Spring Security provides comprehensive security services for J2EE-based enterprise software applications.
There are two important concepts in application security.
- Authentication is the process of establishing a principal is who they claim to be, generally that information comes in form of username/password.
- Authorization refers to the process of deciding whether a user is allowed to perform an action within your application.
In Spring Security, and as summary, we can say that two classes are responsible of implementing each concept:
- Main interface for Authentication is AuthenticationManager. The default implementation is ProviderManager. This rather than handling request itself, it delegates it to a list of AuthenticationProviders which each one tries to perform the authentication against its back-end with username and password provided. An example of providers is DaoAuthenticationProvider, LdapAuthenticationProvider...
- Main interface for Authorization is AccessDecisionManager. Spring Security includes several AccessDecisionManager implementations that are based on voting. Three AccessDecisionManagers are provided: AffirmativeBase (grants access if any voter returns an affirmative response), ConsensusBased ("Consensus" here means majority-rule (ignoring abstains) rather than unanimous agreement (ignoring abstains)), and UnanimousBase (requires all voters to abstain or grant access). In fact voters are the most important concept of authorization process, because are the final responsible of granting or not access to a resource.
Imagine next problem, you have developed a website for an online television, where only during daylight programs are live broadcasted and recorded, and during night programs recorded during day are rebroadcasted. Because of bandwidth problem, only registered users with ROLE_USER can watch live programs, but the rest of the world (registered or not) can watch at night the programs recorded during the day.
There are many approaches for developing that requirement, but how about implementing a voter that votes affirmative when it is night and negative when it is day?
See that most important method is vote. This method receives the caller invoking method, the secured object and the configuration attributes associated with the method being invoked and only returns if it grants, if it denies or if it abstains access to resource. Because our requirements are as easy as comparing if it is day or night these attributes are not used.
And I suppose you are wondering, "Ok man so easy, but how I register this new voter to the AccessDecisionManagers object?". Well it is also easy, the only inconvenience is that namespaces does not provide this feature and beans should be configured as old-school spring security files.
At line 1 we are configuring the security to http calls as usually but instead of relying on default decision manager, we are referencing to an access decision defined below.
At line 5, an AffirmativeBased decision manager is created, with two voters, one that will grant access if user have required role (line 8) and another one that is NightVoter implemented above granting only access if it is night.
And finally Authentication Manager beans with inmemory approach.
I think is a clean solution of an authorization problem, and also shows how Spring Security can adapt to very different scenarios involving web security.