globally, as in the client of a client/server (C/S) architecture; the latter stores the SecurityContext in an InheritableThreadLocal, so that a child thread can use the variables stored in its parent thread.
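
The thread-pool point above, as an added example (not code from the original article or from the Spring Security project): tasks share one pooled worker thread, first without and then with a call to clearContext(). It assumes spring-security-core is on the classpath; the class name ContextLeakDemo, the user alice and the role ROLE_USER are constructed sample values.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Added illustration; class name, user name and role are constructed sample values.
public class ContextLeakDemo {

    // Name bound to the calling thread's SecurityContext, or "<none>".
    static String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "<none>" : auth.getName();
    }

    // Stand-in for one authenticated request handled on the calling thread.
    static void handle(String user, boolean clearAfterwards) {
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(
                user, "n/a", AuthorityUtils.createAuthorityList("ROLE_USER")));
        SecurityContextHolder.setContext(ctx);
        try {
            System.out.println("request handled as: " + currentUser());
        } finally {
            if (clearAfterwards) {
                SecurityContextHolder.clearContext(); // what the framework does per request
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so every task reuses the same ThreadLocal slot.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Context left behind: the next task on this thread inherits it.
            pool.submit(() -> handle("alice", false)).get();
            pool.submit(() -> System.out.println("without clear, next task sees: " + currentUser())).get();
            // Context cleared in finally: the next task starts unauthenticated.
            pool.submit(() -> handle("alice", true)).get();
            pool.submit(() -> System.out.println("with clear, next task sees: " + currentUser())).get();
        } finally {
            pool.shutdown();
        }
    }
}
```

Code that sets the SecurityContext itself on an executor or scheduler thread, outside the request handling that Spring Security wraps, needs the same try/finally around its work.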
