
How does Spring Security's authentication and authorization process work?

WBOY (Original)
2024-04-17 16:33:01

Spring Security provides authentication and authorization mechanisms. Authentication checks the validity of user credentials through an authentication provider, for example username-and-password or LDAP authentication. Authorization uses an access decision manager that compares the user's permissions with the requested URL and grants or denies access based on the access decision, for example AffirmativeBased (any matching role allows access) or ConsensusBased (all matching roles allow access). Practical case, RBAC (role-based access control): use UserDetailsService to define roles, RoleHierarchyVoter to establish the role hierarchy, and AffirmativeBased as the access decision manager for authorization.


Spring Security’s authentication and authorization process

Authentication

Spring Security authenticates through an authentication provider, such as:

  • UsernamePasswordAuthenticationProvider (authenticates using username and password)
  • UserDetailsService (authenticates the user using custom logic)
  • LdapAuthenticationProvider (authenticates via LDAP)

Authentication process:

  1. The client sends an authentication request containing the username and password to the authentication server.
  2. The authentication server hands the credentials to the relevant authentication provider.
  3. The authentication provider checks the validity of the credentials and returns an authenticated UserDetails object.
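The three steps above can be driven without a web container, which makes the provider's behaviour easy to observe. The following is an added example written for this article, not code from the original post or from the Spring Security project; it assumes spring-security-core and spring-security-crypto are on the classpath and uses a constructed in-memory user ("alice") in place of a database-backed UserDetailsService.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example (not from the original article): the authentication steps run directly.
public class AuthenticationFlowDemo {

    // Steps 2 and 3: DaoAuthenticationProvider looks the user up through a UserDetailsService
    // and checks the presented password against the stored hash with the PasswordEncoder.
    static AuthenticationManager buildManager(PasswordEncoder encoder) {
        // Constructed sample user; a real application loads this from its user store.
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("correct horse battery staple"))
                .roles("USER")
                .build();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(alice));
        provider.setPasswordEncoder(encoder);
        // ProviderManager is the AuthenticationManager that dispatches to the providers.
        return new ProviderManager(List.of(provider));
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager(new BCryptPasswordEncoder());

        // Step 1: the client's credentials arrive as an unauthenticated token.
        Authentication request =
                new UsernamePasswordAuthenticationToken("alice", "correct horse battery staple");
        Authentication result = manager.authenticate(request);
        System.out.println("authenticated = " + result.isAuthenticated());
        System.out.println("principal     = " + ((UserDetails) result.getPrincipal()).getUsername());
        System.out.println("authorities   = " + result.getAuthorities());
        // ProviderManager erases the password from the returned token by default,
        // so the authenticated object no longer carries the secret.
        System.out.println("credentials   = " + result.getCredentials());

        // A wrong password never yields a half-authenticated object: the provider throws.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // An unknown user is reported the same way: the provider hides
        // UsernameNotFoundException so callers cannot enumerate valid usernames.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("mallory", "x"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that the password is stored only as a bcrypt hash and is compared by the encoder; the provider never returns a partially authenticated object, and the result for a bad password and for an unknown user is indistinguishable to the caller.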

Authorization

After successful authentication, Spring Security authorizes through the access decision manager, which includes:

  • AccessDecisionManager (determines whether access is granted)
  • AffirmativeBased (access is allowed if any role matches)
  • ConsensusBased (access is allowed if all roles match)

Authorization Process:

  1. The authentication server retrieves the permissions in the UserDetails object.
  2. The Access Decision Manager compares user permissions to the requested URL.
  3. Based on the access decision, decide whether to grant access permission.

Practical case: role-based access control

In a role-based access control (RBAC) scenario, you can use Spring Security authorization with the following steps:

  • Define a UserDetailsService that returns UserDetails with the appropriate role given a username.
  • Configure RoleHierarchyVoter to establish a role hierarchy.
  • Configure AffirmativeBased Access Decision Manager.
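The second and third steps, the role hierarchy and the AffirmativeBased decision manager, are not shown in the configuration that follows, so here is an added example written for this article (not code from the original post or from the Spring Security project) that wires them up and exercises the decision directly. It assumes spring-security-core on the classpath; the URL string, the user name and the roles are constructed values.

```java
import java.util.List;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (not from the original article): the RBAC decision path, driven directly.
public class RoleHierarchyDemo {

    // Step 2 of the RBAC case: ROLE_ADMIN inherits everything ROLE_USER is allowed to do.
    static RoleHierarchyImpl roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
        return hierarchy;
    }

    // Step 3: AffirmativeBased grants access as soon as a single voter votes GRANT.
    static AffirmativeBased decisionManager(AccessDecisionVoter<?> voter) {
        return new AffirmativeBased(List.of(voter));
    }

    // Mirrors what the filter chain does for a URL secured with hasRole(): the config
    // attribute is the required role, the Authentication carries the user's granted roles.
    static boolean isAllowed(AffirmativeBased manager, String heldRole, String requiredRole) {
        Authentication user = new UsernamePasswordAuthenticationToken(
                "demo-user", "n/a", AuthorityUtils.createAuthorityList(heldRole));
        List<ConfigAttribute> required = SecurityConfig.createList(requiredRole);
        try {
            manager.decide(user, "/constructed/url", required);
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        AffirmativeBased hierarchical = decisionManager(new RoleHierarchyVoter(roleHierarchy()));
        // An admin reaches a /user/** resource through the hierarchy without holding ROLE_USER.
        System.out.println("hierarchy: ROLE_ADMIN on ROLE_USER resource  -> "
                + isAllowed(hierarchical, "ROLE_ADMIN", "ROLE_USER"));
        // A plain user is denied on an /admin/** resource.
        System.out.println("hierarchy: ROLE_USER  on ROLE_ADMIN resource -> "
                + isAllowed(hierarchical, "ROLE_USER", "ROLE_ADMIN"));

        // Same check with a plain RoleVoter (no hierarchy): the admin is now denied,
        // which is the usual cause of "why does my admin get 403 on user pages".
        AffirmativeBased flat = decisionManager(new RoleVoter());
        System.out.println("flat:      ROLE_ADMIN on ROLE_USER resource  -> "
                + isAllowed(flat, "ROLE_ADMIN", "ROLE_USER"));
    }
}
```

The hierarchy string is the only place the inheritance is declared; the voter expands the user's authorities through it before comparing them with the attribute required by the URL, so the authorization rules in the configuration below do not need to list every role an admin also holds.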

Configuration

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The application's UserDetailsService bean (UserDetailsServiceImpl below).
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Assumes stored passwords are bcrypt hashes; without an encoder Spring Security 5 refuses to authenticate.
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // hasRole() adds the "ROLE_" prefix itself; passing "ROLE_ADMIN" is rejected at startup.
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().permitAll()
                .and()
                .formLogin(); // an entry point is needed so users can actually authenticate
    }

}

UserDetailsService

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    private final UserRepository userRepository;

    public UserDetailsServiceImpl(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        User user = userRepository.findByUsername(username);
        // The contract requires UsernameNotFoundException for unknown users; returning null breaks the provider.
        if (user == null) {
            throw new UsernameNotFoundException("User not found: " + username);
        }
        return new UserDetailsAdapter(user);
    }

}

UserDetailsAdapter

import java.util.Collection;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

// Adapts the application's own User entity to the UserDetails contract Spring Security expects.
public class UserDetailsAdapter implements UserDetails {

    private final User user;

    public UserDetailsAdapter(User user) {
        this.user = user;
    }

    // Assumes User exposes getRole() returning a name such as "ROLE_ADMIN"; hasRole("ADMIN") matches it.
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return List.of(new SimpleGrantedAuthority(user.getRole())); }
    @Override public String getPassword() { return user.getPassword(); }
    @Override public String getUsername() { return user.getUsername(); }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

