
What & How In Spring Boot Authentication

 


If you want to visit my place, you are always welcome! But be aware that there are two security officers guarding it. Before letting you in, they will ask all sorts of questions to verify your identity.

They will ask "Who are you?" and "What do you want to do here?", and you will have to answer. Depending on your answers, my guards will either let you into the house or restrict your access. Just as the security personnel protect the property by admitting only a verified set of people, a web application is secured so that only a selected set of people can get access to it.

The question "who are you?" is asked to verify the user who is trying to get in. To answer it, the person has to prove their identity, that is, prove that they are not impersonating someone else. This is called authentication. After authentication, the next question is "what do you want to do?". Some of the things a user intends to do on the site may not be allowed because of permission restrictions. This check is referred to as authorization.

Typically, adding security to an application means adding a middle layer between the user's requests and the API resources, which verifies whether the user is valid and allowed to access them. This layer sits between the users and the API resources and demands authentication and authorization from the caller. If the requests get the appropriate responses, access to the API resources is granted; otherwise the middle layer blocks the request before it arrives. Here we will discuss how this layer is implemented in Spring Boot applications.

In Spring Boot this middle layer is built from servlet filters. A filter can inspect, modify or reject a request before it reaches the API resource. Adding the following dependency to pom.xml pulls in the Spring Boot starter for Spring Security (when the project inherits from spring-boot-starter-parent, the version element can be omitted and the parent's managed version is used):

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.1.9.RELEASE</version>
</dependency>

What happens after we add this dependency? This is explained in the official Spring Security documentation. With the dependency on the classpath and no security configuration of our own, Spring Boot enables a default configuration. It creates a single user with the username "user" and a random password that is printed to the console at startup. All endpoints then require authentication through a default login form, where we can enter the username ("user") and the generated password. The stored password is hashed with BCrypt (through Spring Security's delegating password encoder). Logout is also included in the default configuration.

A word of caution: the generated password is written to the application log, and the default user exists only so that the application is not left open during development. Before deployment, configure a real user store; otherwise anyone who can read the logs can log in.

What’s happening here?

When a request comes in, Spring Security's delegating filter takes it before it reaches the API resource. This filter bean (a DelegatingFilterProxy registered under the name springSecurityFilterChain) intercepts every request. Being a delegating filter, it does not do the work itself; it hands the request to a chain of Spring Security specific filters, each responsible for one concern, and which of them run depends on the requested URL and on the configuration we give our Spring application. Even the default configuration installs a chain of a dozen or so filters the moment the dependency is on the classpath. One of them (UsernamePasswordAuthenticationFilter for the login form, BasicAuthenticationFilter for HTTP Basic) performs authentication: it intercepts authentication requests and starts the authentication process. Others handle authorization (FilterSecurityInterceptor), session management, CSRF protection, logout and exception translation.
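As an added example (not code from the original post), here is the kind of configuration through which we tell Spring Security which authentication and authorization rules to apply on top of the filter chain. It assumes Spring Boot 2.1.x with the starter above; the class name, the paths /public/** and /admin/** and the two sample users are assumptions made up for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical security configuration for a Spring Boot 2.1 application. */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // DelegatingPasswordEncoder: bcrypt by default; stored hashes carry a {bcrypt} prefix
        // so the algorithm can be upgraded later without re-hashing everything at once.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Replaces the auto-generated "user" account whose password is printed to the log.
        // Constructed sample users; a real application loads the hashes from a database or directory.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("alice").password(passwordEncoder().encode("alice-pw")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder().encode("admin-pw")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific rules first: matchers are evaluated in order.
                .antMatchers("/public/**").permitAll()      // no authentication required
                .antMatchers("/admin/**").hasRole("ADMIN")  // authorization: role check
                .anyRequest().authenticated()               // everything else: must be logged in
                .and()
            .formLogin()                                    // login form + UsernamePasswordAuthenticationFilter
                .and()
            .httpBasic()                                    // BasicAuthenticationFilter for API clients
                .and()
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true);
        // CSRF protection stays enabled (the default); do not switch it off for browser-facing endpoints.
    }
}
```

The order of the antMatchers rules matters: if anyRequest().authenticated() came first, the later rules would never be consulted, and a permitAll placed after a role rule for the same path would not widen it.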

Deep dive into authentication


Let us see how the question "Who are you?" is handled in our application. What is authentication in practice? Users have credentials, and with those credentials the application validates the user. One might expect the user to send the credentials and the application to authenticate them with a specific mechanism and return a boolean: valid or not. Spring Security does essentially the same thing, except that instead of a boolean it returns the principal, an object that describes the logged-in user, together with the authorities granted to it.


For this process the credentials have to be carried somewhere. Spring Security provides the Authentication interface for that. An Authentication object carries not only the user's credentials but the principal as well. Before authentication it holds the credentials the user presented (getCredentials()) and is marked unauthenticated; after authentication it holds the principal (getPrincipal()) and the granted authorities (getAuthorities()), and isAuthenticated() returns true. Other details about this interface can be found on the official site.

Who does the authentication?

Authentication in Spring Security is performed by providers, called authentication providers (the AuthenticationProvider interface). The AuthenticationProvider is the component that actually does the authentication, through its authenticate() method. To tell Spring Security about our own authentication mechanism, we implement AuthenticationProvider: authenticate(), which checks the credentials, and supports(), which tells the framework which kind of Authentication object the provider can handle. Spring Security calls authenticate() to authenticate the user, and the method either returns a fully authenticated object or throws an AuthenticationException (for example BadCredentialsException) when the credentials are not valid.

In summary: when the user sends credentials, Spring Security puts them into an Authentication object. That object is passed to the authenticate() method of the AuthenticationProvider implementation. The method examines the credentials; if they are valid it returns a new Authentication object that, instead of the credentials, holds information about the logged-in user as its principal, together with its authorities. (By default the ProviderManager, described in the next section, also erases the credentials from the returned object once authentication succeeds.) You can check the official site for more information about the AuthenticationProvider interface.
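The following is an added example of such a provider, written for this article and not taken from the original post or from Spring Security itself. The class names, the in-memory user "alice" and her password are assumptions made for the example; the point is the shape of authenticate() and supports(), the single error message for both failure cases, and the fact that the returned token carries the principal and authorities but no password.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical provider that checks username/password against an in-memory map of bcrypt hashes. */
public class MapBackedAuthenticationProvider implements AuthenticationProvider {

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    // Constructed sample identity store: username -> bcrypt hash. Only hashes are ever kept.
    private final Map<String, String> hashes = new HashMap<>();
    // Hash of a throwaway value, compared against when the user does not exist, so that an
    // unknown username costs the same bcrypt work as a wrong password (no timing side channel).
    private final String dummyHash;

    public MapBackedAuthenticationProvider() {
        hashes.put("alice", encoder.encode("correct horse battery staple"));
        dummyHash = encoder.encode("not-a-real-password");
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object raw = authentication.getCredentials();
        String presented = raw == null ? "" : raw.toString();

        boolean known = hashes.containsKey(username);
        boolean matches = encoder.matches(presented, known ? hashes.get(username) : dummyHash);
        if (!known || !matches) {
            // One message for both failure cases: callers cannot learn which usernames exist.
            throw new BadCredentialsException("Bad credentials");
        }
        // Success: a NEW token, marked authenticated by this constructor, carrying the
        // principal and its authorities but not the password (credentials = null).
        return new UsernamePasswordAuthenticationToken(
                username, null, Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only username/password logins; ProviderManager skips this provider for other token types.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

/** Registers the provider with the AuthenticationManager used by the security filters. */
@EnableWebSecurity
class ProviderSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new MapBackedAuthenticationProvider());
    }
}
```

Returning a fresh token rather than flipping setAuthenticated(true) on the incoming one is deliberate: the incoming object still holds the plaintext password, and the new one is what ends up in the security context for the rest of the request.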


In a real scenario authentication can be done in several ways: HTTP Basic, LDAP, OpenID Connect, and more. A single application may even support several mechanisms at once. For that we may have multiple authentication providers, each knowing how to authenticate with one specific mechanism. How does Spring Security manage these providers? Through the AuthenticationManager. Its standard implementation, ProviderManager, holds a list of providers and hands the Authentication object to each provider whose supports() method accepts it, until one of them returns an authenticated result.

Authentication Manager

You may have multiple authentication providers, so what does a provider's authenticate() method typically do? It needs access to an identity store: once it has fetched the stored record for the user, it can verify the presented credentials against it. Between providers, what changes is mostly how that user record is retrieved. Spring Security therefore factors the retrieval out of the provider into a separate interface, the UserDetailsService.

This service takes a username and returns a UserDetails object with the user's details: the stored password hash, the granted authorities, and flags saying whether the account is enabled, locked or expired and whether the credentials have expired. Once the UserDetails object is returned, the authentication provider (for username/password logins, DaoAuthenticationProvider) can carry out the authentication: it rejects locked, disabled or expired accounts first, then compares the presented password with the stored hash using the configured PasswordEncoder.
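An added example of a UserDetailsService, written for this article rather than taken from the post, showing how the account flags reach DaoAuthenticationProvider. The nested Account record and the three sample accounts (one normal, one locked, one disabled) are constructed for the example; a real implementation would read them from a database or directory.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

/** Hypothetical user lookup backed by an in-memory map; only the retrieval lives here. */
@Service
public class AccountUserDetailsService implements UserDetailsService {

    /** Constructed stand-in for a row in an account table. */
    private static final class Account {
        final String passwordHash;
        final boolean locked;
        final boolean enabled;
        final String[] roles;

        Account(String passwordHash, boolean locked, boolean enabled, String... roles) {
            this.passwordHash = passwordHash;
            this.locked = locked;
            this.enabled = enabled;
            this.roles = roles;
        }
    }

    private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    private final Map<String, Account> accounts = new HashMap<>();

    public AccountUserDetailsService() {
        // Sample data only; hashes are produced here so no plaintext password is ever stored.
        accounts.put("alice", new Account(encoder.encode("alice-pw"), false, true, "USER"));
        accounts.put("mallory", new Account(encoder.encode("mallory-pw"), true, true, "USER"));  // locked
        accounts.put("bob", new Account(encoder.encode("bob-pw"), false, false, "USER"));      // disabled
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = accounts.get(username);
        if (account == null) {
            // DaoAuthenticationProvider turns this into BadCredentialsException by default
            // (hideUserNotFoundExceptions = true), so a login failure does not reveal
            // whether the username exists.
            throw new UsernameNotFoundException("No such user");
        }
        // The flags are what AbstractUserDetailsAuthenticationProvider's pre-authentication
        // checks inspect: a locked account raises LockedException and a disabled one
        // DisabledException before the password is even compared.
        return User.builder()
                .username(username)
                .password(account.passwordHash)
                .roles(account.roles)
                .accountLocked(account.locked)
                .disabled(!account.enabled)
                .build();
    }
}
```

With a single UserDetailsService bean and no other authentication configuration, Spring Boot wires a DaoAuthenticationProvider around it automatically; if a PasswordEncoder bean exists it is used for the comparison, otherwise the delegating encoder is used, which recognises the {bcrypt} prefix written by the encoder above.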

The Authentication Flow

After authentication the Authentication object holds the principal for the request, and the authentication filter stores it in the SecurityContextHolder, whose SecurityContext is by default kept in a thread-local variable. That is what the later filters and the application code read to find out who the caller is. At the end of the request the SecurityContextPersistenceFilter saves the context to the HTTP session, so the next request from the same session is already authenticated, and clears the thread-local, so nothing leaks to the next request served by that thread. This is how authentication happens in a Spring Boot application.
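To make that flow concrete, here is an added example (not code from the original post) of a small authentication filter that does by hand what the built-in login filters do: wrap the raw credentials in an unauthenticated token, pass it to the AuthenticationManager, and on success place the result in the SecurityContextHolder. The X-User and X-Password headers, the class names and the registration config are assumptions made for illustration; sending a password in custom headers is only a stand-in here for the Basic or token scheme a real client would use over TLS.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical filter: authenticates from two request headers, then lets the chain continue. */
public class HeaderCredentialsFilter extends OncePerRequestFilter {

    private final AuthenticationManager authenticationManager;

    public HeaderCredentialsFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String user = request.getHeader("X-User");
        String password = request.getHeader("X-Password");

        if (user == null || password == null) {
            // Not our request: leave it to the remaining filters (anonymous access or 401/403).
            chain.doFilter(request, response);
            return;
        }
        try {
            // 1. Raw credentials go into an Authentication object; this constructor marks it unauthenticated.
            Authentication unauthenticated = new UsernamePasswordAuthenticationToken(user, password);
            // 2. The manager routes it to the provider(s); failure is signalled by an exception.
            Authentication authenticated = authenticationManager.authenticate(unauthenticated);
            // 3. The authenticated object (principal + authorities) is stored for this thread/request.
            SecurityContextHolder.getContext().setAuthentication(authenticated);
        } catch (AuthenticationException ex) {
            // Never leave a half-set context behind, and do not echo the reason to the client.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}

/** Puts the filter into the chain just before the form-login filter. */
@EnableWebSecurity
class HeaderFilterSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new HeaderCredentialsFilter(authenticationManager()),
                             UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

Because the context lives in a thread-local, code that hands work to another thread (for example an @Async method or a thread pool) does not see the caller's Authentication unless the context is propagated explicitly, for instance with Spring Security's DelegatingSecurityContextExecutor; this is a common source of "anonymous" access checks deep inside otherwise authenticated requests.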
