Wednesday, June 23, 2010

Ramp Up on Spring Security 2.0.x

  1. What allows web.xml to leverage spring style configuration for Spring Security?
    Configuring a DelegatingFilterProxy in web.xml links the two together.

  2. How does Spring Security simplify the use of DelegatingFilterProxy?
    Usually we would have to create a Filter and then configure it by naming its bean the same as the filter-name given to DelegatingFilterProxy. Instead, the process is simplified if we use springSecurityFilterChain as the filter-name and the <http/> configuration element, which automatically creates a default springSecurityFilterChain bean for us.

  3. Are the positions for the standard Filters in Spring Security always fixed?

  4. What does the concept of "authentication mechanism" refer to in Spring Security?
    It refers to collecting authentication credentials/details from a user agent (usually a web browser). Examples are form-based login and Basic authentication. Once the authentication details have been collected from the user agent, an Authentication "request" object is built and then presented to the AuthenticationManager.

  5. What is the function of an AuthenticationProvider?
    An AuthenticationProvider takes an Authentication request object and decides whether or not it is valid and then it will either throw an exception or return a fully populated Authentication object. Most AuthenticationProviders will ask a UserDetailsService to provide a UserDetails object. The resultant UserDetails object - and particularly the GrantedAuthority[]s contained within the UserDetails object - will be used when building the fully populated Authentication object.

  6. What is the function of an AuthenticationManager? What are its benefits?
    An AuthenticationManager is responsible for passing requests through a chain of AuthenticationProviders. Each Provider is fed the request built by its respective "authentication mechanism" counterpart and proceeds to validate it; having a chain therefore allows us to support various forms of authentication.

  7. What is the purpose of the <security:custom-authentication-provider/> element?
    AuthenticationProvider bean definitions can be marked for addition to the list maintained by AuthenticationManager using the <custom-authentication-provider/> element.
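
Questions 1, 2 and 5 to 7 together describe one path: web.xml delegates to the springSecurityFilterChain bean, <http/> builds that chain and its AuthenticationManager, and a provider marked with <security:custom-authentication-provider/> is the thing that finally validates the request. The class below is an added example written for this post, not code from the original post or from the Spring project. It uses the Spring Security 2.0.x package names (org.springframework.security.*, not the 3.0 .core.* packages); the package name com.example.security and the bean names userDetailsService, passwordEncoder and exampleAuthenticationProvider are assumptions, and the XML wiring in the Javadoc omits the namespace declarations.

```java
// Added example, not code from the original post: a custom AuthenticationProvider for
// Spring Security 2.0.x and the wiring that makes the filter chain reach it.
// Package and bean names (com.example.security, userDetailsService, passwordEncoder) are assumed.
package com.example.security;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.DisabledException;
import org.springframework.security.LockedException;
import org.springframework.security.providers.AuthenticationProvider;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.encoding.PasswordEncoder;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

/**
 * Validates the Authentication "request" that the form-login mechanism builds from
 * the submitted username and password (question 4), asking a UserDetailsService for
 * the stored account as most providers do (question 5).
 *
 * Wiring. web.xml hands every request to the bean named springSecurityFilterChain
 * (questions 1 and 2):
 *
 *   <filter>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * In the security context file, <http/> creates that chain, and the nested
 * <security:custom-authentication-provider/> adds this bean to the provider list
 * the AuthenticationManager walks (questions 6 and 7):
 *
 *   <security:http auto-config="true">
 *     <security:intercept-url pattern="/**" access="ROLE_USER"/>
 *   </security:http>
 *
 *   <bean id="exampleAuthenticationProvider"
 *         class="com.example.security.ExampleAuthenticationProvider">
 *     <security:custom-authentication-provider/>
 *     <property name="userDetailsService" ref="userDetailsService"/>
 *     <property name="passwordEncoder" ref="passwordEncoder"/>
 *   </bean>
 *   <bean id="passwordEncoder"
 *         class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>
 */
public class ExampleAuthenticationProvider implements AuthenticationProvider {

    private UserDetailsService userDetailsService;
    private PasswordEncoder passwordEncoder;

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        UsernamePasswordAuthenticationToken request = (UsernamePasswordAuthenticationToken) authentication;
        String username = request.getName();
        String presentedPassword = (String) request.getCredentials();

        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // Report an unknown user exactly like a wrong password, so the login
            // form does not reveal which usernames exist.
            throw new BadCredentialsException("Bad credentials");
        }

        // Compare against the stored (hashed) password through the encoder.
        if (presentedPassword == null
                || !passwordEncoder.isPasswordValid(user.getPassword(), presentedPassword, null)) {
            throw new BadCredentialsException("Bad credentials");
        }
        if (!user.isAccountNonLocked()) {
            throw new LockedException("Account locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("Account disabled");
        }

        // Fully populated result: the UserDetails becomes the principal and its
        // GrantedAuthority[] the authorities. This constructor marks the token as
        // authenticated, which is what the later authorization checks test.
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                user, presentedPassword, user.getAuthorities());
        result.setDetails(request.getDetails());
        return result;
    }

    // The AuthenticationManager only hands this provider the request types it supports.
    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The two outcomes in the provider are exactly the ones question 5 names: an AuthenticationException (here BadCredentialsException, LockedException or DisabledException) or a fully populated Authentication carrying the user's GrantedAuthority[]. Throwing the same BadCredentialsException for an unknown user and for a wrong password keeps the login response from acting as a username oracle.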

  8. What is the major difference between the configuration for spring-security 3.0.x vs 2.0.x?

  9. How/Where does SecurityContextHolder store details of the principal currently using the application?
    By default, it uses a ThreadLocal to store these details, but you can choose one of the following modes:
    • SecurityContextHolder.MODE_GLOBAL
    • SecurityContextHolder.MODE_THREADLOCAL (default)
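
The difference between the two modes is easiest to see with two threads. The following is an added example written for this post, not code from the original post or from the Spring project; it uses the 2.0.x class names and the assumed package com.example.security. (Spring Security 2.0.x also offers a third strategy, SecurityContextHolder.MODE_INHERITABLETHREADLOCAL, which copies the context to threads spawned by the current one.)

```java
// Added example, not code from the original post: what the SecurityContextHolder
// strategy modes mean in practice (Spring Security 2.0.x class names).
// The package name com.example.security is assumed.
package com.example.security;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

public class ContextHolderModeDemo {

    /**
     * Stores an authenticated principal on the calling thread under the given
     * strategy, then reports which principal a second thread finds in the holder.
     * Returns "<none>" when that thread sees an empty context.
     */
    static String principalSeenByAnotherThread(String strategyName) throws InterruptedException {
        SecurityContextHolder.setStrategyName(strategyName);
        SecurityContextHolder.clearContext();
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("alice", null,
                        new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") }));

        final String[] seen = new String[1];
        Thread other = new Thread(new Runnable() {
            public void run() {
                Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                seen[0] = (auth == null) ? "<none>" : auth.getName();
            }
        });
        other.start();
        other.join();

        // Always clear after use: in a servlet container the pooled request thread
        // would otherwise carry alice's identity into the next request it serves.
        SecurityContextHolder.clearContext();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        // Default: each thread (each request, in a web application) has its own
        // context, so the other thread sees "<none>".
        System.out.println("MODE_THREADLOCAL: "
                + principalSeenByAnotherThread(SecurityContextHolder.MODE_THREADLOCAL));

        // One context for the whole JVM, so the other thread sees "alice". Suitable
        // for a single-user rich client, never for a server handling many users.
        System.out.println("MODE_GLOBAL: "
                + principalSeenByAnotherThread(SecurityContextHolder.MODE_GLOBAL));
    }
}
```

The strategy is read once when SecurityContextHolder is initialised, so in a real application it is set through the system property spring.security.strategy or a single early call to setStrategyName, not switched per request as this demo does for contrast.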

  10. What can be used for storing a SecurityContext between HTTP requests?

  11. What is the function of a ChannelProcessor?
    A ChannelProcessor will review the request, and if it is unhappy with the request (e.g. if it was received across the incorrect transport protocol), it will perform a redirect, throw an exception or take whatever other action is appropriate.

  12. How do you decide whether a security check belongs in a ChannelProcessor or an AccessDecisionVoter?
    ChannelProcessor is designed to handle unauthenticated requests, whereas AccessDecisionVoter is designed to handle authenticated requests.

  13. Question TBD
    Answer TBD

