Spring Security - Authorization Process

This post explains how the authorization process works. Note that most of the time you do not need to know these details; they matter when you debug an unexpected 403 or plug in a custom decision strategy.

Authorization Process

Pre-Invocation Handling - A pre-invocation handler decides whether the invocation is allowed to proceed. The decision is made by the AccessDecisionManager.

After-Invocation Handling - Modifies the object returned by the secure object invocation. This is handled by AfterInvocationProviderManager; see https://docs.spring.io/spring-security/site/docs/current/reference/html5/#authz-after-invocation-handling for more information. This post focuses on Pre-Invocation Handling.

FilterSecurityInterceptor

  • FilterSecurityInterceptor implements the Filter interface. It is the filter that FilterChainProxy uses for authorization.
  • FilterSecurityInterceptor extends the abstract class AbstractSecurityInterceptor.
  • Refer to AbstractSecurityInterceptor for details on the workflow.
  1. FilterChainProxy invokes FilterSecurityInterceptor.
  2. FilterSecurityInterceptor gets the Authentication object from the SecurityContext. If that Authentication is not yet authenticated, AbstractSecurityInterceptor first passes it to the AuthenticationManager.
  3. FilterSecurityInterceptor wraps the request, response and filter chain in a FilterInvocation and passes it to the SecurityMetadataSource to get the ConfigAttributes. The ConfigAttributes are derived from the antMatchers or mvcMatchers rules configured in HttpSecurity.
  4. FilterSecurityInterceptor calls the AccessDecisionManager's decide method with the Authentication, the FilterInvocation and the ConfigAttributes as parameters.
  5. If access is granted, the invocation continues down the filter chain; otherwise decide throws an AccessDeniedException, which the ExceptionTranslationFilter earlier in the chain turns into a 403 response (or a redirect to authentication for anonymous users).
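The workflow above is driven by whatever HttpSecurity registers as the SecurityMetadataSource and the AccessDecisionManager. The following added example (not code from the original post or from Spring Security itself) shows where both come from: the antMatchers/mvcMatchers rules become the ConfigAttributes of step 3, and the accessDecisionManager(...) call replaces the default manager used in step 4 with a stricter UnanimousBased one. It assumes Spring Security 5.x Java config with WebSecurityConfigurerAdapter; the class name AuthzConfig and the URL patterns are illustrative.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.expression.WebExpressionVoter;

// Hypothetical configuration class used only to illustrate the wiring.
@Configuration
@EnableWebSecurity
public class AuthzConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Each rule below is stored by the SecurityMetadataSource and
                // returned as the ConfigAttributes for a request that matches it.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .mvcMatchers("/api/**").authenticated()
                // Fail closed: anything not listed above is denied rather than left open.
                .anyRequest().denyAll()
                // Swap the default AffirmativeBased manager for the one built below.
                .accessDecisionManager(accessDecisionManager())
            .and()
            .httpBasic();
    }

    @Bean
    public AccessDecisionManager accessDecisionManager() {
        // WebExpressionVoter evaluates the hasRole()/authenticated() expressions above;
        // RoleVoter and AuthenticatedVoter handle plain ROLE_* / IS_AUTHENTICATED_* attributes
        // and abstain on expression attributes they do not understand.
        List<AccessDecisionVoter<?>> voters = Arrays.asList(
                new WebExpressionVoter(),
                new RoleVoter(),
                new AuthenticatedVoter());
        UnanimousBased manager = new UnanimousBased(voters);
        // If every voter abstains, deny instead of granting by default.
        manager.setAllowIfAllAbstainDecisions(false);
        return manager;
    }
}
```

With this in place a request to /admin/report by a user who only holds ROLE_USER reaches step 4 with the attribute hasRole('ADMIN'); the WebExpressionVoter votes to deny, UnanimousBased throws AccessDeniedException, and the filter chain never reaches the servlet.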

AccessDecisionManager Interface

  • The AccessDecisionManager is called by the AbstractSecurityInterceptor and is responsible for making final access control decisions.
  • Javadoc
  • Source code

AccessDecisionManager source code

package org.springframework.security.access;

import java.util.Collection;

import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;

public interface AccessDecisionManager {

    // Resolves an access control decision for the secure object (here the FilterInvocation);
    // throws AccessDeniedException when access is refused, or
    // InsufficientAuthenticationException when the caller must authenticate more strongly.
    void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes) throws AccessDeniedException,
            InsufficientAuthenticationException;

    // Whether this manager can process the given ConfigAttribute.
    boolean supports(ConfigAttribute attribute);

    // Whether this manager can process secure objects of the given type.
    boolean supports(Class<?> clazz);
}

AccessDecisionManager's decide method uses all of this information (who is calling, what is being invoked, and which attributes protect it) to decide whether the user is authorized to access the secure object. Note that decide returns nothing on success: a grant is signalled by the absence of an exception.

There are three built-in implementations of AccessDecisionManager. Each one delegates to a list of AccessDecisionVoter objects (for example RoleVoter, AuthenticatedVoter, WebExpressionVoter) and differs only in how it combines their grant, deny and abstain votes. Newer Spring Security releases deprecate this family in favour of the AuthorizationManager API, but the classes still work.

  • AffirmativeBased - Simple concrete implementation of AccessDecisionManager that grants access if any AccessDecisionVoter returns an affirmative response. This is the default. Because a single grant wins, a custom voter that grants too broadly silently overrides every other voter's deny.
  • ConsensusBased - Simple concrete implementation of AccessDecisionManager that uses a consensus-based approach: if the majority of non-abstaining voters grant, access is granted. A tie is granted unless allowIfEqualGrantedDeniedDecisions is set to false.
  • UnanimousBased - Simple concrete implementation of AccessDecisionManager that requires all voters to abstain or grant access, so a single deny vote refuses the invocation. It also presents the ConfigAttributes to the voters one at a time rather than as a whole collection.
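To see how the three strategies differ on the same votes, here is an added example (not part of the original post or of Spring Security) that calls decide directly, outside any web request. It constructs a user holding ROLE_USER, a secure object protected by ROLE_USER, and two voters: the real RoleVoter, which grants, and a hypothetical AlwaysDenyVoter, which denies everything. The class names VotingDemo and AlwaysDenyVoter and the user name are illustrative; it assumes Spring Security 5.x on the classpath.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class VotingDemo {

    // Hypothetical voter that denies every invocation it sees, e.g. a "maintenance mode" switch.
    static class AlwaysDenyVoter implements AccessDecisionVoter<Object> {
        @Override
        public boolean supports(ConfigAttribute attribute) { return true; }

        @Override
        public boolean supports(Class<?> clazz) { return true; }

        @Override
        public int vote(Authentication authentication, Object object,
                Collection<ConfigAttribute> attributes) {
            return ACCESS_DENIED;
        }
    }

    // decide() signals a grant by returning normally and a refusal by throwing.
    static String decide(AccessDecisionManager manager, Authentication auth,
            Collection<ConfigAttribute> attrs) {
        try {
            manager.decide(auth, new Object(), attrs);
            return "GRANTED";
        } catch (AccessDeniedException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        // Constructed input: an already-authenticated user with ROLE_USER,
        // and a secure object whose only ConfigAttribute is ROLE_USER.
        Authentication user = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        List<ConfigAttribute> attrs = SecurityConfig.createList("ROLE_USER");

        // RoleVoter grants (ROLE_USER is present); AlwaysDenyVoter denies.
        List<AccessDecisionVoter<?>> voters =
                Arrays.asList(new RoleVoter(), new AlwaysDenyVoter());

        System.out.println("AffirmativeBased: " + decide(new AffirmativeBased(voters), user, attrs));
        System.out.println("ConsensusBased:   " + decide(new ConsensusBased(voters), user, attrs));
        System.out.println("UnanimousBased:   " + decide(new UnanimousBased(voters), user, attrs));
    }
}
```

AffirmativeBased grants because one affirmative vote is enough, which is exactly why a permissive custom voter is dangerous under the default manager. ConsensusBased sees one grant and one deny; with the default allowIfEqualGrantedDeniedDecisions it grants on the tie, and flips to deny if you set that flag to false. UnanimousBased denies because any single deny vote is final. Swap the AlwaysDenyVoter for an abstaining voter and all three managers grant, since abstentions never count against the caller.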

Reference