Spring Boot

Security

https://docs.spring.io/spring-security/reference/

Servlet Authentication Architecture

This discussion expands on Servlet Security: The Big Picture to describe the main architectural components of Spring Security’s used in Servlet authentication. If you need concrete flows that explain how these pieces fit together, look at the Authentication Mechanism specific sections.

• SecurityContextHolder - The SecurityContextHolder is where Spring Security stores the details of who is authenticated.
• SecurityContext - is obtained from the SecurityContextHolder and contains the Authentication of the currently authenticated user.
• Authentication - Can be the input to AuthenticationManager to provide the credentials a user has provided to authenticate or the current user from the SecurityContext.
• GrantedAuthority - An authority that is granted to the principal on the Authentication (i.e. roles, scopes, etc.)
• AuthenticationManager - the API that defines how Spring Security’s Filters perform authentication.
• ProviderManager - the most common implementation of AuthenticationManager.
• AuthenticationProvider - used by ProviderManager to perform a specific type of authentication.
• Request Credentials with AuthenticationEntryPoint - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a WWW-Authenticate response, etc.)
• AbstractAuthenticationProcessingFilter - a base Filter used for authentication. This also gives a good idea of the high level flow of authentication and how pieces work together.

• all endpoints are secured by default
• SecurityContext can be accessed anywhere in current thread.

Interface defining the minimum security information associated with the current thread of execution.

https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/core/context/SecurityContext.html

By default, SecurityContextHolder uses a ThreadLocal to store these details. Spring Security’s FilterChainProxy ensures that the SecurityContext is always cleared.

Thread-local variable in Java

Authentication Manager

AuthenticationManager is the API that defines how Spring Security’s Filters perform authentication.

ProviderManager

AbstractAuthenticationProcessingFilter

N

OpenID

OpenID Connect (OIDC) is an authentication standard built on top of OAuth 2.0. It defines an ID token type to pair with OAuth 2.0 access and refresh tokens.